Intel recently announced a critical vulnerability that affects its remote management features built into business-class Intel chipsets. If exploited, this bug could allow a remote attacker to take control of an affected machine by using Intel AMT features.
What is Intel AMT?
AMT stands for Active Management Technology. It is a compilation of management features that comes pre-installed on supported Intel processors. It is designed to enhance the abilities of IT administrators, allowing them to perform several management and repair functions on computers, even when they are turned off.
How can an attacker exploit this bug?
An attacker would need to gain access to the Intel AMT Web Interface. If there is a direct link through a firewall, the attacker has a clear path. Otherwise, an attacker could attempt to comprise another system or establish another “tunnel” to the vulnerable system. The Intel AMT web interface is normally password protected, but this vulnerability allows an attacker to send a “null” (“nothing” or “blank”) response to the AMT system during the authentication process. Additionally, the computer does not even need to be powered on to exploit the vulnerability.
How serious is this bug?
The rating of this bug is critical, which represents the highest possible severity level. If exploited, it could potentially allow an attacker to gain full control over a computer without any interaction from the computer’s user.
What should I do?
If your computer is supported by Machado Consulting, then no further action is required. We have already taken actions to mitigate this risk to your system.
If you have a computer that is not supported by Machado Consulting, then it is highly recommended that you follow these steps:
What is Intel AMT?
AMT stands for Active Management Technology. It is a compilation of management features that comes pre-installed on supported Intel processors. It is designed to enhance the abilities of IT administrators, allowing them to perform several management and repair functions on computers, even when they are turned off.
How can an attacker exploit this bug?
An attacker would need to gain access to the Intel AMT Web Interface. If there is a direct link through a firewall, the attacker has a clear path. Otherwise, an attacker could attempt to comprise another system or establish another “tunnel” to the vulnerable system. The Intel AMT web interface is normally password protected, but this vulnerability allows an attacker to send a “null” (“nothing” or “blank”) response to the AMT system during the authentication process. Additionally, the computer does not even need to be powered on to exploit the vulnerability.
How serious is this bug?
The rating of this bug is critical, which represents the highest possible severity level. If exploited, it could potentially allow an attacker to gain full control over a computer without any interaction from the computer’s user.
What should I do?
If your computer is supported by Machado Consulting, then no further action is required. We have already taken actions to mitigate this risk to your system.
If you have a computer that is not supported by Machado Consulting, then it is highly recommended that you follow these steps:
- Determine if you have an Intel AMT capable computer. The easiest method is to look for an Intel sticker on your computer – it will have “vPro” printed in the corner if it is an affected system. Additional methods can be found below. If the system does not support Intel AMT, then the remaining steps are not needed.
- Download the “Discovery Tool” from Intel, which can be found by clicking the following link: https://downloadcenter.intel.com/downloads/eula/26755/INTEL-SA-00075-Detection-Guide?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F26755%2Feng%2FdiscoveryToolInstaller_1.0.1.39.msi. At the bottom of the page, you will need to click “I accept the terms in the license agreement” in order to download it.
- Click the downloaded file to run it. Continue clicking the “Next” button, then the “Install” button, and then “Finish” to complete installation
- Click the start button and start typing “Intel-SA-0075 Discovery Tool.” The program should be displayed in the start menu. Click on it to run it.
- The program will provide a risk assessment after running. In the first sentence, it will let you know whether the system is “not vulnerable.” If the system is determined to be “vulnerable” or “unknown,” proceed with the remaining steps.
- You may check with your manufacturer for updated firmware that resolves this bug. After installing the applicable updated firmware, the issue should be resolved. However, many systems have yet to receive the update from the manufacturer. If this is the case or you are unsure, proceed with the remaining steps. The remaining steps help mitigate the risk either way.
- Download the Intel Unprovisioning Tool by clicking the following link: https://downloadcenter.intel.com/downloads/eula/26781/Intel-SA-00075-Unprovisioning-Tool?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F26781%2Feng%2FINTEL-SA-00075_UnprovisioningTool_1.0.0.0025.zip. As before, you will need to click “I accept the terms in the license agreement”
- Click the downloaded file to open it. It should open in your default “zip” utility, such as 7-zip or WinZip. In the resulting window, double-click on “unprovisionToolInstaller.msi” to run the unprovision installer. As before, continue clicking “Next,” then “Install,” and then “Finish” to complete the installation.
- After clicking “Finish,” the unprovision tool should run automatically. You will be presented with a black “command prompt” window and another window as the tool runs – this new window will show “done” when complete.
- As an additional precaution, you may also disable the LMS service. Click the start button, type “services” and press the Enter key. Look for a service called “Intel(R) Management and Security Application Local Management Service.” Right-click on this service and click “Properties.” Click the drop-down next to “Startup type” and select “Disabled.” Click OK to close the window. Reboot the computer to apply the change.
Where can I find more information?
The best source for all information and links can be found here: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
Additional information about this bug, including screenshots of the mitigation steps, can be found here: http://www.pcworld.com/article/3195246/security/how-to-check-for-the-intel-active-management-exploit-that-lets-hackers-take-over-your-pc.html
Please call our support team at (508) 453-4700, or contact us if you would like to learn more.
