Critical Elevation of Privilege Vulnerability in Various INTEL Firmware



    Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege

    Intel ID: INTEL-SA-00075
    Product family: Intel® Active Management Technology, Intel® Small Business Technology, and Intel® Standard Manageability
    Impact of vulnerability: Elevation of Privilege
    Severity rating: Critical
    Original release: May 01, 2017
    Last revised: May 19, 2017

     
    Summary:

    There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs with consumer firmware, Intel servers utilizing Intel® Server Platform Services (Intel® SPS), or Intel® Xeon® Processor E3 and Intel® Xeon® Processor E5 workstations utilizing Intel® SPS firmware.

    For general guidance on this issue please see https://newsroom.intel.com/news/important-security-information-intel-manageability-firmware/

    As Intel becomes aware of computer maker schedules for updated firmware this list will be updated:

    HP Inc. – http://www8.hp.com/us/en/intelmanageabilityissue.html
    HP Enterprise – http://h22208.www2.hpe.com/eginfolib/securityalerts/CVE-2017-5689-Intel/CVE-2017-5689.html
    Lenovo – https://support.lenovo.com/us/en/product_security/LEN-14963
    Fujitsu – http://support.ts.fujitsu.com/content/Intel_Firmware.asp
    Dell Client – http://en.community.dell.com/techcenter/extras/m/white_papers/20443914
    Dell EMC – http://en.community.dell.com/techcenter/extras/m/white_papers/20443937
    Acer – https://us.answers.acer.com/app/answers/detail/a_id/47162
    Asus – https://www.asus.com/News/uztEkib4zFMHCn5r
    Panasonic – http://pc-dl.panasonic.co.jp/itn/info/osinfo20170512.html
    Toshiba – https://support.toshiba.com/sscontent?contentId=4015668
    Intel – NUC, Compute Stick and Desktop Boards

     
    Description:

    There are two ways this vulnerability may be accessed; please note that Intel® Small Business Technology is not vulnerable to the first issue.

    1. An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).
       CVSSv3 9.8 Critical /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    2. An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).
       CVSSv3 8.4 High /AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

     
    Affected products:

    The issue has been observed in Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel® Active Management Technology, Intel® Small Business Technology, and Intel® Standard Manageability. Versions before 6 or after 11.6 are not impacted.

     
    Read the full article here

    • #112275

      zdnet.com article by Chris Duckett, May 2, 2017:
      Intel AMT vulnerability hits business chips from 2008 onwards
      Silicon giant releases new firmware to patch holes in separate management processor.

      http://www.zdnet.com/article/intel-amt-vulnerability-hits-business-chips-from-2008-onwards/

      • #112345

        Anyone want to take a bet that this will be revealed in the on-going dump from Wikileaks very soon?

        And that Intel just got a bit of early warning about that?  (And the undisclosed bit will be that Wikileaks has a new secret financial backer . . . after all they did offer advance notice to companies that paid their toll.)

        ~ Group "Weekend" ~

    • #112279

      https://en.wikipedia.org/wiki/Intel_Active_Management_Technology

      A hacker who can hack into Business PCs with Intel AMT is able to have full access into the PC because Intel AMT is a hardware firmware (not software) encryption technology built into the motherboard, eg the hacker is able to spy on the user, capture passwords, etc, independent of the OS being used.

      Intel holds the source code for Intel AMT as proprietary and closed source, ie nobody knows how the hardware encryption technology works and the encryption keys except for Intel. The above vulnerability means Intel have been secretly hacked or there has been an insider leak by Intel employees since 2008.

      Since 2013, AMD have also introduced similar technology called PSP or Platform Security Processor. Maybe, AMD’s PSP has also been hacked or leaked.

    • #112284

      For affected systems, I believe this is as bad as the EternalBlue exploit for Windows systems.

    • #112291

      From a tweet:

      “Intel released their advisory yesterday, yet people started scanning for [port] 16992 or 16993 last month”

    • #112298

      From http://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/:

      ‘First a little bit of background. SemiAccurate has known about this vulnerability for literally years now, it came up in research we were doing on hardware backdoors over five years ago. What we found was scary on a level that literally kept us up at night. For obvious reasons we couldn’t publish what we found out but we took every opportunity to beg anyone who could even tangentially influence the right people to do something about this security problem. SemiAccurate explained the problem to literally dozens of “right people” to seemingly no avail. We also strongly hinted that it existed at every chance we had.

      Various Intel representatives over the years took my words seriously, told me I was crazy, denied that the problem could exist, and even gave SemiAccurate rather farcical technical reasons why their position wasn’t wrong. Or dangerous. In return we smiled politely, argued technically, and sometimes, usually actually, were not so polite about our viewpoint. Unfortunately it all seems to have been for naught.’

    • #112303

      So this vulnerability is irrespective of OS installed? So should we expect firmware updates from manufacturers over the next (who knows) weeks/months? What about older systems?

      Hmm..ironic really, NSA et al gaining access via intel firmware..intel from intel 🙁

      Windows - commercial by definition and now function...
      • #112305

        Yes, maybe, and probably not, respectively.

        • #112327

          So, intels version of the IoT has been running since 2008 on AMT, that’s nice to know.

          Windows - commercial by definition and now function...
          • #112344

            @ Microfix

            It’s mostly high-end Business PCs that have Intel’s AMT or ME(Management Engine) or vPro technology built-in to the Intel processors, eg for Secure Remote Management (through hardware encryption) of a company’s PC which may be physically located elsewhere, like at a branch office.
            . . The out-of-location computer can be remotely accessed by the company owner or System Admin as long as it is plugged into the AC outlet, ie no need to be actually running. If compromised, hackers can also similarly access such computers remotely.

            Consumers who buy high-end PCs, which usually cost above US$800, may have Intel AMT/vPro inside. The latest high-end AMD Ryzen processors have similar PSP technology inside or built-in.
            . . Affected users should unplug their computers from the AC outlet when not using them. IOW, the computers are not really switched off during shutdown, as long as they are still plugged into the AC outlet.

            Most refurbished Win XP/7 computers have Intel AMT/vPro inside, since they were mostly sourced from companies who had mothballed their Win XP computers when they upgraded to Win 7 or from companies using Win 7 computers who went bankrupt.

            So, IoT devices are not affected by the Intel AMT vulnerability.

    • #112306

      A quick check (https://en.wikipedia.org/wiki/Intel_AMT_versions) suggests this issue may be confined mostly to CPUs on Q series chipset motherboards, Qxxx, QMxxx and QSxxx, though there may be other Xeon-specific (Cxxx?) and also B series ‘boards as well. vPro/AMT features should be visible in the BIOS; when disabled and the AMT software drivers/software removed, I think that should disable/block any remote access to the vulnerable CPUs.

      For businesses using this feature, it’s a big blow, ‘ordinary’ consumers should be affected much less.

      If you have the Intel AMT software installed on a motherboard that doesn’t support AMT, it can be uninstalled from Device Manager if it doesn’t show up in (Add/Remove) Programs.

      Obviously there will be further details/workarounds/checks publicised over the next day or so, keep your ear(s) to the ground!

    • #112351

      This article, although Linux-oriented, seems to offer a good assessment:

      http://mjg59.dreamwidth.org/48429.html

      This vulnerability does not exist on Intel-based consumer PCs.

      Some of us – myself included – run professional-grade hardware at home, such as ex-corporate workstations. I’m assuming that we may be vulnerable. I’ll be scanning for open ports on my home network as soon as I get the opportunity.

    • #112379

      I don’t know if this has already been linked but Intel have published a mitigation Guide for those who wish to check for and workaround this issue: https://downloadcenter.intel.com/download/26754

      • #112413

        Thanks!

      • #112427

        The Intel link above has a Vulnerability Checker, along with a list of “Resolved Firmware”.

        The link given in #112379 is for the “mitigations” where there is no (resolved) firmware update for a particular OEM.

        Recommendations: … Step 3: Intel highly recommends checking with your system OEM for updated firmware. Firmware versions that resolve the issue have a four digit build number that starts with a “3” (X.X.XX.3XXX) Ex: 8.1.71.3608.

    • #112412

      When I first read about the Management Engine, its possible purpose and possible ROM content, especially it being a separate processor that takes priority above the general purpose CPU, I thought it was a bad idea. Every article written by talented folks that reverse engineer tech thought it was bad; now we have proof today.

      Thanks for posting this; even though Intel says consumer systems are unaffected I’m checking anyway, considering all the recent events why should I believe them?

       

    • #112438

      I was reading about this last night.

      I have an older X58 Intel motherboard DX58SO2 with a i7-960 CPU. I do not remember installing any ME like I did on a later build with a Haswell i5-4670K. That had the ME in the BIOS update.

      I guess I better get over to the Intel MB forum to see if I can glean more info before I try the vulnerability checker. I am not on a large network so it may not be an issue.

      There is a lot of suspicion about the ME in some of the open source/Linux sites.

      • #112448

        Nothing about any of the AMT, vPRO or ME in the documentation or in the BIOS of the MB (not even grayed out) or CPU. That is a First Gen i7. I suspect it is not an issue with that CPU/MB, plus the other issues do not apply either.

        However, my Lenovo Gen4-i5 Laptop has all kinds of business related features.

        • #112453

          Did you check Device Manager > System devices for ME?

          • #112458

            Thanks for the reminder. Nothing on the X58 MB box in device manager.

            I have not fired up the laptop to check. I do not use it much. Its main usage now is updating… 🙂

            However I do remember that the Intel ME v9 was a requirement on the i5-4570K machine for the overclocking software from MSI to work. Installation required bootable media to flash the UEFI BIOS and update the ME. That machine is no longer mine, but is not on any network and is behind a router and firewall.

            I am going to review the material I downloaded last night from the Intel Website.

    • #112527

      Vendor statements are at http://www.kb.cert.org/vuls/id/491375.

      • #112584

        From following that link, I clicked on Dell’s “Affected” link. That page says Dell are aware of the vulnerability and are diligently working on mitigation, and will release firmware update details as they become available.

        From a SE search, I found a support question posted by a concerned owner. That response includes a graphic of affected systems (although it is unclear if that is fully inclusive of all affected systems), and a link to Intel’s Driver Update utility.

        The Intel Driver Update utility page warns to update to the latest version of the utility, to mitigate a potential vulnerability in earlier versions of the update utility. My head’s starting to spin with all these vulnerabilities, and the speed they are being notified!

        • #112592

          Chris M’s comment (from the Support question link) “None of your older systems have the vPro CPU so this doesn’t apply to you.” glosses over the issue – should anyone update their CPU to keep an older machine useful for a few more years, the cheapest way is to get hold of a 2nd hand CPU and server CPUs can be very cheap. For instance: upgrading to a Xeon E3 on a C-series chipset ‘board might make a ‘safe’ machine unsafe, unless steps are then taken to disable AMT/vPro remote access.

          Just because it isn’t currently at risk doesn’t mean it’s ‘safe’ – it’s only dormant, because it’s not simply just about the current CPU.

          Just because you don’t have the right CPU doesn’t mean you don’t already have the useless Intel ME driver/software installed, either. If you don’t need it installed, uninstall it and use Device Manager to ensure the drivers are uninstalled as well.

          • #112597

            You actually need 3 things to be vulnerable.

            1.  Vulnerable CPU

            2. Vulnerable BIOS/firmware/drivers

            3. Open network ports

            If your network ports are open you have bigger problems!

            Windows 10 Pro 22H2

            • #112601

              And the drivers will likely be installed by the Intel chipset driver package when you update the drivers after installing a fresh Windows on that bargain basement 4 year old ex business notebook you picked up for a song.

              For consumers, it’s mostly the hardware upgrades that need to be watched out for, though anyone with a business oriented notebook needs to check – soon.

            • #112603

              Or tighten up your network! 🙂

              Windows 10 Pro 22H2

            • #112604

              Not as simple as hiding behind your own router if the notebook was bought for mobile use, new tricks to learn 😉

            • #112607

              If you are mobile and use a public network, common sense dictates using a reliable VPN. 🙂

              Windows 10 Pro 22H2

            • #112612

              It’s only common sense to those who are aware of the potential dangers around it – even then, they still need to find out how to set it, and encryption where needed, up securely.

      • #112621

        Woohoo! My Lenovo Thinkpad is NOT affected. I was dreading if it was after the Intel BT driver update issues that took a while (confusing Intel Support instructions, etc.), and a number of driver updates and system restores to resolve.

        My old first gen i7 box is also safe and the port is also closed.

        The Intel i5-4570K build IS vulnerable due to the CPU and ME engine.

        Thanks MrBrian for the link in Post #112527. The Intel document I downloaded has already been updated.

    • #112550

      Based on what I have read on this topic, unless you have Intel® vPro™ Technology enabled on your CPU, you have nothing to fear.

      And even if you do, just run the computer behind a router that YOU control, and make sure that you don’t have any open ports on the router facing the internet …

      Windows 10 Pro 22H2

      • #112559

        It’s the BIOS/firmware of the motherboard that’s the problem, if they’re blocked/patched and any Intel ME software uninstalled and drivers removed, it doesn’t matter to the CPU, it’s safe.

        Basically, Q-series motherboards are the main problem: business class notebooks for which the designed remote access/update capabilities were a big selling point.

    • #112632

      From http://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/:

      “Updated May 2, 2017 @ 7:40pm: Lenovo has a page up with affected systems and fix ETAs. It includes some ‘consumer’ products as well as ‘servers’.

      The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine) not CPU firmware. If this isn’t scary enough news, even if your machine doesn’t have SMT, ISM, or SBT provisioned, it is still vulnerable, just not over the network. For the moment. From what SemiAccurate gathers, there is literally no Intel box made in the last 9+ years that isn’t at risk. This is somewhere between nightmarish and apocalyptic.

      … TLDR; Average computer user – If your system is 10 years old or newer it is likely exploitable, check for patches daily and install all patches immediately. If there is no patch, back up data and replace.”

       
      Please check out the full article here

      • #112637

        Ouch, it’s looking much worse than I initially suspected.

    • #112633

      From Embedi Research:
      https://www.embedi.com/news/mythbusters-cve-2017-5689

      “There has been a lot of disinformation presented as “fact” and a tremendous amount of baseless assumptions being floated around by some media outlets ever since the news was released.”

      Intel requested Embedi not disclose technical details at this stage, being a serious threat…

      “It is also important to note the difficulties with firmware patching, which is needed to mitigate this vulnerability. Firmware patching takes an extremely long time to test before it is deployed to all of their users.”

      “Systems affected by this vulnerability are from 2010-2011 (not 2008, as was mentioned in some of the comments), because Intel manageability firmware version 6.0 and above was made not earlier than 2010;…
      There is also a chance of attacks performed on Intel systems without Intel AMT support.”

       
      The full article can be read here

    • #112634

      From twit.tv:

      May 2nd 2017
      Security Now: Episode 610
      Intel’s Mismanagement Engine

      Hosted by Steve Gibson, Leo Laporte
      Records live every Tuesday at 4:30pm Eastern / 1:30pm Pacific / 20:30 UTC.

       
      A May Day Mayday for Intel

      This week Steve and Leo discuss the long-expected remote vulnerability in Intel’s super-secret motherboard Management Engine technology, exploitable open ports in Android apps, another IoT blows a suspect’s timeline, newly discovered problems in the Ghostscript interpreter, yet another way for ISPs and others to see where we go, a new bad problem in the Edge browser, Chrome changes its certificate policy, an interesting new “Vigilante Botnet” is growing fast, a proposed solution to smartphone-distracted driving, Ransomware as a service, Net Neutrality heads back to the chopping block (again), an intriguing new service from Cloudflare, and the ongoing Symantec certificate issuance controversy. Then some fun errata, miscellany, and some closing-the-loop feedback from our terrific listeners.

       
      We invite you to read our show notes.

      Download or subscribe to this show at https://twit.tv/shows/security-now.

       
      Access the podcast here
      (discussed at abt 13:20 – 37:40)

    • #112639

      This non-techie has tried to read all the info on here and in many of the links and is now mightily confused. I have a stand-alone desktop. Apparently my processor is an Intel Core i3 CPU 550 @ 3.20GHz.

      Am I vulnerable? Thanks.

      Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

      • #112641

        Offhand, I’d say probably – it’s in the ballpark that Intel have admitted to, 2010 onwards.

        As one of the non-Intel researchers heavily involved in this appears to be under an NDA, we’re not likely to be able to be definitive for some time.

        I’m working on my own PC, an Ivybridge/Xeon E3, so 2 generations ahead of yours. I’m currently having to install the Intel Management Engine so that the Intel scanner can verify whether the backdoor mechanism is enabled or not. If I can write up a simple verification routine, I’ll post it – but don’t hold your breath, this is outside my comfort zone.

      • #112642

        To check for Intel vPro, check this page:
        https://communities.intel.com/docs/DOC-5693

        It’s not easy to tell if you have the problem, which was even mentioned in the twit.tv Security Now podcast! They commented that it is normal to not mess with a working BIOS, and only to update it when a specific problem is addressed by a particular update – this is rewriting those rules…

        • #112756

          I don’t believe my laptop has a vPro chip (the Intel Inside sticker certainly doesn’t refer to it), yet Intel Management Engine is showing (and now stopped and disabled, respectively) in Services and Device Manager…

    • #112660

      INTEL-SA-00075 Detection Guide was updated on May 3. It now includes a detection program.

      I also found this program from 2009: Intel Management Engine Verification Utility.

      From Do you have Intel AMT? Then you have a problem today! Intel Active Management Technology INTEL-SA-00075:

      ‘The more we look at this though, the more it seems that any host with a vulnerable version of the service installed is itself vulnerable (see below).  Many vendors install the affected Intel code as part of their factory image.  So the “does not exist on consumer PCs” statement does not hold water for me.

      […]

      Intel’s mitigation guide posts a detailed document on removing the supporting code in Windows by disabling or removing the affected service, either from the command line or in Group Policy.  What it boils down to is you want to stop and disable the LMS Service (Local Management Service), then delete LMS.exe.  On my (not managed by AMT)  laptop, this shows up in the services list as “Intel(R) Management and Security Application Local Management Service”.  LMS.EXE is located in  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS.’

       

      • #112666

        The 2009 Verification Utility listed is only suitable for 1st gen/55 series ‘boards, possibly some others (58?); running it on non-supported ‘boards might lead to unexpected issues: not recommended.

        My OEM ‘board results from the new detection program only indicates that the software/drivers aren’t installed (I uninstalled the ME drivers via DevMan several days ago), nothing related directly to whether any hardware is vulnerable.

        “Risk Assessment
        Based on the version of the ME, the System is Not Vulnerable.
        If Vulnerable, contact your OEM for support and remediation of this system.
        For more information, refer to CVE-2017-5689 at: https://nvd.nist.gov/vuln/detail/CVE-2017-5689 or the Intel security advisory Intel-SA-00075 at: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
        INTEL-SA-00075 Discovery Tool GUI Version
        Application Version: 1.0.0.98
        Scan date: 04/05/2017 13:26:51

        Host Computer Information
        Name: xxxxxxx
        Manufacturer: To Be Filled By O.E.M.
        Model: To Be Filled By O.E.M.
        Processor Name: Intel(R) Xeon(R) CPU E3-1230 V2 @ 3.30GHz
        Windows Version: Microsoft Windows 7 Professional

        ME Information
        Version: Unknown
        SKU: Unknown
        State: None Detected
        Driver installation found: False
        EHBC Enabled: False
        LMS service state: NotPresent
        microLMS service state: NotPresent”

        Does this mean that just uninstalling the software and drivers will close the vulnerable backdoor?

        • #112672

          From INTEL-SA-00075 Mitigation Guide v1.1:

          “Disabling or removing the Local Manageability Service (LMS) to mitigate unprivileged local attacker from gaining system privileges”

      • #112711

        Thank you @MrBrian. I just tested one consumer HP laptop with this utility, it says there isn’t a problem but a driver is present. We’ll have to wait for HP to announce something…

      • #112793

        I was able to test one older HP business class machine, the result is waiting for HP or HPE to announce their plans.

      • #112797

        Oh!, Now I see that HP have already done their work in putting the Intel vulnerability announcement with the product’s bulletins and notices section. There is a list of affected systems and time table for the release of the patches.

        People will have to search for their model of computer to see it, perhaps using the serial number on the bottom label.

    • #112690

      Have a Dell Optiplex 790 (it is a refurbished system with Windows 7 x64 Pro, preloaded by the refurbishers).

      Ran the latest Intel Discovery test using the GUI program found in the download from Intel, Intel-SA-00075_1.0.098.zip from here:

      https://downloadcenter.intel.com/download/26755

      It first reported that this system is ‘vulnerable’.

      Risk Assessment
      Based on the version of the ME, the System is Vulnerable.
      If Vulnerable, contact your OEM for support and remediation of this system.
      For more information, refer to CVE-2017-5689 at: https://nvd.nist.gov/vuln/detail/CVE-2017-5689 or the Intel security advisory Intel-SA-00075 at: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
      INTEL-SA-00075 Discovery Tool GUI Version
      Application Version: 1.0.0.98
      Scan date: 5/4/2017 9:01:02 AM
      Host Computer Information
      Name: AMC7-PC
      Manufacturer: Dell Inc.
      Model: OptiPlex 790
      Processor Name: Intel(R) Core(TM) i5-2500 CPU @ 3.30GHz
      Windows Version: Microsoft Windows 7 Professional
      ME Information
      Version: 7.1.70.1198
      SKU: Consumer
      State: Not Provisioned
      Driver installation found: True
      EHBC Enabled: False
      LMS service state: NotPresent
      microLMS service state: NotPresent

      I then disabled the “Intel Management Engine Interface” in Device Manager and re-ran the assessment tool.  This time it reported the system was “Not Vulnerable”:

      Risk Assessment
      Based on the version of the ME, the System is Not Vulnerable.
      If Vulnerable, contact your OEM for support and remediation of this system.
      For more information, refer to CVE-2017-5689 at: https://nvd.nist.gov/vuln/detail/CVE-2017-5689 or the Intel security advisory Intel-SA-00075 at: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
      INTEL-SA-00075 Discovery Tool GUI Version
      Application Version: 1.0.0.98
      Scan date: 5/4/2017 9:03:00 AM
      Host Computer Information
      Name: AMC7-PC
      Manufacturer: Dell Inc.
      Model: OptiPlex 790
      Processor Name: Intel(R) Core(TM) i5-2500 CPU @ 3.30GHz
      Windows Version: Microsoft Windows 7 Professional
      ME Information
      Version: Unknown
      SKU: Unknown
      State: None Detected
      Driver installation found: False
      EHBC Enabled: False
      LMS service state: NotPresent
      microLMS service state: NotPresent

      This system has no other Intel Management Engine software installed (no LMS.EXE).
      So, it appears that disabling the Intel driver in Device Manager ‘fixes’ the problem, at least on this system.

      I might try uninstalling the ‘device’ in Device Manager, but I think that will cause an error in Device Manager (missing driver), so will probably just leave it uninstalled until Intel and/or Dell come up with a BIOS fix, although, since this is a rather old system, Dell might not ever come up with a new BIOS for it.

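      As an added worked example (not code from this thread, from Intel or from the Discovery Tool), the Python below parses the tool's text output quoted above and applies the advisory's published version ranges together with the X.X.XX.3XXX "resolved firmware" rule from #112427. The sample report is constructed with placeholder host fields, and classify_version is a reading of the advisory's ranges, not a reproduction of the tool's own logic (which also weighs SKU and provisioning state).

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample, modelled on the Discovery Tool output quoted in this
# thread (host name and OEM fields are placeholders, not a real machine).
SAMPLE_REPORT = """\
Risk Assessment
Based on the version of the ME, the System is Vulnerable.
If Vulnerable, contact your OEM for support and remediation of this system.
INTEL-SA-00075 Discovery Tool GUI Version
Application Version: 1.0.0.98
Scan date: 5/4/2017 9:01:02 AM
Host Computer Information
Name: EXAMPLE-PC
Manufacturer: Example OEM
Model: Example Model
Processor Name: Intel(R) Core(TM) i5-2500 CPU @ 3.30GHz
Windows Version: Microsoft Windows 7 Professional
ME Information
Version: 7.1.70.1198
SKU: Consumer
State: Not Provisioned
Driver installation found: True
EHBC Enabled: False
LMS service state: NotPresent
microLMS service state: NotPresent
"""

SECTION_HEADERS = {"Risk Assessment", "Host Computer Information", "ME Information"}
RISK_RE = re.compile(r"the System is (Not Vulnerable|Vulnerable)\.")
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_report(text: str) -> Dict[str, str]:
    """Turn the tool's 'Key: Value' lines into a dict; the verdict sentence
    becomes fields['Risk'] ('Vulnerable' or 'Not Vulnerable')."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in SECTION_HEADERS:
            continue
        m = RISK_RE.search(line)
        if m:
            fields["Risk"] = m.group(1)
            continue
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_version(version: str) -> Optional[Tuple[int, int, int, int]]:
    """'7.1.70.1198' -> (7, 1, 70, 1198); None for 'Unknown' or malformed."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        return None
    major, minor, hotfix, build = (int(g) for g in m.groups())
    return major, minor, hotfix, build


def classify_version(version: str) -> str:
    """Apply only what the advisory publishes: 6.x-10.x and 11.0/11.5/11.6
    are affected, a four-digit build starting with 3 (X.X.XX.3XXX) is a
    resolved release, and anything outside those ranges is not impacted."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    major, minor, _hotfix, build = parsed
    listed = 6 <= major <= 10 or (major == 11 and minor in (0, 5, 6))
    if not listed:
        return "not affected"
    if 3000 <= build <= 3999:
        return "resolved"
    return "affected"


def assess(text: str) -> Dict[str, object]:
    """Combine the tool's own verdict with the advisory version check and the
    two facts the thread keeps coming back to: is AMT provisioned, and is the
    LMS service (the local-attack path) present at all."""
    fields = parse_report(text)
    version = fields.get("Version", "Unknown")
    return {
        "tool_verdict": fields.get("Risk", "unknown"),
        "version": version,
        "advisory_range": classify_version(version),
        "state": fields.get("State", "Unknown"),
        "lms_present": fields.get("LMS service state", "NotPresent") != "NotPresent",
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```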
      • #112779

        I might try uninstalling the ‘device’ in Device Manager, but I think that will cause an error in Device Manager (missing driver), so will probably just leave it uninstalled until Intel and/or Dell come up with a BIOS fix, although, since this is a rather old system, Dell might not ever come up with a new BIOS for it.

        On my systems I solved the “missing driver” problem (on Windows 10) with the null driver offered by Windows Update in Windows 7. Here’s a link to that file: 4892_ad61ee225535c6e58fcb15a5bb92f778f1a1c606.cab.

        The particulars of the contents of the cabinet file and the info file itself are:

        11/09/2011  02:40 AM             7,077 mgmt.cat
        11/04/2011  09:48 PM             1,261 MGMT_4.inf

        ;Null Driver for Intel(R) Management Engine Interface

        [Manufacturer]
        %ProviderName%=ManagementDriver,NTamd64.6.1,NTx86.6.1

        [ManagementDriver.NTamd64.6.1]
        %DeviceName%=ManagementDriver64_61_Install,PCI\VEN_8086&DEV_2E17
        %DeviceName%=ManagementDriver64_61_Install,PCI\VEN_8086&DEV_3B67
        %DeviceName%=ManagementDriver64_61_Install,PCI\VEN_8086&DEV_2E14

        [ManagementDriver.NTx86.6.1]
        %DeviceName%=ManagementDriver32_61_Install,PCI\VEN_8086&DEV_2E17
        %DeviceName%=ManagementDriver32_61_Install,PCI\VEN_8086&DEV_3B67
        %DeviceName%=ManagementDriver32_61_Install,PCI\VEN_8086&DEV_2E14

        Of course it only installs if your hardware matches what is shown here.

        HP Compaq 6000 Pro SFF PC / Windows 10 Pro / 22H2
        Intel®Core™2 “Wolfdale” E8400 3.0 GHz / 8.00 GB

        HP ProDesk 400 G5 SFF PC / Windows 11 Pro / 23H2
        Intel®Core™ “Coffee Lake” i3-8100 3.6 GHz / 16.00 GB
        1 user thanked author for this post.
        • #112782

          For my Z77 based ‘board on W7x64 I needed to add an extra string to both lists in the Inf file based on the info from the Device Manager > Unknown Device > Properties > Details tab > Hardware IDs to enable the installation of the null driver:

[ManagementDriver.NTamd64.6.1]
          %DeviceName%=ManagementDriver64_61_Install,PCI\VEN_8086&DEV_2E17
          %DeviceName%=ManagementDriver64_61_Install,PCI\VEN_8086&DEV_3B67
          %DeviceName%=ManagementDriver64_61_Install,PCI\VEN_8086&DEV_2E14
          %DeviceName%=ManagementDriver64_61_Install,PCI\VEN_8086&DEV_1E3A

          [ManagementDriver.NTx86.6.1]
          %DeviceName%=ManagementDriver32_61_Install,PCI\VEN_8086&DEV_2E17
          %DeviceName%=ManagementDriver32_61_Install,PCI\VEN_8086&DEV_3B67
          %DeviceName%=ManagementDriver32_61_Install,PCI\VEN_8086&DEV_2E14
          %DeviceName%=ManagementDriver32_61_Install,PCI\VEN_8086&DEV_1E3A
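
As an added example that is not the poster’s file or Intel’s or Microsoft’s code, the following Python script parses the two models sections of the null-driver INF shown above, checks whether the hardware IDs Device Manager reports for the MEI device match any entry, and appends a missing ID the way the post above describes for DEV_1E3A; the INF text and device ID lists are constructed from the thread (the SUBSYS value is a placeholder).

```python
"""Added example (not from the forum posts, Microsoft or Intel): parse a
null-driver INF like the MGMT_4.inf quoted above, test whether the hardware
IDs Device Manager shows for the MEI device match it, and add a missing ID."""
import re

# Constructed copy of the models sections quoted in the thread.
NULL_DRIVER_INF = """\
;Null Driver for Intel(R) Management Engine Interface

[Manufacturer]
%ProviderName%=ManagementDriver,NTamd64.6.1,NTx86.6.1

[ManagementDriver.NTamd64.6.1]
%DeviceName%=ManagementDriver64_61_Install,PCI\\VEN_8086&DEV_2E17
%DeviceName%=ManagementDriver64_61_Install,PCI\\VEN_8086&DEV_3B67
%DeviceName%=ManagementDriver64_61_Install,PCI\\VEN_8086&DEV_2E14

[ManagementDriver.NTx86.6.1]
%DeviceName%=ManagementDriver32_61_Install,PCI\\VEN_8086&DEV_2E17
%DeviceName%=ManagementDriver32_61_Install,PCI\\VEN_8086&DEV_3B67
%DeviceName%=ManagementDriver32_61_Install,PCI\\VEN_8086&DEV_2E14
"""

# Constructed list in the order Windows ranks IDs (Device Manager's Hardware
# Ids tab first, then Compatible Ids); SUBSYS_12345678 is a placeholder value.
DEVICE_IDS_1E3A = [
    "PCI\\VEN_8086&DEV_1E3A&SUBSYS_12345678&REV_04",
    "PCI\\VEN_8086&DEV_1E3A&SUBSYS_12345678",
    "PCI\\VEN_8086&DEV_1E3A&CC_078000",
    "PCI\\VEN_8086&DEV_1E3A&CC_0780",
    "PCI\\VEN_8086&DEV_1E3A&REV_04",
    "PCI\\VEN_8086&DEV_1E3A",
]


def parse_sections(inf_text):
    """Map lower-cased section name -> list of non-comment, non-blank lines."""
    sections, current = {}, None
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts an INF comment
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def models_hardware_ids(inf_text):
    """Return {decoration: {HARDWARE_ID: install_section}} from [Manufacturer]."""
    sections, result = parse_sections(inf_text), {}
    for entry in sections.get("manufacturer", []):
        parts = [p.strip() for p in entry.split("=", 1)[1].split(",")]
        base, decorations = parts[0], parts[1:] or [""]
        for dec in decorations:
            sec_name = f"{base}.{dec}".lower() if dec else base.lower()
            ids = {}
            for model in sections.get(sec_name, []):
                fields = [f.strip() for f in model.split("=", 1)[1].split(",")]
                for hwid in fields[1:]:
                    ids[hwid.upper()] = fields[0]  # ID -> DDInstall section
            result[dec] = ids
    return result


def matching_install(inf_text, decoration, device_ids):
    """First device ID (most specific first) listed in the INF, or None."""
    table = models_hardware_ids(inf_text).get(decoration, {})
    for hwid in device_ids:
        if hwid.upper() in table:
            return table[hwid.upper()]
    return None


def add_hardware_id(inf_text, decoration, install_section, hwid):
    """Return a copy of the INF with one extra models line in the section for
    `decoration`, as the thread did for DEV_1E3A; no-op if already present."""
    if hwid.upper() in models_hardware_ids(inf_text).get(decoration, {}):
        return inf_text
    base = parse_sections(inf_text)["manufacturer"][0].split("=", 1)[1].split(",")[0].strip()
    header = f"[{base}.{decoration}]".lower()
    lines = inf_text.splitlines()
    target = next((i for i, l in enumerate(lines) if l.strip().lower() == header), None)
    if target is None:
        raise ValueError(f"models section {header} not found")
    end = target + 1
    while end < len(lines) and not lines[end].strip().startswith("["):
        end += 1
    while end > target + 1 and not lines[end - 1].strip():
        end -= 1  # keep the new entry with the others, before the blank line
    lines.insert(end, f"%DeviceName%={install_section},{hwid}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("original matches DEV_1E3A:", matching_install(NULL_DRIVER_INF, "NTamd64.6.1", DEVICE_IDS_1E3A))
    patched = add_hardware_id(NULL_DRIVER_INF, "NTamd64.6.1", "ManagementDriver64_61_Install", "PCI\\VEN_8086&DEV_1E3A")
    print("patched matches DEV_1E3A:", matching_install(patched, "NTamd64.6.1", DEVICE_IDS_1E3A))
```

The same check can be run against any ID string copied from the Hardware Ids tab before touching the file, which shows whether a missing match is the reason the driver will not install.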

    • #112745

      Thanks to everyone for their links and advice. Apparently I’m not vulnerable according to the GUI version:

      Risk Assessment
      Based on the version of the ME, the System is Not Vulnerable.
      If Vulnerable, contact your OEM for support and remediation of this system.
      For more information, refer to CVE-2017-5689 at: https://nvd.nist.gov/vuln/detail/CVE-2017-5689 or the Intel security advisory Intel-SA-00075 at: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
      INTEL-SA-00075 Discovery Tool GUI Version
      Application Version: 1.0.0.107
      Scan date: 5/05/2017 7:01:11 AM

      Host Computer Information
      Manufacturer: System manufacturer
      Model: System Product Name
      Processor Name: Intel(R) Core(TM) i3 CPU 550 @ 3.20GHz
      Windows Version: Microsoft Windows 7 Home Premium

      ME Information
      Version: 6.0.2.1194
      SKU: Consumer
      State: None Detected
      Driver installation found: True
      EHBC Enabled: False
      LMS service state: Running
      microLMS service state: NotPresent

      Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

    • #112763

I ran the test and my system is ‘unknown’. As I built this machine, and installed the software and OS, I looked back at all the driver disks, updates for the MB, BIOS updates and change logs, and software and there is nothing like AMT, or vPRO or even ME. I believe it is a pre-ME motherboard.

      Risk Assessment
      Based on the version of the ME, the System is Unknown.
      If Vulnerable, contact your OEM for support and remediation of this system.
      For more information, refer to CVE-2017-5689 at: https://nvd.nist.gov/vuln/detail/CVE-2017-5689 or the Intel security advisory Intel-SA-00075 at: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
      INTEL-SA-00075 Discovery Tool GUI Version
      Application Version: 1.0.0.107
      Scan date: 5/4/2017 6:40:48 PM

      Host Computer Information
      Name: XXXXXXXXXXX
      Manufacturer: INTEL_
      Model: DX58SO2_
      Processor Name: Intel(R) Core(TM) i7 CPU 960 @ 3.20GHz
      Windows Version: Microsoft Windows 7 Professional

      ME Information
      Version: Unknown
      SKU: Unknown
      State: None Detected
      Driver installation found: False
      EHBC Enabled: False
      LMS service state: NotPresent
      microLMS service state: NotPresent

      I will run the laptop even though Lenovo says it is NOT vulnerable.

    • #112767

      I don’t know if this article is accurate or not, but it’s an interesting read: Are consumer PCs safe from the Intel ME/AMT exploit?

‘First off, all non-server, including workstation but possibly not Atom based, systems contain the hardware needed for this exploit. Over the past several years during conversations with Intel personnel, the hardware is said to be ‘not there’ on machines that don’t have the correct chipset, usually -Q coded variants. Unofficial conversations have led SemiAccurate to believe that the hardware necessary for the AMT exploit is both there and functional. For the short and mid-term past, there is only one chipset die across all ‘small’ (non-E/EP/EX) CPU platforms.

      […]

      SemiAccurate has strong reason to believe that there is an active exploit in the wild at the moment and it is a very sophisticated piece of code.’

      1 user thanked author for this post.
      • #112785

The latest comments in this thread and the link to the SemiAccurate article in MrBrian’s Post #112767 led me to research the MSI Z87-G41 PC Mate motherboard that I used for an i5-4570K build. One of the software installs was an update to the Intel ME in a zipfile. Here is the info for that file.

        OS: Win7 32, Win7 64, Win8 64, Win8 32, Win8.1 64, Win8.1 32
        Release Date: 2015-02-16
        Version: 10.0.31.1000
        File Size: 71.46 MB
        Note: Microsoft Hotfix installation is required for Intel Management Engine Driver to be installed successfully.

        SetupME.exe is 72,137K dated 11/11/2014 for version 10.0.31.1000

        The hotfix that was included in the zipfile is KB 2685811 for the Kernel Mode Driver Framework (KMDF) in the MSU format and is 792K unzipped.

        From the MS website:
        KMDF supports kernel-mode drivers that are written specifically to use it. KMDF driver packages that are built by using Windows Driver Kit for Windows 8 can automatically redistribute and install version 1.11 of the files. During driver package installation, the package checks the computer to determine what version of KMDF is currently installed, and then the package updates the files to 1.11 if they are an older version.
        Additional Resources:
        https://msdn.microsoft.com/en-us/library/ff544283(v=vs.85).aspx

        This install was necessary for the MSI Overclock and GreenPower Utility, Command Center. That utility had the following notes for its installation.
        1. .net framework 4.0 is required.
        2. Intel mainboards need to install Intel ME driver to enable CPU overclock.

        Based upon this, I have my doubts that this is solely a business/server PC issue only. The MSI board is a lower cost gaming MB with the Z87 chipset for overclocking.

        Disclaimer: I am nowhere near knowledgeable about this exploit or what Intel is saying, but from what I see in this file(s), if the ME is actually part of the vulnerability, I wonder about the statements regarding “consumer PCs.” This was a custom build that was targeted not at gaming, but for general use with a gaming/overclocking potential and also the ability to upgrade and tweak components to extend its life.

        I hope this actually helps, as I do not want to spread FUD or open up rabbit holes. When I get to run the Intel Assessment tool on that machine early next week, I will post whether it was listed as “Vulnerable”.

      • #112907

        From the same article @MrBrian linked:

         
        Are consumer PCs safe from the Intel ME/AMT exploit?
        Analysis: Here are SemiAccurate’s thoughts

        May 3, 2017 by Charlie Demerjian

         
        TLDR; There is a remote control mechanism in hardware that cannot be fully disabled and you cannot get Intel hardware without it. So while this patch may fix the current vulnerability this situation points to the urgent need for hardware diversity.

        So that brings us to the several million dollar question, are ‘consumer’ PC’s safe or do they have the same AMT vulnerability? If you play by the rules, use the official tools, firmware, and code available from Intel, the answer is yes. So Intel is right in saying they are unaffected. Do you know any hackers who only play by the rules and use official tools, firmware, and code when plying their trade? If so, rest easy and don’t worry about the AMT vulnerabilities any more. If not, you would need to have a complex chain of “if’s” happen for it to be a problem. What are the odds?

         
        Read the full article here

        3 users thanked author for this post.
        • #112908

          Yup, I read that article yesterday. Gave me an uneasy feeling.

          I am running a consumer, 3rd generation Ivy Bridge based Intel Core system.  That revelation is rather creepy that they built all that into the silicon die for all CPU’s, and then switched features on and off by locking features with methods that software should respect.  Right!

          So I started pricing out an AMD replacement motherboard and CPU last night … 🙂

          Windows 10 Pro 22H2

          • #112911

            AMD has the Platform Security Processor and maybe they should decide to take this uneasy lesson from Intel to review their bits.

            • #112917

              AMD has a completely different animal than the kludge that Intel has assembled.

Intel is all about sophisticated out-of-band remote management technology to enable corporate IT to reach out to their machines anywhere, and perform a bare metal recovery if necessary, even without a running OS on the machine.  Neither the user nor the local OS knows anything about what the separate management processor on the chipset is doing, either locally, or over the network.

              Windows 10 Pro 22H2

          • #112921

            @ JohnW

            The PSP is an ARM core with TrustZone technology, built onto the main CPU die. As such, it has the ability to hide its own program code, scratch RAM, and any data it may have taken and stored from the lesser-privileged x86 system RAM (kernel encryption keys, login data, browsing history, keystrokes, who knows!). To make matters worse, the PSP theoretically has access to the entire system memory space (AMD either will not or cannot deny this, and it would seem to be required to allow the DRM “features” to work as intended), which means that it has at minimum MMIO-based access to the network controllers and any other PCI/PCIe peripherals installed on the system.

            In theory any malicious entity with access to the AMD signing key would be able to install persistent malware that could not be eradicated without an external flasher and a known good PSP image. Furthermore, multiple security vulnerabilities have been demonstrated in AMD firmware in the past, and there is every reason to assume one or more zero day vulnerabilities are lurking in the PSP firmware. Given the extreme privilege level (ring -2 or ring -3) of the PSP, said vulnerabilities would have the ability to remotely monitor and control any PSP enabled machine completely outside of the user’s knowledge.

            https://libreboot.org/faq.html#amd

            • #113005

              Hmmm… so the options are cloudy.  Well with Intel, you now have more than a theoretical vulnerability.  At least with AMD there are still only ifs … maybe it’s just a matter of time?

              AMD should take Intel’s lesson to heart fast and tighten up their s***!  Maybe it would help out their stock price, which recently went into a slump based on market forecasts.

              Maybe an ARM based CPU is the only safe zone now???

              Windows 10 Pro 22H2

    • #112768

      Since I noticed that samak had run a later version number of the Risk Assessment Tool, I downloaded the ‘latest’ Intel Risk Assessment Tool (ver. 1.0.0.107) this afternoon (PDT), ran it, and got a “Not Vulnerable” result on the system that I reported on in post# 112690. This was with the Intel Management Engine driver loaded.

      Wonder what changed at Intel from 8:00 am this morning and 4:00 pm this afternoon?  I changed nothing on the system, same version of the Intel ME installed as listed above:

      ME Information
      Version: 7.1.70.1198

      See screen-shots below

      Intel-Risk-Assessment-Tools

      1 user thanked author for this post.
      • #112771

        Disabling the Windows software (as you did in an earlier post) might result in false negatives.

        • #112775

          False Negative: OK I guess, but in the ‘older’ version of the Assessment Risk Test, the system was marked as “Vulnerable” WITH the ME driver active, then in the ‘newer’ version, it was found to be “Not Vulnerable”, also WITH the ME driver installed and active.

          I also totally uninstalled the IME ‘device’ by deleting the driver file when deleting the device in Device Manager (made a System Restore Point first), re-booted, and ran the ‘older’ version of the Risk Assessment Tool, and the test came back as “Not Vulnerable” with the ‘older’ version of the tool. The missing device & driver in Device Manager is shown as a PCI communications controller. Upon doing a System Restore, the IME device and software came back as expected.

          I read the article on SemiAccurate.com you linked to, and it could be because Intel has decided that ‘Consumer’ systems (the Dell OptiPlex 790 is reported as a Consumer SKU in the Risk Assessment Tool) are not vulnerable, so that could be why the newer version of the tool now reports that the Dell OptiPlex 790 is in the clear. Maybe sort of ignore the problem and it will go away? Just re-classify the system, and it’s fixed?

          • #112776

That’s interesting indeed. Also interesting is that when I ran the Intel Management Engine Verification Utility mentioned in post 112660 on my consumer-grade PC, it gave specific versions for “FW Version” (= 6.0.0.1184) and “MEI Driver Version” (= 6.0.0.1179), which perhaps lends some credence to the fusing claims in the article mentioned in post 112767.

    • #112789

      Time to rip out the Intel based mobo and replace it with a shiny new AMD board I suppose. 🙂

      Windows 10 Pro 22H2

      • #112790

        Yes, I was considering pulling the trigger on a used i5 to extend the working life of my i3 B series system, now I’m wondering who to approach for sponsorship to go Ryzen instead…

        1 user thanked author for this post.
        • #112791

          That thought has been in my mind also for a Linux build, but that pre-dated this new Intel issue. Ryzen may be a bit too bleeding edge for a Linux build (at least for me). I am familiar with using Linux, but not being a pioneer at debugging Linux on new hardware.

    • #112806

      There is a good thread on this on news.ycombinator.com, (HN). It’s where I found out about LMS.exe. (Windows 8.1 Pro). I then searched for LMS.exe in my search engine. Found a site which showed how to uninstall LMS.exe. (Via Control Panel, uninstall programs!). Did that, no problems. What does that do? Blocks remote exploitation. Too cagey to download their “checker”. Does that solve ME? No. Nothing will. Hope this gets some real publicity beyond tech circles, so people are aware of it. In that thread there is also a post from someone who shows how to check on Linux. Probably it’s more than just business machines.

      • #112811

        (same anonymous) to find the site, type in “what is LMS.exe” in your search engine. Gives a good explanation of what it is and how to uninstall. (Follow that, and don’t delete other Intel folders).

    • #112814

      Intel’s detection program is now at v1.0.1.6. (see below re detection guide)

      • #113147

        @Kirsty: the Detection Guide currently is at v1.2, but the detection program is currently at v1.0.1.6.

        1 user thanked author for this post.
        • #113155

          When I checked it abt 2 hrs ago, the detection guide was still showing v1.0 at the top of the page! It’s so hard to keep it all straight, but it’s certainly “1.2” on the download button 🙂
          Thanks for your diligent research on this!

          • #113157

            You’re welcome and thank you also :).

            At the bottom left of the link in your post, please note that the name of the detection program is currently Intel-SA-00075_1.0.1.6.

            2 users thanked author for this post.
    • #112901

      From theregister.co.uk today:

      “Thanks go to Embedi, which reverse engineered the code [PDF] and also reported the flaw to Intel back in March. Tenable also poked around in the binaries and came to the same conclusion earlier this week.

      Intel has published some more info on the vulnerability here, which includes links to a tool to check if your system is at-risk, support contact details, and a list of mitigations to reduce the threat. That tool is apparently Windows-only; there’s info here for Linux peeps.

      There is also this third-party tool, here, for disabling AMT from Windows.

      We’re told the programming blunder is present in various, but not all, Intel processor chipsets from today’s Kaby Lake family back to silicon sold in 2010: it mainly affects business PCs, professional workstations and small servers, rather than devices aimed at normal folk. However, Chipzilla admitted today that “consumers and small businesses” may end up using processors with the vulnerable tech present.

      If you’re using a vPro-enabled processor and have provisioned AMT versions 6 to 11.6 on your network, you are definitely at risk of the above vulnerability. This also affects Intel’s Standard Manageability (ISM) and Small Business Technology (SBT) features. We recommend you use Intel’s utility to double check whether or not you are being silently menaced by this bug.”

       
      Read the full article here

      • #112923

        The most shocking thing in the article is the headline:

        How to remote hijack computers using Intel’s insecure chips: Just use an empty login string

      • #113009

        Just “WOW!!!” to the empty login string thingy.  Evidently, somebody at Intel failed CompSci 101 …

        Windows 10 Pro 22H2

      • #113013

        “If you have anything connected to the Internet with AMT on, disable it now. Assume the server has already been compromised.”

        This is big …

        Windows 10 Pro 22H2

    • #112973

      Detection Guide is now at v1.2.

      1 user thanked author for this post.
    • #113022
      • #113201

        If it is not provisioned, and you delete the folder with LMS.exe (you can infer this from the tenable article), you can’t be remotely exploited, right?

        • #113209

          From https://arstechnica.com/security/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/?comments=1&post=33282999:

          “Almost. LMS is only required for an unprivileged local user to provision AMT. If AMT is already provisioned, you’re vulnerable even if LMS isn’t installed. “

          • #113311

            Thanks. From further reading, it takes some time to provision – ie, you would know if your computer was provisioned, eg, you have a Pro version of Windows, and aren’t sure. Also, the local exploitation would be by, say, malware a user had downloaded. (Again, if you delete LMS.exe, it can’t call home). I keep mentioning this because I wonder if some readers are going to panic about all this. (And maybe download “fixes” for it). The fix has to come from the OEMs, and that may take some time. (Why not just block the call home part?). (There is a good post in a Reddit discussion which is very informative, and gave me the info about provisioning and malware exploiting locally). Search Intel AMT in Reddit search, I think it is the second discussion.

            Perhaps users who have not provisioned their computers should not panic is what I am saying. This exploit has been found after seven (!) years. A real problem for business, of course.

            1 user thanked author for this post.
    • #113029
      1 user thanked author for this post.
      • #113059

        I’m really surprised that Intel let the exploit details become public information so early before the first patches were released, some of us will have to wait up to a month.

    • #113046

      Important Security Information about Intel Manageability Firmware
      May 5, 2017

      https://newsroom.intel.com/news/important-security-information-intel-manageability-firmware/

      Update: Details of how to exploit this vulnerability are now public. It is important to take steps to secure vulnerable systems as soon as possible. See our mitigation guide or customer service details below.

      On May 1, Intel published a security advisory regarding a firmware vulnerability in certain systems that utilize Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM) or Intel® Small Business Technology (SBT). The vulnerability could enable a network attacker to remotely gain access to business PCs or devices that use these technologies.

      The security and confidence of the people and businesses who use Intel products and technologies are paramount to us, and we are doing everything we can to address the situation as quickly as possible.

      We have implemented and validated a firmware update to address the problem and we are collaborating with computer-makers to facilitate a rapid and smooth integration with their software. We expect computer-makers to make updates available beginning the week of May 8 and continuing thereafter.

       
      Read the full News Byte here

      2 users thanked author for this post.
    • #113141

      Gulp. New analysis by Dan Goodin at Ars Technica.

      The hijacking flaw that lurked in Intel chips is worse than anyone thought
      Patch for severe authentication bypass bug won’t be available until next week.

      • #113160

        So my next question …

        [tin foil hat on] Is the Intel patch actually a new NSA backdoor? [/tin foil hat off]

        Windows 10 Pro 22H2

    • #113211

      Dell Client Statement on Intel AMT Advisory (INTEL-SA-00075) (posted by Dell on May 5)

      Note: please also see updated first post in this topic.

    • #113213

      From Intel x86s hide another CPU that can take over your machine (you can’t audit it):

      “Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine. When these are eventually compromised, they’ll expose all affected systems to nearly unkillable, undetectable rootkit attacks. I’ve made it my mission to open up this system and make free, open replacements, before it’s too late.”

      1 user thanked author for this post.
      • #113227

        That pretty much sums up everything bad I’ve ever read about this Intel mess …

        Can they really patch this, or will it require a forklift upgrade?

        Windows 10 Pro 22H2

      • #113229

        The thing that I find most surprising about that article is that it was published last year in June 2016!  I guess that not enough folks were nervous about it, until the latest exploit revelations!

        When I built my recent consumer grade Intel system I was curious why I had to install the Intel Management Engine Interface drivers.  I poked around the Intel forums, but could find very little info on the topic.  Top secret, I suppose …

        Also scratched my head on why there was a network stack option in my BIOS for PXE support.  I disabled it!  Things get curiouser and curiouser.  Intel states that: “Preboot Execution Environment (PXE) defines a method for booting computers using a network interface, independent of local storage devices or installed operating systems (OSs). On platforms with UEFI firmware, PXE is supported by a network stack in the client firmware. The network’s DHCP provides a path to a boot server and network bootstrap program (NBP), downloads it into the computer’s local memory using TFTP, verifies the image, and executes the NBP.”  Hmmmm…

        The best comment on the article you linked to:

        “Speaking from my limited experience with Intel AMT(we don’t use it at work; but some of the hardware we have is capable of it so we’ve tested it), one can see why it would be an attractive IT management feature; but one can also see why it would make people nervous.

        The capabilities depend both on firmware and on hardware(minor version bumps are usually doable with firmware; major version bumps occur when a new chipset is rolled out, wikipedia has a roundup of the versions.

        At least with reasonably new AMT, the capabilities are quite sophisticated. The ARC(or, amusingly enough, SPARC in newer versions; who would have thought that Intel is probably one of the world’s leading SPARC vendors, by volume?) core remains active at all times when power is available(so all the time for desktops, most of the time for laptops) and has its own IP stack, so you can talk to it even if the main computer is powered off, has no OS, or even has all the RAM pulled. The AMT device can also(sometimes this requires cooperation with the guest OS, exactly when it does and doesn’t gets really tedious really quickly) establish VPN links back to HQ even if the device is on an external network.

        One particularly impressive(if, equally, disconcerting) capability is the ability to act as an IP KVM: so long as the host computer is using intel graphics, you can connect through AMT and view the screen(including POST and boot stuff, prior to the OS loading) and use a virtual keyboard and mouse for remote control, as well as mounting ISOs over the network. It’s based on a slightly oddball implementation of VNC; but it’s a version of VNC that is baked into the hardware and works regardless of the state of the host OS.

        The capabilities are pretty cute; but, as always, ‘pretty useful for the IT guys’ and ‘zOMG rootkit from hell!’ is less a technical difference than a difference in ownership and motive.”

        Windows 10 Pro 22H2

        • #113260

Thanks. I’ve also noticed a certain name brand consumer Intel platform laptop model’s battery would discharge too quickly in the span of one week. The owner and I thought the included battery was defective, but that conclusion did not make sense as the battery is able to power the computer for several hours.

          After a very long while, I thought maybe it could have been some component causing a parasitic discharge of the battery. That bit of information about the ME processor staying on… I believe this has solved the mystery of that quick discharge, perhaps this version/model of the ME is defective.

          I wonder if other people have had this same mysterious problem?

      • #113231

        Slide presentation on GitHub regarding how to disable AMT, vPro, ME.

        How to become the sole owner of your PC

        https://github.com/ptresearch/me-disablement/blob/master/How%20to%20become%20the%20sole%20owner%20of%20your%20PC.pdf

         

        Windows 10 Pro 22H2

        2 users thanked author for this post.
    • #113285

      Intel Firmware Vulnerability
      https://www.us-cert.gov/ncas/current-activity/2017/05/07/Intel-Firmware-Vulnerability

      Original release date: May 07, 2017

       
      Intel has released recommendations to address a vulnerability in the firmware of the following Intel products: Active Management Technology, Standard Manageability, and Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6. This vulnerability does not affect Intel-based consumer PCs. An attacker could exploit this vulnerability to take control of an affected system.

      Users and administrators are encouraged to review Intel Security Advisory INTEL-SA-00075 and updated mitigations and tools:

      Mitigation Guide v1.2 (May 5, 2017)
      Discovery Tool v1.0.1.6 (May 5, 2017)
      Unprovisioning Tool v1.0 (May 6, 2017)

      US-CERT recommends users and administrators review Vulnerability Note VU#491375 for additional information and refer to their original equipment manufacturer (OEM) for updated firmware.

    • #113292

Ran the discovery tool offered by Intel to find that both of our Windows PCs are not vulnerable 🙂

      Unfortunately, Linux seems a little bit more troublesome to diagnose, guess I’ll just have to wait it out.

      I would have thought that intel would release a bootable USB iso with the intel discovery tool which would help everyone, but, hey! That would make too much sense..

      Windows - commercial by definition and now function...
    • #113331

      Note this new post from Martin Brinkmann:

      https://www.ghacks.net/2017/05/08/detect-and-mitigate-intel-amt-vulnerability/

      Intel-SA-00075 version 1.0.16

    • #113347

      I was just wondering if the out-of-band networking used by the ME is dependent on the Ethernet controller on the motherboard.

      If you disable the integrated Ethernet network adapter in the BIOS, and just use a Wi-Fi USB dongle with a Windows driver, is the Intel management still able to communicate outside the box?

      This Wikipedia post on Intel AMT describes the hardware setup, and it got me thinking …

      Edit to remove incorrect link

      • #113366

        @ anonymous#113347

        It is possible for a hacker to access Intel AMT via the victims’ Wifi connection, …
        https://software.intel.com/en-us/articles/technical-considerations-for-intel-amt-in-a-wireless-environment

        • #113438

          The only way that the Intel AMT could access the network is by having access to the network stack in the integrated NIC.

          If one is using a laptop with an on-board Wi-Fi NIC, then it could be used in essentially the same manner as the on-board Ethernet NIC, just not in a low power state.

          So it would seem that if one was using a 3rd party USB Wi-Fi adapter, the motherboard chipset would not have the network stack info required to access the network out-of-band, provided LMS is disabled.  In this scenario, only the OS would be running the drivers for the active wireless NIC.

          Windows 10 Pro 22H2

      • #113373

I’ve seen comments that connecting using a second NIC might stymie this bug, providing the LMS service is disabled; if you have the resources to attempt that mitigation method, why not try.

    • #113420

      Even though my system is not vulnerable according to Intel’s tool, would it be prudent to disable the LMS service (Intel(R) Management and Security Application Local Management Service) which currently starts automatically on my machine? Thanks.

      Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

      • #113433

        Yes.

        1 user thanked author for this post.
      • #113443

        I have a couple of consumer Asus motherboards that have bundled the LMS service with their Intel Management Engine drivers package.

        I disabled LMS on both of them.  I even uninstalled the ME drivers on one, just for the heck of it, and nothing bad happened.  Although I did have to disable the PCI device in Device Manager to get rid of the exclamation point for that device now missing a driver.  🙂

        I also have a retail laptop with Intel ME drivers, but the OEM apparently did not include LMS.  Good for them!

        I really still have to wonder what ME is doing on retail versions anyway???

        Windows 10 Pro 22H2

        1 user thanked author for this post.
    • #113488

After reading all these posted links… The ME is claimed to perform some hardware setup. I loosely reckon it may be used as a Digital Rights Management system.

      https://www-ssl.intel.com/content/www/us/en/standards/intel-and-dctp.html

      • #113504
        • #113572

          Right!  But the thing that Intel has never explained well is what the heck ME is doing on consumer grade retail hardware.  Stuff that is never intended to be used with AMT or vPro, etc.

          As a home PC builder, having been supplied a driver installer for ME from the OEM, I have exhausted the Google search for this subject and the best that most tech forums can come up with amounts to “it does stuff”.  And on the Intel forums, I got the distinct impression that they did not wish to discuss it.

          Well I have removed it from my systems, and guess what?  They still work exactly as before!  All of my hardware still works, temperature and fan sensors still function, etc.  Startup and shutdown is fine.  No changes in performance.  Nothing really new in Event Viewer, except for the log showing where I disabled the Intel MEI.  🙂

          Windows 10 Pro 22H2

          3 users thanked author for this post.
          • #113777

            I have one question about all of this. I was under the impression before this incident that the ME was resident on the motherboard like a ROM chip or in BIOS. I do remember that upgrading the Intel ME on a build I did was done together with a BIOS update.

            With all that has been published I am now taking it to be on the HDD. I also remember reading that it is in a hidden partition that is loaded before boot.

            My question is if the original HDD (Win7-64Pro) in a business laptop has been removed and replaced with a clean SSD with a clean Linux installation is the ME or AMT still an issue? Or does it flip switches in the CPU?

            In a nutshell, where is the AMT or ME?

            • #113797

              Hey Bill, the ME is on the motherboard. At least for the Ivy Bridge gen CPU (released 2012) socket LGA 1155 I am running, with a Cougar Point chipset (released 2011) on the motherboard.

              The Intel Management Engine Interface is presented to Windows as a PCI device.  As soon as I uninstalled the Intel ME Interface software, I got a bang! symbol in device manager that a PCI device was missing drivers.  Disabled it, and no more errors!  🙂

              But everything is still running A-OK!!!

              Windows 10 Pro 22H2

              2 users thanked author for this post.
            • #113807

              Thanks! That is what I expected. I guess I could take out the Ubuntu Linux 16.04 LTS SSD and re-install the original Win7-64Pro HDD, run the Intel tool to check, and if vulnerable disable it and then go back to Linux. It is the wife’s Lenovo Thinkpad T420 with an i7-2620M from the 2011-2012 era.

              I have to check the Lenovo site about whether they say it is vulnerable, but my Lenovo E440 Thinkpad according to Lenovo is not vulnerable, but the Intel tool says it IS vulnerable and does have one of the vulnerable ME engines. Go figure.

              Actually, with how that laptop PC is used (desktop replacement for email and browsing only, and never on the road), I am not too concerned.

            • #113816

              Hey Bill, sorry but that is not how it works.  You cannot permanently disable a chipset feature from within an OS, such as Windows or Linux.  You have to do it with a BIOS option, or flash a newer BIOS in the motherboard.

              In my case, Windows detects the motherboard ME feature when it boots up and looks for a driver.  If one is not installed, it raises an error flag in Device Manager.  Disabling the ME from within Windows, only tells Windows to disregard that particular hardware device, and to stop trying to load a driver.

              If you load a different OS on the same PC, such as Linux, you will need to instruct that OS on what to do with any motherboard chipset features.  When I installed Linux on one of my Asus boards, I do not recall having loaded any OEM Intel drivers except for the integrated HD graphics.  So maybe ME and AMT are not a big issue on Linux, but I am afraid that I do not know any specific details in that regard.

              Windows 10 Pro 22H2

        • #113798

          Thank you for that link to that educational diagram.

          (Okay, that explains what happened to a computer’s on-board network interface card when an enterprising human solved their ME problem*.)

          I was thinking that the management engine also handled digital rights management because of the Intel(R) Content Protection HECI Service.

          I hope everybody’s quest to update their affected systems’ firmware works out well for them.

          (*Is it okay to link to these kinds of hacking posts?)

      • #113501

        @ anonymous#113488

        Without DTCP, Hollywood studios and other content owners would have been reluctant to ever allow video on demand or pay-per-view digital movies, much less permit a DVR to receive digital television content. Their fear: piracy.

        No, Intel ME/AMT is not usually used for DRM.

    • #114239

      From Intel AMT on wireless networks:

      “AMT actually supports being accessed over wireless networks. Enabling this is a separate option – if you simply provision AMT it won’t be accessible over wireless by default, you need to perform additional configuration (although this is as simple as logging into the web UI and turning on the option). Once enabled, there are two cases:”

      1 user thanked author for this post.
    • #114740

      Fernando has an excellent guide to the Intel MEI; there is background info, info on this vulnerability, and a firmware repository:

      http://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html

      1 user thanked author for this post.
    • #115510

      I have updated the top post in this topic, to include new manufacturer links re BIOS updates etc.

      From Intel:
      INTEL-SA-00075 Detection Guide
      Version: 1.0.1 (Latest) Date: 5/10/2017

      Discovery Tool v.1.0.1.39

      Detection Guide v.1.3

      1 user thanked author for this post.
    • #146680

      Intel have released another security bulletin about the Intel ME (and other) firmware: see details here

      1 user thanked author for this post.
      • #149344

        Hi, Kirsty:  I’m just now finding this “topic”.  Unfortunately I “know nothing” about it.   I’ve had an “update” from Intel in my “updates list”, however I don’t know what to do with it.  It’s frustrating to be “that” dense, I know.   I’ll just keep “waiting” until I find out what it’s all about.    You do a great job, and I want to tell you how much you are appreciated by all of our members!    🙂

        • #149410

          Thanks @Walker!

          If you are offered an Intel update from Windows Update, that is usually an indication to go to the source, and download what Intel recommend (same for other drivers, such as NVidia etc). I’m sure you will have seen, numerous times here on AskWoody, that driver-type updates from Windows Update are best avoided, as they are often problematic.

          Your first task would be to check if you are vulnerable, both for this vulnerability and the new one this month (links to both are on this page). If either indicates you are vulnerable, follow the manufacturer links to get your appropriate update (Intel do not supply them to users).

          1 user thanked author for this post.
          • #149879

            Hi, Kirsty!  I’ve had this update for quite a while, and I do recall seeing numerous warnings about installing them, so I’ve basically just let it “sit” because at least there it’s innocuous (I “think”).  With the messes we have out there now, I don’t want to invite any more problems, so I will try to continue to monitor it.

            Thank you for all of the good information, references, and advice about this one.   You do a great job, and we all sincerely appreciate your outstanding help.   🙂
