Intel AMT, ISM and SBT Vulnerability – May 3, 2017 8:30 PT

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM). An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT). This vulnerability does not affect Intel-based consumer PCs or Mac/Apple computers.

Mitigating Factors

If AMT or ISM is provisioned, then the system is vulnerable to network attacks against this vulnerability; if neither AMT nor ISM has been provisioned, then only local logged-in users are potentially able to exploit the vulnerability to escalate privileges.

 

Encryption & TPM

If BitLocker encryption is in use then Microsoft recommends it be suspended prior to upgrading the firmware.

 

Guidance for non-technical users

Contact your Dept IT Support staff for assistance.

 

Ports used for network communications

TCP 623, 664, 16992, 16993, 16994, and 16995


Severity

Critical


CVE Number

CVE-2017-5689


Impacted Platforms

The issue has been observed in Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability. Versions before 6 or after 11.6 are not impacted.

 

Recommended actions

Step 1: Determine if you have an Intel AMT, Intel SBA, or Intel ISM capable system: https://communities.intel.com/docs/DOC-5693.  If you determine that you do not have an Intel AMT, Intel SBA, or Intel ISM capable system then no further action is required.

 

Step 2: Utilize the Detection Guide to assess if your system has the impacted firmware: https://downloadcenter.intel.com/download/26755. If you do have a version in the “Resolved Firmware” column, no further action is required to secure your system from this vulnerability.

 

Step 3: Intel highly recommends checking with your system OEM for updated firmware. Firmware versions that resolve the issue have a four-digit build number that starts with a “3” (X.X.XX.3XXX). Ex: 8.1.71.3608.

 

Step 4: If a firmware update is not available from your OEM, mitigations are provided in this document: https://downloadcenter.intel.com/download/26754
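For triaging a fleet inventory against the version rules in "Impacted Platforms" and Step 3, the following is an added example and is not code from Intel or from this advisory. The hostnames and most version strings are constructed sample data, the function names are hypothetical, and the script assumes every release from 6.0 through 11.6 counts as in range.

```python
import re

# Constructed sample inventory: hostnames and versions are made up, except
# 8.1.71.3608, which is the example version given in Step 3.
SAMPLE_INVENTORY = {
    "ws-001": "8.1.71.3608",
    "ws-002": "9.5.22.1760",
    "ws-003": "11.6.27.3264",
    "ws-004": "11.7.0.1229",
    "ws-005": "5.2.70.1043",
    "ws-006": "unknown",
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def classify(version: str) -> str:
    """Return 'not-impacted', 'resolved', 'impacted' or 'unparseable'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        # Needs a manual check with the Detection Guide from Step 2.
        return "unparseable"
    major, minor = int(m.group(1)), int(m.group(2))
    build = m.group(4)
    # Advisory: versions before 6 or after 11.6 are not impacted.
    # Assumption: every release from 6.0 through 11.6 is treated as in range.
    if major < 6 or (major, minor) > (11, 6):
        return "not-impacted"
    # Advisory: resolved builds are four digits starting with "3" (X.X.XX.3XXX).
    if len(build) == 4 and build.startswith("3"):
        return "resolved"
    return "impacted"


def triage(inventory: dict) -> dict:
    """Group hostnames by classification so impacted hosts can be handled first."""
    groups = {}
    for host, version in sorted(inventory.items()):
        groups.setdefault(classify(version), []).append(host)
    return groups


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as "impacted" go to Step 3 or Step 4; hosts reported as "unparseable" should be checked by hand.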

 

If you have any further questions, contact security@ubc.ca

 

More information