Intel AMT Vulnerability
Last updated on: September 6, 2020
Last week, Intel published a security advisory (INTEL-SA-00075) regarding a new vulnerability in Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT). The firmware versions impacted are 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6. In addition to the vulnerability disclosure, details of how to exploit it remotely have been released publicly.
Exploitation of this vulnerability could allow an attacker to gain complete control of an affected system. Updated firmware will be released by the system OEM, but Intel has provided mitigation steps to prevent remote exploitation of the vulnerability. The Qualys Cloud Platform can help you detect any vulnerable systems, allowing you to quickly target them for mitigation.
Detecting the Vulnerability
We released QID 43506 on May 2 to detect this vulnerability using Qualys Vulnerability Management. This detection supports both unauthenticated and authenticated scans, as well as the Qualys Cloud Agent. Qualys ThreatPROTECT also provides one-click access to a continuously updated list of impacted assets through the Live Feed.
Mitigations
Intel has released a mitigation guide that covers several mitigation options, including de-provisioning and removing the affected LMS service.
Detecting Mitigations using Qualys AssetView and the Qualys Cloud Agent
The Qualys Cloud Agent collects a list of running services, which can be queried using Qualys AssetView. Using the following query, you can detect systems that have both the vulnerable AMT versions and also have not had the mitigation steps applied:
vulnerabilities.vulnerability.qid:43506 and services:(name:LMS and status:running)
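The following is an added example (not Qualys code, and not the AssetView query engine) that applies the same logic as the query above to a constructed asset inventory, and additionally separates assets where LMS is no longer running but QID 43506 still fires, since those still need the OEM firmware update. Field names such as `qids` and `services` are assumptions, not the real AssetView schema.

```python
# Added example: triage an asset inventory the way the AssetView query
# "qid:43506 and services:(name:LMS and status:running)" does, plus one
# extra bucket for assets that applied the LMS mitigation but still run
# affected firmware. Field names are assumed, not the real AssetView schema.

AFFECTED_QID = 43506  # Qualys QID for INTEL-SA-00075 (from the article)

# Constructed sample inventory, shaped like what a Cloud Agent might report.
SAMPLE_ASSETS = [
    {"hostname": "ws-01", "qids": [43506],
     "services": [{"name": "LMS", "status": "running"}]},
    {"hostname": "ws-02", "qids": [43506],
     "services": [{"name": "LMS", "status": "stopped"}]},
    {"hostname": "ws-03", "qids": [],
     "services": [{"name": "LMS", "status": "running"}]},
    {"hostname": "srv-01", "qids": [43506],
     "services": [{"name": "Spooler", "status": "running"}]},
]


def lms_running(asset):
    """True if the Intel LMS service is present and running on the asset."""
    return any(s["name"].upper() == "LMS" and s["status"] == "running"
               for s in asset["services"])


def classify(asset):
    """Map one asset to a remediation bucket."""
    if AFFECTED_QID not in asset["qids"]:
        return "not_vulnerable"
    if lms_running(asset):
        # Exactly what the AssetView query on the page returns.
        return "unmitigated"
    # LMS stopped or removed, but the detection still flags the firmware:
    # the mitigation is in place, the OEM firmware update is not.
    return "mitigated_unpatched"


def triage(assets):
    """Group hostnames by bucket so each list can be worked separately."""
    buckets = {}
    for asset in assets:
        buckets.setdefault(classify(asset), []).append(asset["hostname"])
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_ASSETS).items():
        print(f"{bucket}: {', '.join(hosts)}")
```

Note that, like the AssetView query, this only checks the LMS service: an asset that was de-provisioned but still has LMS running will still land in the unmitigated bucket.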
Get Started Now
To start detecting and protecting against critical vulnerabilities, get a Qualys Suite trial. All features described in this article are available in the trial.
Jimmy,
Could you describe how this vulnerability is a threat in the local scenario? I understand the threat at the network level, but I have read that even if the service is not provisioned, this vulnerability remains a threat at the local level. I am not seeing how that is the case. If the service is not provisioned, then there is no threat, and in order to provision the service, a user needs administrative privileges (or needs to have physical access). If a user has admin privileges already, then exploiting this buys them nothing (and physical access implies root privileges anyway, a la USB attacks among others). Am I missing something?
Joseph.