[conspire] (forw) [svlug] Intel Active Management Technology (AMT): not necessarily your friend

Rick Moen rick at linuxmafia.com
Wed May 3 23:08:47 PDT 2017


LWN.net covers the below-cited matter in its usual crystal-clear way.
Normally, that would be subscriber-only for another week (because it's
an article in this week's Linux Weekly News), but as a subscriber I 
am allowed to offer y'all a special URL to read this one article:
https://lwn.net/SubscriberLink/721586/7a5e4348f30c07ee/

That having been said, if you can afford to subscribe to LWN and are
interested in Linux, you should subscribe.  It's a uniquely valuable 
periodical.


----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Wed, 3 May 2017 17:20:42 -0700
From: Rick Moen <rick at linuxmafia.com>
To: svlug at lists.svlug.org
Subject: [svlug] Intel Active Management Technology (AMT): not necessarily
	your friend

Pitfall inside.

A decade-plus ago, Intel started building embedded control structures
deep into its chipsets.  One, present in many but not all Intel x86
motherboard chipsets since 2008 starting with 'Nehalem', is the Active
Management Technology (AMT) out-of-band network service, intended to
permit out-of-band system management on one of network ports
16992-16995[1] (over ethernet)[2], to remotely reboot, repair, and
tweak hosts, and has total control of the host from ring -2, below the
level of the normal hardware (ring 0).  It's supposed to require an
access password, and then provide remote serial console or VNC.

Gosh, what could possibly go wrong?  Enter CVE-2017-5689.
Um, yes, they messed that up, not counting the entire thing being a bad
idea, anyway.  (Details are not yet fully released, and it's best 
to check links such as those I give below, in case I've gotten something
wrong or there are new developments.)

AMT is built atop a slightly earlier feature called Management Engine
('ME', introduced with the Core 2 in 2006), and on current systems is
said to run on SPARC core circuitry (yes, on your Intel-based
motherboard).

With some Intel circuitry, there are ways that have been discovered to
wipe out the ME, which seems a fabulous idea to me.


On any local system with AMT drivers installed (a root operation), 
unprivileged local users can also connect to the AMT with full
administrative privilege, in addition to the remote risk.

Some Intel systems ship with AMT, others don't.  Most that ship with it
don't have it turned on by default.  But, if yours does, it has a big
security problem.  (AMT can still be exploited locally even if it's
defaulted to shut off, as a local user can switch it on.)

https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/
https://www.embedi.com/news/mythbusters-cve-2017-5689
https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/
http://mjg59.dreamwidth.org/48429.html
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075
https://downloadmirror.intel.com/26754/eng/INTEL-SA-00075%20Mitigation%20Guide-Rev%201.1.pdf

Bottom link is the mitigation guide, telling you how to use MS-Windows's
built-in command line program 'SC' to deal with the problem.  As usual,
they assume everyone runs MS-Windows, but an open-source tool for *ix 
that seems to offer the same functionality is here:
https://software.intel.com/en-us/articles/download-the-latest-intel-amt-open-source-drivers/

First link in the above set (the one to read even if you read nothing else)
is particularly damning, as it says researcher Charlie Demerjian has
been trying to take the security problem seriously for years.  Demerjian
claims you should disable or install Local Manageability Service (LMS)
to block access to AMT, and that related features ISM (Intel System
Management) and SBT (Small Business Technology) are also problems.  (See
link for more.)


[1] Intel's mitigation guide also says ports 623 and 664.
[2] Commenters on Matthew Garrett's blog (see link) claim AMT is also
reachable over Intel wifi interfaces.




----- End forwarded message -----
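As an added example that is not part of Rick's post, the cited advisory, or Intel's tooling: a small inventory script a sysadmin can run against their own hosts to learn whether any of the AMT/ASF management ports named above (16992-16995 from the post, 623 and 664 from the mitigation guide in footnote [1]) are answering, so the box can be checked against INTEL-SA-00075 and have AMT unprovisioned. The service names in the port table are my annotation, and the triage wording is my own.

```python
#!/usr/bin/env python3
"""Inventory check: which Intel AMT / ASF management ports answer on a host?

Added example for defenders; not code from the mailing-list post or from
Intel.  It only does ordinary TCP connects, so it runs unprivileged.
"""
import socket
from typing import Dict, Iterable, Set

# 16992-16995 are the AMT ports named in the post; 623 and 664 come from
# Intel's INTEL-SA-00075 mitigation guide.  Service names are my annotation.
AMT_PORTS: Dict[int, str] = {
    16992: "AMT web/SOAP (HTTP)",
    16993: "AMT web/SOAP (HTTPS)",
    16994: "AMT redirection (SOL/IDE-R)",
    16995: "AMT redirection (TLS)",
    623: "ASF/RMCP",
    664: "ASF/RMCP secure",
}


def probe_port(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a full TCP connect to host:port completes in time.

    A completed connect only tells us something is listening; it does not
    authenticate or talk to the service, which is all an inventory needs.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_host(host: str, ports: Iterable[int] = tuple(AMT_PORTS),
              timeout: float = 1.0) -> Set[int]:
    """Return the subset of `ports` that accept a TCP connection on `host`."""
    return {p for p in ports if probe_port(host, p, timeout)}


def assess(open_ports: Set[int]) -> str:
    """Turn a set of listening ports into a one-line triage verdict."""
    amt = sorted(p for p in open_ports if 16992 <= p <= 16995)
    asf = sorted(p for p in open_ports if p in (623, 664))
    if not amt and not asf:
        return "clean: no AMT/ASF management ports listening"
    parts = []
    if amt:
        parts.append("AMT reachable on " +
                     ", ".join(f"{p} ({AMT_PORTS[p]})" for p in amt))
    if asf:
        parts.append("ASF/RMCP reachable on " +
                     ", ".join(f"{p} ({AMT_PORTS[p]})" for p in asf))
    return ("ACTION: " + "; ".join(parts) +
            " -> check firmware against INTEL-SA-00075 and unprovision AMT")


def self_check() -> bool:
    """Offline proof that probe_port behaves: listen on a loopback
    ephemeral port (constructed locally, not a real AMT service), confirm
    the probe sees it, close it, confirm the probe then reports closed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        seen_open = probe_port("127.0.0.1", port, timeout=1.0)
    finally:
        srv.close()
    seen_closed = not probe_port("127.0.0.1", port, timeout=1.0)
    return seen_open and seen_closed


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or ["127.0.0.1"]:
        found = scan_host(target)
        print(f"{target}: {assess(found)}")
```

Run it with one or more hostnames of machines you administer (`python3 amt_inventory.py host1 host2`); with no arguments it checks the local machine, which also covers the local-access risk Rick describes, since a provisioned AMT answers on the host's own address. A "clean" result from the network side does not prove AMT is absent, only that it is not currently listening, so pair it with the firmware-version check in Intel's advisory.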



