AnsweredAssumed Answered

Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Privilege Escalation Vulnerability

Question asked by adamc on May 3, 2017
Latest reply on May 11, 2017 by Constantine Vorobetz

QID 43506 (CVE-2017-5689) - I am questioning the validity of the detection logic currently being used by Qualys as detailed from Intel.  Has Qualys validated their detection logic is true, making the details provided from SANS inaccurate?

 

From SANS:

 

The more we look at this though, the more it seems that any host with a vulnerable version of the service installed is itself vulnerable (see below).  Many vendors install the affected Intel code as part of their factory image.  So the "does not exist on consumer PCs" statement does not hold water for me.

Anyway, the affected / resolved firmware version (from the Intel advisory) is here:

Yes, that's all the way back to gen 1 Core CPUs (Nehalem era , 2007) right up to the latest Kaby Lake chips.

Intel released an update on April 25, and advises that the system or system board manufacturers should be releasing their firmware versions to affected customers.  That is, if your vendor releases a patch for your system - there are a LOT of older computers out there - and newer ones too - that will likely never see this update!

Intel has published a mitigation guide and it can be accessed online [2]. One item of note from the guide is checking to see if ports are listening with netstat. The IANA assigned ports are: 16992, 16993, 16994, 16995, 623, and 664.

 

Do you have Intel AMT? Then you have a problem today! Intel Active Management Technology INTEL-SA-00075 - SANS Interne… 

 

From  Qualys/INTEL-SA-00075:

 

THREAT:A privilege escalation vulnerability resides in Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology, which may allow an unprivileged attacker to gain control of the manageability features provided by these products.

Affected Versions:
Intel manageability firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability.

QID Detection Logic:
Intel AMT when enabled exposes its version remotely on TCP ports 16992, 16993. This QID matches vulnerable versions based on the exposed information.

 

IMPACT:An attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM).SOLUTION:The vendor has released an updated firmware to fix the vulnerability. Please refer to Intel advisory INTEL-SA-00075

for details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

INTEL-SA-00075

Intel® Product Security Center 

Outcomes