Many of you have already expressed your displeasure with Intel's Active Management Technology (AMT) and Management Engine (ME) for various reasons, and now it has been disclosed that for years this business-oriented feature has carried a vulnerability that can open Intel systems up to attackers.
Intel Active Management Technology (AMT), Intel Small Business Technology (SBT), and Intel Standard Manageability (ISM) are subject to a privilege-escalation flaw that lets an unprivileged attacker gain control of the management features of these products: over the network against provisioned AMT and ISM systems, or locally on a system with any of the three. The issue was made public today via INTEL-SA-00075.
For those with AMT enabled on their systems, it affects Intel manageability firmware versions 6.x through 11.6, which reaches back to the Nehalem generation of 2008; the vulnerability thus covers Nehalem through Kaby Lake CPUs.
More details are available in Intel's security statement. Intel has begun offering updated firmware to system manufacturers to address the issue and has also published a mitigation guide.
"Closed source custom Java ME and ThreadX blob probably maintained by interns, running all the time with unfettered access to every resource in the system even when the machine is turned off, integrated into almost every enterprise computer network in the world. What could possibly go wrong."
Step 1: Unprovisioning clients
When configured, Intel AMT and ISM automatically listen for management traffic on your computer network. Systems that are vulnerable to the known privilege escalation issue should be unprovisioned, using the tools that were used to initially configure them, to prevent unauthorized access to manageability features.
As an example, the Intel® AMT Configuration Utility (ACUConfig) from the Intel® Setup and Configuration Software (Intel® SCS) download can be used from a command line to unconfigure systems.
Example unconfigure commands (note these will need to be executed with OS administrative rights):
Unconfiguring a system in CCM:
Unconfiguring a system in ACM without RCS integration:
ACUConfig.exe UnConfigure /AdminPassword
Unconfiguring a system with RCS integration:
ACUConfig.exe UnConfigure /RCSaddress <RCSaddress> /Full
See section 6.14, Unconfiguring Intel AMT systems, of the Intel SCS user guide for additional details. A copy of the guide can be downloaded from Intel.
What is LMS
Intel Management and Security Application Local Management Service (LMS) is a service that enables local applications running on Intel AMT, Intel SBA or Intel Standard Manageability supported devices to use common SOAP and WS-Management functionality. It listens on the Intel Manageability Engine (ME) ports (16992, 16993, 16994, 16995, 623, and 664) and routes the traffic to the firmware through the Intel MEI driver.
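To find out which machines on a network actually answer on the ME ports listed above, and to read the firmware version the AMT web server announces, the following added example (written for this article, not code from Intel's mitigation guide or from Intel SCS) probes each port and grades the announced version against the advisory's resolved-firmware table. Assumptions: the Server header format is the one AMT's built-in web server uses, the fixed-build table is transcribed from INTEL-SA-00075 and should be re-checked against the current advisory, and the sample HTTP response is constructed rather than captured from a device. An open port shows that manageability is provisioned and reachable; it does not by itself prove the host is exploitable, and a host that answers nothing may simply be filtered.

```python
"""Probe hosts for Intel AMT/ISM management listeners and grade the firmware
version the AMT web server announces against INTEL-SA-00075.

Added example: not code from the original article or from Intel's mitigation
guide. Assumptions are marked in comments."""
import re
import socket
import sys
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Ports the ME/AMT stack listens on, as listed in Intel's mitigation guide.
AMT_PORTS = (16992, 16993, 16994, 16995, 623, 664)
AMT_HTTP_PORT = 16992  # plain-HTTP web UI / SOAP port; 16993 is the TLS variant

# Lowest firmware build per branch that resolves INTEL-SA-00075, transcribed from
# the advisory's "Resolved Firmware" table. Assumption: this transcription is
# current; re-check it against the advisory before acting on a result.
FIXED_BUILDS = {
    (6,): (6, 2, 61, 3535), (7,): (7, 1, 91, 3272), (8,): (8, 1, 71, 3608),
    (9, 0): (9, 1, 41, 3024), (9, 1): (9, 1, 41, 3024), (9, 5): (9, 5, 61, 3012),
    (10, 0): (10, 0, 55, 3000), (11, 0): (11, 0, 25, 3001),
    (11, 5): (11, 5, 26, 3000), (11, 6): (11, 6, 27, 3264),
}

# AMT's web server names itself and its firmware version in the Server header,
# e.g. "Server: Intel(R) Active Management Technology 8.1.40.1416".
SERVER_RE = re.compile(r"Intel\(R\) Active Management Technology (\d+(?:\.\d+)+)", re.I)


def parse_amt_version(http_response: bytes) -> Optional[Version]:
    """Return the firmware version tuple from an AMT HTTP response, or None."""
    m = SERVER_RE.search(http_response.decode("latin-1", "replace"))
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_in_scope(version: Version) -> bool:
    """True for the firmware families the advisory lists: 6.x through 11.6."""
    major = version[0]
    minor = version[1] if len(version) > 1 else 0
    return 6 <= major <= 11 and not (major == 11 and minor > 6)


def fixed_build_for(version: Version) -> Optional[Version]:
    """Resolved build for this firmware branch, or None if the branch is not tabulated."""
    major = version[0]
    minor = version[1] if len(version) > 1 else 0
    if major in (6, 7, 8):  # the whole major line shares one fixed build
        return FIXED_BUILDS[(major,)]
    return FIXED_BUILDS.get((major, minor))


def classify(version: Version) -> str:
    """Grade a firmware version: 'patched', 'vulnerable', 'check advisory' or 'not affected'."""
    if not is_in_scope(version):
        return "not affected"
    fixed = fixed_build_for(version)
    if fixed is None:
        return "check advisory"  # in the affected family, but branch not in the table
    return "patched" if version >= fixed else "vulnerable"


def probe_amt(host: str, timeout: float = 2.0) -> dict:
    """Connect to each AMT port; on the HTTP port, request '/' and read the Server header."""
    result = {"host": host, "open_ports": [], "version": None, "status": None}
    for port in AMT_PORTS:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                result["open_ports"].append(port)
                if port == AMT_HTTP_PORT:
                    s.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
                    data = b""
                    while len(data) < 4096:  # headers only; the body is not needed
                        chunk = s.recv(1024)
                        if not chunk:
                            break
                        data += chunk
                    result["version"] = parse_amt_version(data)
        except OSError:
            continue  # closed, filtered, unreachable, or timed out
    if result["version"] is not None:
        result["status"] = classify(result["version"])
    return result


# Constructed sample of what a provisioned AMT 8 system answers on port 16992
# (not captured from a real device); used to exercise the parser offline.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 303 See Other\r\n"
    b"Server: Intel(R) Active Management Technology 8.1.40.1416\r\n"
    b"Location: /logon.htm\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        v = parse_amt_version(SAMPLE_RESPONSE)
        print("sample:", ".".join(map(str, v)), classify(v))
    for target in sys.argv[1:]:
        r = probe_amt(target)
        print(r["host"], "open:", r["open_ports"], "fw:", r["version"], r["status"])
```

Run it with one or more hostnames or addresses as arguments; with none it only grades the constructed sample. After step 1 (unprovisioning) a host should stop answering on all six ports from the network. Probing 127.0.0.1 from the host itself exercises the LMS listener rather than the firmware, so that view only changes once LMS is disabled or removed.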
Process to disable LMS
Note: The following commands use the Windows built-in command line program SC to communicate with the Service Control Manager and services. Disabling or removing LMS closes the local path from the host OS to the firmware; the ME firmware itself keeps answering management traffic from the network until the system is unprovisioned as in step 1.
An Active Directory Group Policy Object (GPO) can also be leveraged to disable LMS at scale. Run the following command from a command prompt with administrative rights:
sc config LMS start=disabled
Process to remove LMS
Run the following command from a command prompt with administrative rights:
sc delete LMS
Note: This command removes LMS from the list of Windows services. To fully remove LMS from the system, you also need to delete the executable. If you are not sure of its path, you can find it with the following command from a command prompt:
sc qc LMS