Using BigFix to Detect and Mitigate the Intel AMT vulnerability (CVE-2017-5689)

Posted by Mike Consuegra on May 11, 2017 1:14:03 PM

Recently a huge vulnerability was discovered in many Intel chips by an outfit in California called Embedi. Since this security hole grants such wide-ranging permissions to unprivileged users and is present in so many of Intel's chips, it has been discussed at length here and here and here and here among others places. For this reason, I won't go into the specifics other than to say that it allows an attacker with little to no privileges to take over affected computers. 

Many Intel chips have firmware with features called Active Management Technology (AMT), Intel Standard Manageability (ISM), or Small Business Technology (SBT).  These have the ability to grant an administrator full access to the computer so that patches can be applied, firmware can be updated, and other administrative tasks can be performed. The problem is that not only can legitimate admins use it, but due to its terrible implementation, bad actors can too. Since AMT has direct access to a computer's NIC, it can bypass the security safeguards of the operating system. Therein lies the problem. It's essentially an unlocked 'backdoor'.

Intel has created a utility that can detect whether a computer is vulnerable.  In order to facilitate the distribution and execution of this tool, I've created BigFix content that can download, run, and display the results of this tool right on the console. I also created a basic mitigation task using the Windows Firewall.

Detection:

The first step is to detect whether or not your computers are at risk. I created a task called "Scan for Intel AMT Vulnerability_V1.0.1.6" which will download the tool directly from Intel, run it in console mode, and produce the results xml file. The task can be downloaded here:

Consuegra Blog image 1 of 4.png

Along with this task there is also an analysis called "Intel AMT System Status" that parses the results file and shows the operator the "System Risk" or "System Exposure" of each computer. Those properties can be used to create reports, quarantine devices, or otherwise keep an eye on a specific number of computers that are at risk. That Analysis can be downloaded here:

Consuegra Blog image 2 of 4.png

Once you've established which systems are at risk, you must act. Unfortunately, the only way to truly close this hole is at the firmware level. While Intel has released a patch for the vulnerability this code must be integrated and released by each machine manufacturer as a firmware update and this will take time. So what can you do in the meantime?

Intel says that the AMT service listens for commands on certain ports so the simplest way to put a temporary patch on this issue is to block those ports.  While you can block these at the enterprise firewall if the attacker is already in your network he won't be crossing any firewalls to get to your devices. So the next logical step is to block the ports locally on each of the vulnerable devices using the device's own firewall. Below is an analysis that scans the firewall rules in the Windows Registry and determines if there are any rules specifically blocking incoming connections on these ports:

Consuegra Blog image 3 of 4.png

Mitigation:

If you do find open ports and want to do something about it, I've also created a Task that will create a rule blocking incoming connections on any Windows devices that are running at least Windows 7 (O/S version > 6.1):

Consuegra Blog image 4 of 4.png

Note that if enabled and configured, AMT works even if the computer is off, so this may only be effective if the computer is turned on. However, until system vendors release a firmware update, your alternatives are to unplug the device from the internet in addition to blocking ports at firewalls.

As a last resort you can also disable the following service:

"Intel Management and Security Application Local Management Service"

Topics: Cyber Security