Description:
Intel has issued a security advisory to address a privilege escalation vulnerability in Intel manageability products including Intel Active Management Technology (AMT), Intel Small Business Technology (SBT), and Intel Standard Manageability (ISM). A potential attacker can gain system privileges to control the manageability features provided by these products. A local attacker could exploit this vulnerability in AMT, SBT and ISM, while a remote attacker could exploit AMT and ISM.
Affected Systems:
Intel-based computers running the Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel AMT, SBT, and ISM.
Impact:
An unprivileged local or network attacker could gain system privileges to Intel manageability features of a vulnerable system.
Check if a system is vulnerable:
- Identify the CPU model number, e.g. i5-6200 (on Windows computers by right-clicking the "Computer" icon and selecting "Properties"; alternatively from the inventory record, the BIOS settings, etc.)
- Go to the following Intel website link to look up the CPU specification by entering the CPU model number in the search field
http://ark.intel.com/Search/Advanced
- Under the "Advanced Technologies" section, the item "Intel® vPro™ Technology" indicates whether the CPU supports vPro features. If "No", the system is not affected and no further action is required. If "Yes", the CPU is affected; proceed to the next step (downloading the Discovery Tool) to check whether the manageability firmware version is vulnerable.
- Download the INTEL-SA-00075 Discovery Tool from the following url:
https://downloadcenter.intel.com/download/26755
- Extract "Intel-SA-00075-console.exe" from the downloaded zip file and execute the program using the following command with administrative rights:
Intel-SA-00075-console.exe -n
System administrators can use the above command as a basis for scripts or tasks within management consoles to deploy the vulnerability check at scale.
- The program will output the system information including the following "Risk Assessment" section:
*** Risk Assessment ***
Based on the version of the ME, the System is <Vulnerable / Not Vulnerable / Not Vulnerable (verify configuration)>.
If the system is reported as "Not Vulnerable", no further action is required; otherwise, the system is vulnerable and you should proceed to follow our recommendation.
For details about the Discovery Tool, please refer to the "INTEL-SA-00075 Detection Guide" available at the following url:
https://downloadcenter.intel.com/download/26755
Recommendation:
- Check with the system OEM for the updated firmware and update the firmware to a non-vulnerable version; or
- Follow the "INTEL-SA-00075 Mitigation Guide" available at the following url for the mitigation measures:
https://downloadcenter.intel.com/download/26754
In essence, the Mitigation Guide advises two major steps:
- Unprovisioning Intel manageability clients, to prevent an unprivileged network attacker from gaining system privileges. This can be done by running the following command with Intel Setup and Configuration Software:
ACUConfig.exe UnConfigure (only works in client control mode (CCM))
- Disabling or removing the Local Manageability Service (LMS), to prevent an unprivileged local attacker from gaining system privileges. This can be done by running the following Windows sc (Service Controller) commands:
sc config LMS start= disabled
sc delete LMS
Please note that capabilities and features provided by AMT, ISM, and SBT will be made unavailable when these mitigations are implemented.
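The following PowerShell script is an added example for administrators who want to deploy the Discovery Tool check described above at scale and, on the same pass, record whether the LMS mitigation is in place; it is not part of the advisory and not Intel's own tooling. It assumes the extracted Intel-SA-00075-console.exe is at the path in $ToolPath, that the "-n" switch and the "*** Risk Assessment ***" line quoted above are the only tool output it relies on, and that it runs with administrative rights (Get-Service's StartType property needs PowerShell 5 or later).

```powershell
# Added example (not from the advisory or from Intel): run the INTEL-SA-00075
# Discovery Tool, parse its Risk Assessment verdict, and report the state of the
# Local Manageability Service (LMS) so a management console can see both the
# vulnerability status and whether the local mitigation has been applied.
# Assumptions: tool location in $ToolPath; "-n" switch and the
# "Based on the version of the ME, the System is <...>." line as shown in the
# advisory; script runs elevated.

param(
    [string]$ToolPath = 'C:\Tools\Intel-SA-00075-console.exe'   # assumed location
)

function Get-SA00075Status {
    param([string]$Exe)

    if (-not (Test-Path -Path $Exe)) {
        throw "Discovery tool not found at $Exe"
    }

    # Capture the tool's output; "-n" is the switch the advisory prescribes.
    $output = & $Exe -n 2>&1 | Out-String

    # Parse the verdict. Alternatives are ordered so that the longer
    # "Not Vulnerable (verify configuration)" is tried before "Not Vulnerable",
    # and plain "Vulnerable" only matches when neither of those did.
    $verdict = 'Unknown'
    if ($output -match 'the System is\s+(Not Vulnerable \(verify configuration\)|Not Vulnerable|Vulnerable)') {
        $verdict = $Matches[1]
    }

    # Mitigation state for the local vector: LMS absent (sc delete) or disabled
    # (sc config LMS start= disabled) means the advisory's local mitigation is in place.
    $lms = Get-Service -Name LMS -ErrorAction SilentlyContinue
    $lmsState = if ($null -eq $lms) {
        'Absent'
    } else {
        "$($lms.Status) / StartType=$($lms.StartType)"
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RiskAssessment = $verdict
        LMSService     = $lmsState
        Checked        = (Get-Date).ToString('s')
    }
}

$result = Get-SA00075Status -Exe $ToolPath
$result | Format-List

# A non-zero exit code lets a scheduled task or management console flag
# hosts that still report "Vulnerable".
if ($result.RiskAssessment -eq 'Vulnerable') { exit 1 } else { exit 0 }
```

Run it from an elevated PowerShell session (or as a scheduled task / management-console job) and collect the emitted object per host; "Unknown" as the RiskAssessment value means the tool's output did not contain the expected Risk Assessment line and the host should be checked by hand.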
More Information:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
https://www.hkcert.org/my_url/zh/alert/17050501
https://www.us-cert.gov/ncas/current-activity/2017/05/01/Intel-Firmware-Vulnerability
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5689