AMT, or Active Management Technology, is an Intel technology that combines hardware and firmware and is used for maintaining and updating systems. Last week, Intel issued a security advisory for their server-based products that said AMT could be exploited to give unauthorised parties access to a number of processor features. Analysis at SSH Communications Security says this is a very serious issue and that owners of affected systems should disable AMT. Consumer systems are not affected.
The exploit, officially noted as CVE-2017-5689, is a big deal. Often, we hear about vulnerabilities that require a very specific set of circumstances in order to be used by threat actors. Here’s what SSH says:
The exploit is trivial, max five lines of Python, could be doable in one-line shell command. It gives full control of affected machines, including the ability to read and modify everything.
Intel has made it clear what systems they believe are affected:
The issue has been observed in Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel® Active Management Technology, Intel® Small Business Technology, and Intel® Standard Manageability. Versions before 6 or after 11.6 are not impacted.
Given that Intel’s nomenclature can be a tad confusing, what I understand is that if your machine came with an Intel vPro sticker and Windows was pre-installed, then you’re likely to be affected, as AMT is enabled by default.
There are some mixed signals coming from security analysts, with Hardware.info saying systems running processors ranging from 2008’s Nehalem series through to today’s Kaby Lake are impacted, including consumer systems. But others are saying consumer systems aren’t hit.
Intel’s advisory provides links to firmware updates for affected HP, Lenovo, Fujitsu and Dell systems.
The Hacker News provides some further information, as well as suggestions on a GitHub script to disable AMT and on other mitigation strategies.