Intel AMT Vulnerability Tracking Page
This page will be maintained to collect information, fixes, and analyses of the Intel AMT Firmare remote code execution vulnerability of May 1, 2017 (CVE-2017-5689). Please link to this page, rather than any of the sub-pages. The content is likely to be split to several pages over the coming weeks as more information becomes available. Fixes, instructions, and links to updated firmware by vendors will also be collected here.
Every IT administrator should read this page or otherwise familiarize themselves with the vulnerability and how to address it. Home users and non-IT, non-security folks can mostly ignore this. However, some high-end laptops and desktops are also affected and we will be posting information here as it becomes available.
What is Intel AMT / Intel Management Engine?
Active Management Technology (AMT) enables remote management of the servers, including remote operating system installation. It is included in all modern Intel Xeon processors and associated chipsets.
A pretty good description of how AMT works can be found here.
The Intel Management Engine (ME) is a separate processor in the chipset on the motherboard. It runs a TCP/IP stack and web server distinct from the operating system on the computer. The Management Engine can be active even when the server is powered off and while an operating system is running on the server. It can piggyback on the same network interfaces used by the host operating systems, or it can be used from a dedicated interface on the motherboard.
Any server based on Intel processors manufactured since 2009 includes AMT (though the vulerability apparently only started shipping in 2011). In practice, this means all Intel processor based servers and lots of other equipment, such as firewalls, security appliances, key management vaults (such as HSM), and digital telephone networks.
The basic idea of AMT is that an auxiliary processor in the chipset uses the server's network interfaces to obtain an IP address from the network and listen for connections. A system administrator (or anyone) can then connect to the server at this IP address and read/write memory and disk. Parts of the technology operate on bare hardware; parts rely on add-on modules installed within operating systems.
Essentially, AMT allows remote access to the system's memory and disk over the network while the operating system is running. It well known that a system can easily be hacked, password logins overridden, encryption keys obtained, and malware installed using DMA attacks. Any attack that can be performed over DMA can be performed using AMT, but it does not end there. Thus, protection of access to AMT is extremely critical for server and data security.
Intel Security Advisory on
Privilege Escalation Vulnerability in AMT
Intel released a security advisory on May 1, 2017 regarding a privilege escalation vulnerability in AMT. It has a CVSSv3 score of 9.8, which means an extremely critical vulnerability, exacerbated by how widely the technology is deployed, used, enabled, and how critical the systems utilizing it are.
Intel itself classifies the vulnerability in the following CVSSv3 vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The PR:N part means that no privileges are needed to exploit the vulnerability over the network. Thus, it is not really a privilege escalation, but an outright remote code execution vulnerability.
CERT Advisory on Intel AMT Firmware Vulnerability
CERT (United States Computer Emergency Readiness Team) released a short statement based on the Intel advisory on May 1, 2017.
CERT has also released Vulnerability Note VU#491375 on the topic. It contains information about specific vendors (also see below).
German DFN-CERT has released a similar advisory DFN-CERT-2017-0755.
National Vulnerability Database: CVE-2017-5689
The National Vulnerability Database (NVD), maintained by NIST (National Institute of Technology), as assigned case number CVE-2017-5689 to this dictionary. This page can be expected to receive further information about the vulnerability in the near future.
Affecting every Intel server out there with remote management enabled. That, in practice, is every server in many data centers.
DETAILS OF THE EXPLOIT, Now called
Silent Bob is Silent
The detailed description with an illustration of the exploit was published on May 8, 2017. See Embedi white paper on the Intel AMT Vulnerability Exploitation details.
Apparently Tenable also found the vulnerability based on the already released information, and many others may have been able to discover it as well. Perhaps this forced the unfortunately early release of the details.
In essence, the web user interface uses HTTP digest authentication for the
admin account. Send an empty digest response, and you are in. That simple. About five lines of Python. Maybe ten if you make it pretty.
This is like giving everyone with intranet access kernel-level privileges on every server whose AMT port they can communicate with (including janitors who can plug into the internal network). This also means
root access to every virtual machine, container, and database running on those servers. (People with internal firewalls and dedicated management networks are in a better position!)
If your Active Directory server's AMT port can be accessed, this is like giving every internal user
Domain Administrator rights to your domains.
For an exploit implemented with Burpsuite, see here.
Detection and Mitigating the Vulnerability
Some early guides for mitigating the vulnerability are available, even if no real fix is yet publicly accessible.
- Intel's Detection Guide
- Intel's Mitigation Guide
- NMAP script for scanning for hosts with vulnerable AMT
- Open source detection tool for Linux, works over network
As of May 3, 2017, Intel says it has delivered a fix to its OEM partners. On May 5, HP's page says it is waiting for updated firmware from Intel. No OEM partner has yet released new firmware to the public. Thus, right now we are limited to mitigating the impact of the vulnerability.
Vendors who have given dates currently estimate firmware update availability dates in the May 9 to June 17 range.
Generally, the attacker needs to be able to communicate with the management port. Environments where the management port is only accessible from a separate management network are of particular concern.
Temporary Mitigation While Waiting for Patches
As a temporary mitigation while waiting for patches, disable AMT where you can. Start from the most critical servers: Active Directory, certificate authorities, critical databases, code signing servers, firewalls, security servers, HSMs (if they have it enabled). For data centers, if you can, block ports 16992, 16993, 16994, 16995, 623, 664 in internal firewalls now.
If you have anything connected to the Internet with AMT on, disable it now. Assume the server has already been compromised.
Firewalls and Security Appliances May Be Affected
Many firewalls run on Intel hardware and may be affected. Some firewalls use management ports for failover. It is critically important to ensure that firewalls are patched as quickly as possibly and that their AMT ports are not accessible to any unauthorized party.
Other security appliances may also be impacted. For example, intrusion detection systems, network traffic recording systems, key management systems, hardware security modules (HSM), and certificate authorities typically run on Intel server hardware. Also, Active Directory servers run on normal server hardware and control access to the all systems in the whole enterprise.
Cloud server hardware often has AMT enabled. This can give attackers unlimited access to the hypervisor and cloud provisioning systems. Attacks similar to DMA attacks can be used to control virtual machines under the hypervisor. Keys and sensitive data could be compromised, and backdoors and malware could be permanently installed in Dom0 (hypervisor), in virtual machines, or in provisioning systems.
It is probably advisable to disable any remote management ports on any security appliances wherever feasible.
Discovery of the Vulnerability and Increase in Port Scans for It Prior to Disclosure
Discovery of the vulnerability is attributed to Embedi researcher Maks Malyutin. The vulnerability is said to have been discovered in mid-February, and reported to Intel on March 3. Intel published its advisory about it on May 1, 2017.
However, Internet scans for for ports 16992 and 16993 associated with AMT started skyrocketing already in March and April.
Semiaccurate has published an excellent article about the details, impacts, and history of this vulnerability. The author, Charlie Demerjian, claims to have known of the vulnerability for over five years and having discussed it with dozens of Intel representatives but been unable to publish it.
Vulnerability or Backdoor
One is left wondering if Intel only released the vulnerability now because it had leaked and port scans for it had escalated in a way that forced its hand. This kind of vulnerability is extremely valuable for intelligence and cyberwarfare operations, and various conspiracy theories abound. In any case, if it is true that Intel has known of the vulnerability for years, then it can only be considered an intentional backdoor.
This is exactly the kind of vulnerability one could imagine intelligence agencies trying to push vendors to leave in their code. In any case, we may see immeasurable damanage as malware starts utilizing this on a large scale on internal networks.
The AMT ports are usually not visible to the public Internet. One researcher was quoted saying there are
only 7000 servers on the public Internet that this affects. However, the security impact on internal networks and with respect to insider threats and malware is massive. The most critical business processes and most critical data in organizations runs on servers affected by this. This compromises both the confidentiality and integrity of the data as well as software (including operating systems, privileged processes, and encryption software) on the systems. This enables installing persistent threats on the affected systems, such as malware, virtualized rootkits, or disk drive firmware malware. It is perfect for large-scale cyberwarfare.
Port Numbers Associated with the Vulnerability
According to CERT VU#491375, AMT listens for remote commands on several known ports. Intel's documentation mentions that ports 16992 and 16993 allow web GUI interaction with AMT. Other ports that may be used by AMT include 16994 and 16995, and 623, and 664.
Information About Specific Vendors
Fujitsu has published an advisory identifying some of their models as vulnerable.
Fujitsu has also published a patched version of the firmware. First vendor that I've seen publish a new version. For more information, see their support page.
Cisco says their UCS servers both Blade and Chassis variants are NOT affected, as they use Intel Server Platform Services (SPS) and not AMT, ISM, or SBT. Cisco says Intel has said SPS is not affected by this vulnerability.
HPE (Hewlett-Packard Enterprise) Servers
Some Proliant and Edgeline models have been confirmed to be vulnerable. Serveral other models under investigation. See HPE Advisory. Several models still said to be under investigation. HP Enterprise says it is waiting for updated firmware from Intel. No patch availability date known yet.
HP (Hewlett-Packard) Laptops & Desktops
HP has published an advisory listing some of their laptops and desktops as vulnerable. Patches for many platforms are already available! The HP advisory contains links to downloads to upgrade firmware.
Lenovo has confirmed the vulnerability affects some of their models. Some Thinkpads and various other laptops are also affected. The above referenced page contains links to information about specific models and available downloads for updated firmware. The Lenovo advisory indicates expected availability dates from May 9 to June 17 for various models.
??? no information yet as of May 19
IBM X-Force Threat Insights Monthly discusses the Intel AMT Vulnerability on pages 3-6 and evaluates its potential for use in rootkits.
Some Supermicro motherboards clearly support Intel AMT according to their web site. This seems to at least include various workstation motherboards.
An answer in their FAQ for one particular motherboard says that motherboard is not affected because it is a server model and they use Intel SPS (Server Platform Services) on that motherboard.
As of May 19, I have not yet been able to find an official statement or list of affected models or any information about patch availability for Supermicro.
Dell has issued a statement listing dozens of vulnerable models and estimated patch availability dates. The dates range from May 17 to June 7, 2017, depending on the model. Patches are said to be available from their support page.
Dell has also issued this advisory about certain PowerEdge models.
Discussion on Dell support forum suggests that Dell is only going to issue an upgrade for systems having a vPro CPU, even though Intel's tool apparently indicates some other systems as vulnerable as well.
See also article in The Register on Dell patching the AMT vulnerability. The article contains links to useful resources.
NCR has said that they have been using Intel AMT in ATMs (Automatic Teller Machines) since 2011 and are preparing a patch. Thus, thousands and thousands of ATMs out there are vulnerable to AMT attacks. Operators of ATM networks need to urgently address this, either by firewalling of the ATM networks or turning off AMT in them. There have been multiple reported incidents in the past where ATM networks have been penetrated by attackers, so firewalling off may not be a sufficient solution in all cases.
There have been many attacks where hackers have installed their own malicious code in ATMs through various vulnerabilities. The last such attach was published only a few days ago. The Intel AMT vulnerability could permit installing such code throughout the entire ATM network if access to the network is obtained at some point, limited only by internal firewalls.
See NCR advisory with specific instructions for mitigating the issue.
BIOS updates for NCR products can apparently be downloaded from their support page. The page says patches for the Intel AMT vulnerability should be available on May 26.
??? No information yet as of May 19
See list of Intel desktop boards that are impacted. Intel says they will be publishing an update on May 17, 2017.
Alleged new drivers posted at www.win-raid.com. (Note: I am not familiar with the domain and do not endorse this source. Use at your own risk.)
See the this tweet about new Intel drivers.
I have been told by some people that Apple would not use AMT, but I have not seen any statement from the vendor so this is unconfirmed as of May 19.
- Razer Blade (gaming laptop) reported NOT VULNERABLE by @_wirepair
- Purism laptops not vulnerable
Early and Notable Articles on the Topic
- Security Ledger: Intel Fixes Nightmarish Firmware Flaw But Nobody's Safe
- Threatpost: Baseless Assumptions Exist about Intel AMT Vulnerability
- Threatpost: Intel Patched Nine-Year-Old Critical CPU Vulnerability
- Intel's AMT Vulnerability Shows Intel's Management Engine Can Be Dangerous
- Intel chip vulnerability sends corporate cyber teams scrambling
- Hackernews article explaining details of the Intel AMT Vulnerability
- How to remote hijack computers using Intel's insecure chips: Just use an empty login string
How to Deactivate AMT
- May 2, 2017 Disabling Intel AMT on Windows (and a Simpler CVE-2017-5689 Mitigation Guide
- As of May 1, 2017, Linux mitigation guide not yet available, but Intel working on it
- July 30, 2015 How to completely deactivate Intel AMT
Security Tools Related to AMT
Prior Vulnerabilities, Backdoors, and Rootkits Related to AMT
- July 1, 2016 Is the Intel Management Engine a Backdoor?
- July 27, 2009 Invisible Things Lab to present two new technical presentations disclosing system-level vulnerabilities affecting modern PC hardware at its core
- 08-09-2012 Intel AMT Backdoor Enabled by Default
- May 15, 2012 Intel Small Business Advantage is a security nightmare
- Oct 18, 2015 Intel AMT
- Aug 22, 2013: IPMI: Freight Train to Hell
- Jun 15, 2016: Intel x86s hide another CPU that can take over your machine (you can't audit it)
- Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management: Windows Server 2008 Certification Authority
- How to Provision and Configure AMT-Based Computers in Configuration Manager
- Provisioning Certificates for Intel Active Management Technology (Intel AMT)
- Security Best Pratices of Intel's Active Management Technology Q&A
- Intel Active Management Technology 7.0 Adminisrator Guide
- Do you have Intel AMT? (from SANS - also mentions the spike in port scanning since March)
More Technical Background
- I. Skochinsky: The Rootkit in Your Laptop: Hidden code in your chipset and how to discover what exactly it does
- I. Skochinsky: Secret of Intel Management Engine
- I. Skochinsky: Intel ME: Two Years Later
- F. Zhang and H. Zhang: SoK: A Study of Using Hardware-assisted Isolated Execution Environments for Security
- X. Ryan: The Engine: Safeguarding Itself before Safeguarding Others
- P. Stevin and I. Bystrov: Understanding DMA Malware.
- J. Rutkowska: Intel x86 Considered Harmful
- Chipset Based Detection and Removal of Virtualization Malware a.k.a. DeepWatch
From Slashdot, June 17, 2016:
An Intel spokesperson told the publication: While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure. Intel has a defined set of policies and procedures, managed by a dedicated team, to actively monitor and respond to vulnerabilities identified in released products. In the case of the Intel Management Engine, there are mechanisms in place to address vulnerabilities should the need arise
Right. Time to make AMT source code available to the public for verification, thank you.