Your browser does not support HTML5 local storage or you have disabled it. Some functionality on this site, including saving your privacy settings and offering you special discounts, uses local storage and may not work with local storage disabled. We recommend allowing the use of local storage in your browser. In some browsers, it is the same setting used for disabling cookies.

Intel AMT Vulnerability Tracking Page

This page will be maintained to collect information, fixes, and analyses of the Intel AMT Firmare remote code execution vulnerability of May 1, 2017 (CVE-2017-5689). Please link to this page, rather than any of the sub-pages. The content is likely to be split to several pages over the coming weeks as more information becomes available. Fixes, instructions, and links to updated firmware by vendors will also be collected here.

Every IT administrator should read this page or otherwise familiarize themselves with the vulnerability and how to address it. Home users and non-IT, non-security folks can mostly ignore this. However, some high-end laptops and desktops are also affected and we will be posting information here as it becomes available.

This page is maintained by Tatu Ylonen, @tjssh at @SSH on twitter. Tweet me if you have updates or notice errors.

What is Intel AMT / Intel Management Engine?

Active Management Technology (AMT) enables remote management of the servers, including remote operating system installation. It is included in all modern Intel Xeon processors and associated chipsets.

A pretty good description of how AMT works can be found here.

The Intel Management Engine (ME) is a separate processor in the chipset on the motherboard. It runs a TCP/IP stack and web server distinct from the operating system on the computer. The Management Engine can be active even when the server is powered off and while an operating system is running on the server. It can piggyback on the same network interfaces used by the host operating systems, or it can be used from a dedicated interface on the motherboard.

Any server based on Intel processors manufactured since 2009 includes AMT (though the vulerability apparently only started shipping in 2011). In practice, this means all Intel processor based servers and lots of other equipment, such as firewalls, security appliances, key management vaults (such as HSM), and digital telephone networks.

The basic idea of AMT is that an auxiliary processor in the chipset uses the server's network interfaces to obtain an IP address from the network and listen for connections. A system administrator (or anyone) can then connect to the server at this IP address and read/write memory and disk. Parts of the technology operate on bare hardware; parts rely on add-on modules installed within operating systems.

Essentially, AMT allows remote access to the system's memory and disk over the network while the operating system is running. It well known that a system can easily be hacked, password logins overridden, encryption keys obtained, and malware installed using DMA attacks. Any attack that can be performed over DMA can be performed using AMT, but it does not end there. Thus, protection of access to AMT is extremely critical for server and data security.

Intel Security Advisory on Privilege Escalation Vulnerability in AMT

Intel released a security advisory on May 1, 2017 regarding a privilege escalation vulnerability in AMT. It has a CVSSv3 score of 9.8, which means an extremely critical vulnerability, exacerbated by how widely the technology is deployed, used, enabled, and how critical the systems utilizing it are.

Intel itself classifies the vulnerability in the following CVSSv3 vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The PR:N part means that no privileges are needed to exploit the vulnerability over the network. Thus, it is not really a privilege escalation, but an outright remote code execution vulnerability.

CERT Advisory on Intel AMT Firmware Vulnerability

CERT (United States Computer Emergency Readiness Team) released a short statement based on the Intel advisory on May 1, 2017.

CERT has also released Vulnerability Note VU#491375 on the topic. It contains information about specific vendors (also see below).

German DFN-CERT has released a similar advisory DFN-CERT-2017-0755.

National Vulnerability Database: CVE-2017-5689

The National Vulnerability Database (NVD), maintained by NIST (National Institute of Technology), as assigned case number CVE-2017-5689 to this dictionary. This page can be expected to receive further information about the vulnerability in the near future.

Affecting every Intel server out there with remote management enabled. That, in practice, is every server in many data centers.

Details of the Exploit, Now called Silent Bob is Silent

The detailed description with an illustration of the exploit was published on May 8, 2017. See Embedi white paper on the Intel AMT Vulnerability Exploitation details.

Apparently Tenable also found the vulnerability based on the already released information, and many others may have been able to discover it as well. Perhaps this forced the unfortunately early release of the details.

In essence, the web user interface uses HTTP digest authentication for the admin account. Send an empty digest response, and you are in. That simple. About five lines of Python. Maybe ten if you make it pretty.

This is like giving everyone with intranet access kernel-level privileges on every server whose AMT port they can communicate with (including janitors who can plug into the internal network). This also means root access to every virtual machine, container, and database running on those servers. (People with internal firewalls and dedicated management networks are in a better position!)

If your Active Directory server's AMT port can be accessed, this is like giving every internal user Domain Administrator rights to your domains.

For an exploit implemented with Burpsuite, see here.

Detection and Mitigating the Vulnerability

Some early guides for mitigating the vulnerability are available, even if no real fix is yet publicly accessible.

As of May 3, 2017, Intel says it has delivered a fix to its OEM partners. On May 5, HP's page says it is waiting for updated firmware from Intel. No OEM partner has yet released new firmware to the public. Thus, right now we are limited to mitigating the impact of the vulnerability.

Vendors who have given dates currently estimate firmware update availability dates in the May 9 to June 17 range.

Generally, the attacker needs to be able to communicate with the management port. Environments where the management port is only accessible from a separate management network are of particular concern.

Temporary Mitigation While Waiting for Patches

As a temporary mitigation while waiting for patches, disable AMT where you can. Start from the most critical servers: Active Directory, certificate authorities, critical databases, code signing servers, firewalls, security servers, HSMs (if they have it enabled). For data centers, if you can, block ports 16992, 16993, 16994, 16995, 623, 664 in internal firewalls now.

If you have anything connected to the Internet with AMT on, disable it now. Assume the server has already been compromised.

Firewalls and Security Appliances May Be Affected

Many firewalls run on Intel hardware and may be affected. Some firewalls use management ports for failover. It is critically important to ensure that firewalls are patched as quickly as possibly and that their AMT ports are not accessible to any unauthorized party.

Other security appliances may also be impacted. For example, intrusion detection systems, network traffic recording systems, key management systems, hardware security modules (HSM), and certificate authorities typically run on Intel server hardware. Also, Active Directory servers run on normal server hardware and control access to the all systems in the whole enterprise.

Cloud server hardware often has AMT enabled. This can give attackers unlimited access to the hypervisor and cloud provisioning systems. Attacks similar to DMA attacks can be used to control virtual machines under the hypervisor. Keys and sensitive data could be compromised, and backdoors and malware could be permanently installed in Dom0 (hypervisor), in virtual machines, or in provisioning systems.

It is probably advisable to disable any remote management ports on any security appliances wherever feasible.

Discovery of the Vulnerability and Increase in Port Scans for It Prior to Disclosure

Discovery of the vulnerability is attributed to Embedi researcher Maks Malyutin. The vulnerability is said to have been discovered in mid-February, and reported to Intel on March 3. Intel published its advisory about it on May 1, 2017.

However, Internet scans for for ports 16992 and 16993 associated with AMT started skyrocketing already in March and April.

Semiaccurate has published an excellent article about the details, impacts, and history of this vulnerability. The author, Charlie Demerjian, claims to have known of the vulnerability for over five years and having discussed it with dozens of Intel representatives but been unable to publish it.

Vulnerability or Backdoor

One is left wondering if Intel only released the vulnerability now because it had leaked and port scans for it had escalated in a way that forced its hand. This kind of vulnerability is extremely valuable for intelligence and cyberwarfare operations, and various conspiracy theories abound. In any case, if it is true that Intel has known of the vulnerability for years, then it can only be considered an intentional backdoor.

This is exactly the kind of vulnerability one could imagine intelligence agencies trying to push vendors to leave in their code. In any case, we may see immeasurable damanage as malware starts utilizing this on a large scale on internal networks.

Impact

The AMT ports are usually not visible to the public Internet. One researcher was quoted saying there are only 7000 servers on the public Internet that this affects. However, the security impact on internal networks and with respect to insider threats and malware is massive. The most critical business processes and most critical data in organizations runs on servers affected by this. This compromises both the confidentiality and integrity of the data as well as software (including operating systems, privileged processes, and encryption software) on the systems. This enables installing persistent threats on the affected systems, such as malware, virtualized rootkits, or disk drive firmware malware. It is perfect for large-scale cyberwarfare.

Port Numbers Associated with the Vulnerability

According to CERT VU#491375, AMT listens for remote commands on several known ports. Intel's documentation mentions that ports 16992 and 16993 allow web GUI interaction with AMT. Other ports that may be used by AMT include 16994 and 16995, and 623, and 664.

Information About Specific Vendors

Fujitsu

Fujitsu has published an advisory identifying some of their models as vulnerable.

Fujitsu has also published a patched version of the firmware. First vendor that I've seen publish a new version. For more information, see their support page.

Cisco

Cisco says their UCS servers both Blade and Chassis variants are NOT affected, as they use Intel Server Platform Services (SPS) and not AMT, ISM, or SBT. Cisco says Intel has said SPS is not affected by this vulnerability.

HPE (Hewlett-Packard Enterprise) Servers

Some Proliant and Edgeline models have been confirmed to be vulnerable. Serveral other models under investigation. See HPE Advisory. Several models still said to be under investigation. HP Enterprise says it is waiting for updated firmware from Intel. No patch availability date known yet.

HP (Hewlett-Packard) Laptops & Desktops

HP has published an advisory listing some of their laptops and desktops as vulnerable. Patches for many platforms are already available! The HP advisory contains links to downloads to upgrade firmware.

Lenovo

Lenovo has confirmed the vulnerability affects some of their models. Some Thinkpads and various other laptops are also affected. The above referenced page contains links to information about specific models and available downloads for updated firmware. The Lenovo advisory indicates expected availability dates from May 9 to June 17 for various models.

IBM

??? no information yet as of May 19

IBM X-Force Threat Insights Monthly discusses the Intel AMT Vulnerability on pages 3-6 and evaluates its potential for use in rootkits.

Supermicro

Some Supermicro motherboards clearly support Intel AMT according to their web site. This seems to at least include various workstation motherboards.

An answer in their FAQ for one particular motherboard says that motherboard is not affected because it is a server model and they use Intel SPS (Server Platform Services) on that motherboard.

As of May 19, I have not yet been able to find an official statement or list of affected models or any information about patch availability for Supermicro.

Dell

Dell has issued a statement listing dozens of vulnerable models and estimated patch availability dates. The dates range from May 17 to June 7, 2017, depending on the model. Patches are said to be available from their support page.

Dell has also issued this advisory about certain PowerEdge models.

Discussion on Dell support forum suggests that Dell is only going to issue an upgrade for systems having a vPro CPU, even though Intel's tool apparently indicates some other systems as vulnerable as well.

See also article in The Register on Dell patching the AMT vulnerability. The article contains links to useful resources.

NCR

NCR has said that they have been using Intel AMT in ATMs (Automatic Teller Machines) since 2011 and are preparing a patch. Thus, thousands and thousands of ATMs out there are vulnerable to AMT attacks. Operators of ATM networks need to urgently address this, either by firewalling of the ATM networks or turning off AMT in them. There have been multiple reported incidents in the past where ATM networks have been penetrated by attackers, so firewalling off may not be a sufficient solution in all cases.

There have been many attacks where hackers have installed their own malicious code in ATMs through various vulnerabilities. The last such attach was published only a few days ago. The Intel AMT vulnerability could permit installing such code throughout the entire ATM network if access to the network is obtained at some point, limited only by internal firewalls.

Many of NCR's point-of-sale systems also use AMT. Thus, payment and credit card security may be compromised. Besides the security risk, this is a pci compliance issue.

See NCR advisory with specific instructions for mitigating the issue.

BIOS updates for NCR products can apparently be downloaded from their support page. The page says patches for the Intel AMT vulnerability should be available on May 26.

Oracle

??? No information yet as of May 19

Intel

See list of Intel desktop boards that are impacted. Intel says they will be publishing an update on May 17, 2017.

Alleged new drivers posted at www.win-raid.com. (Note: I am not familiar with the domain and do not endorse this source. Use at your own risk.)

See the this tweet about new Intel drivers.

F5 Networks

F5 Networks has determines their products are NOT AFFECTED. See vendor-specific information at CERT and F5 advisory.

Apple

I have been told by some people that Apple would not use AMT, but I have not seen any statement from the vendor so this is unconfirmed as of May 19.

Miscellaneous

Early and Notable Articles on the Topic

How to Deactivate AMT

AMT Guides

More Technical Background

Trust Us

From Slashdot, June 17, 2016:

An Intel spokesperson told the publication: While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure. Intel has a defined set of policies and procedures, managed by a dedicated team, to actively monitor and respond to vulnerabilities identified in released products. In the case of the Intel Management Engine, there are mechanisms in place to address vulnerabilities should the need arise

Right. Time to make AMT source code available to the public for verification, thank you.

Intel AMT - Vulnerability or Backdoor?