UPDATE 5/18/2017

The University Information Security Office (UISO) has asked University Information Technology Services (UITS) Networks to block AMT ports at the network border. See the Local observations section, below, for a list of those ports and how to request a host to be whitelisted.

UPDATE 5/11/2017

The University Information Security Office (UISO) emphasizes this excerpt from one of our sources: "The Intel Management Engine (ME) is a separate processor in the chipset on the motherboard. It runs a TCP/IP stack and web server distinct from the operating system on the computer. The Management Engine can be active even when the server is powered off and while an operating system is running on the server. It can piggyback on the same network interfaces used by the host operating systems, or it can be used from a dedicated interface on the motherboard." Powering off an affected system does not protect you from the vulnerability as Intel AMT can utilize wired and wireless network connections to wake the system. UISO recommends using the Intel Unprovisioning tool which will perform the necessary steps to unprovision AMT, which is the first step in mitigating the vulnerability described in the Intel-SA-00075 security advisory. After running the tool, you will need to follow the additional steps in the Intel-SA-00075 Mitigation Guide to complete the mitigation. Until firmware updates are released and installed, taking the additional step of having a network-based firewall that blocks all connections to TCP ports 16992, 16993, 16994, and 16995 for mission critical hosts is recommended. If the mitigation guide cannot be followed or the systems cannot be placed behind a network firewall blocking the ports previously mentioned, then the system should be powered off with all power sources removed (power cord, battery, UPS, etc) and all wired network connections removed. Please note that Intel AMT may be present in business class tablets, laptops and desktops. Operating system based firewalls will not provide protection against this vulnerability.

Background

On May 1, 2017, a critical vulnerability in the Intel Active Management Technology (AMT) was published. The vulnerability affects a large number of firmware for Intel AMT, Intel Standard Manageability and Intel Small Business Technologies. 

Impact

Systems with affected versions of the Intel manageability firmware could allow an attacker to have the same control as administrators with local access. An attacker could use the vulnerability to change the code that boots up computers, load and execute programs, remotely power on computers that were off, and access the mouse, keyboard and monitor. Further, unauthorized access is not usually logged by the affected system because AMT has direct access to the system's network hardware. When AMT is enabled, all network packets go through the Intel Management Engine and then to the AMT. This means that network packets can bypass the operating system. Additionally, local firewall rules will not help because they are located within the operating system. Please see UISO Recommendations below for further steps that must be taken. 

Platforms affected

• Intel Active Management Technology, Intel Small Business Technology and Intel Standard Manageability
  • Systems with Intel manageability firmware versions 6.x
  • Systems with Intel manageability firmware versions 7.x
  • Systems with Intel manageability firmware versions 8.x
  • Systems with Intel manageability firmware versions 9.x
  • Systems with Intel manageability firmware versions 10.x
  • Systems with Intel manageability firmware versions 11.0
  • Systems with Intel manageability firmware versions 11.5
  • Systems with Intel manageability firmware versions 11.6

NOTE: Systems with versions before 6 or after 11.6 are not impacted 

Local observations

Using network scanning tools, the University Information Security Office (UISO) has scanned IU networks for this vulnerability and has identified several potentially vulnerable systems. We have asked University Information Technology Services (UITS) Networks to block the following AMT ports at the network border:

• TCP 623
• TCP 664
• TCP SYN 16992
• TCP SYN 16993
• TCP SYN 16994
• TCP SYN 16995

To request a host whitelisted from the filter, contact the University Information Security Office (it-incident@iu.edu) with the host IP address, host owner, and details regarding the exception request.

UISO recommendations

• UISO recommends that ALL system owners use this site to determine whether their systems are affected and to take steps to protect them.
• UISO additionally recommends to perform the unprovisioning and mitigation process outlined in the Intel SA-00075 Mitigation Guide.

Further reading

• Intel AMT Vulnerability CVE-2017-5689 in Firmware
• Intel Product Security Center INTEL-SA-00075
• Intel SA-00075 Detection Guide
• Intel SA-00075 Mitigation Guide
• Intel SA-00075 Unprovisioning Tool
• Important Security Information about Intel Manageability Firmware | Intel Newsroom
• US-CERT Intel Firmware Vulnerability
• The hijacking flaw that lurked in Intel chips is worse than anyone thought