{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2017-010.pdf"
    },
    "title": "UPDATE Critical Privileges Escalation Vulnerability in Intel AMT Service",
    "serial_number": "2017-010",
    "publish_date": "02-05-2017 14:58:00",
    "description": "On 1st of May 2017, Intel reported that there is \"an escalation of privilege vulnerability in Intel\u00ae Active Management Technology (AMT), Intel\u00ae Standard Manageability (ISM), and Intel\u00ae Small Business Technology that can allow an unprivileged attacker to gain control of the manageability features provided by these products\". Once exploited, it allows for DMA access to the system, which means that the attacker can arbitrarily read and write to memory on the system.",
    "url_title": "2017-010",
    "content_markdown": "---\ntitle: 'Critical Privileges Escalation Vulnerability in Intel AMT Service'\nversion: '1.1'\nnumber: '2017-010'\ndate: 'May 4, 2017'\n---\n\n_History:_\n\n* _02/05/2017 --- v1.0: Initial publication_\n* _04/05/2017 --- v1.1: Title and wording corrected based on comments from Intel_\n\n# Summary\n\nOn 1st of May 2017, Intel reported that there is _an escalation of privilege vulnerability in Intel\u00ae Active Management Technology (AMT), Intel\u00ae Standard Manageability (ISM), and Intel\u00ae Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products_ [1].\n\nEssentially, any PC with vPro and AMT features enabled is at risk, although Intel states in their advisory that _Intel-based consumer PCs_ are not affected.\n\n# Technical Details\n\nThe vulnerability has been assigned CVE-2017-5689 [2].\n\nAccording to some researchers [3], the problem is so important because it affects the AMT service. This service is reachable through the network and has DMA access (direct memory access bypassing the processor) to the system, which means that after exploiting the vulnerability, the attacker can arbitrarily read and write to memory on the system.\n\nThe vulnerable AMT service is part of Intel's vPro suite of processor features. If vPro is present and enabled on a system and AMT is provisioned, unauthenticated users of the local network can access the computer's AMT controls and hijack them, with the consequences explained above. If AMT is not provisioned, a logged-in user can still potentially exploit the bug to gain admin-level powers. If vPro or AMT is not present at all, the machine is not vulnerable [4].\n\nAccording to Intel, there are two ways this vulnerability may be exploited (note that Intel\u00ae Small Business Technology is not vulnerable to the first issue) [1]:\n\n1. An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel\u00ae Active Management Technology (AMT) and Intel\u00ae Standard Manageability (ISM).\n\n\t`CVSSv3 9.8 Critical /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`\n\n2. An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel\u00ae Active Management Technology (AMT), Intel\u00ae Standard Manageability (ISM), and Intel\u00ae Small Business Technology (SBT).\n\n\t`CVSSv3 8.4 High /AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`\n\n# Products Affected\n\n**Impacted:** Products with Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel\u00ae Active Management Technology, Intel\u00ae Small Business Technology, and Intel\u00ae Standard Manageability.  \n\n**Not impacted:** Products with firmware versions before 6 or after 11.6 are not impacted.\n\nEssentially, **every Intel platform with AMT, ISM, and SBT** from **Nehalem** in **2008** to **Kaby Lake** in **2017** has a remotely exploitable security hole [3].\n\n# Recommendations\n\nFollow the detection and mitigation procedure described in the _Recommendations_ section of the original Intel advisory [1]. As indicated, a patch to the firmware is needed to fix the problem. If applying a patch is not an option, there is a mitigation guide published by Intel [5].\n\n# References\n\n[1] Intel security center <https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr>\n\n[2] CVE <https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5689>\n\n[3] SemiAccurate article <https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/>\n\n[4] The Register article <https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/>\n\n[5] Intel mitigation guide <https://downloadmirror.intel.com/26754/eng/INTEL-SA-00075%20Mitigation%20Guide-Rev%201.1.pdf>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>02/05/2017 --- v1.0: Initial publication</em></li><li><em>04/05/2017 --- v1.1: Title and wording corrected based on comments from Intel</em></li></ul><h2 id=\"summary\">Summary</h2><p>On 1st of May 2017, Intel reported that there is <em>an escalation of privilege vulnerability in Intel\u00ae Active Management Technology (AMT), Intel\u00ae Standard Manageability (ISM), and Intel\u00ae Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products</em> [1].</p><p>Essentially, any PC with vPro and AMT features enabled is at risk, although Intel states in their advisory that <em>Intel-based consumer PCs</em> are not affected.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability has been assigned CVE-2017-5689 [2].</p><p>According to some researchers [3], the problem is so important because it affects the AMT service. This service is reachable through the network and has DMA access (direct memory access bypassing the processor) to the system, which means that after exploiting the vulnerability, the attacker can arbitrarily read and write to memory on the system.</p><p>The vulnerable AMT service is part of Intel's vPro suite of processor features. If vPro is present and enabled on a system and AMT is provisioned, unauthenticated users of the local network can access the computer's AMT controls and hijack them, with the consequences explained above. If AMT is not provisioned, a logged-in user can still potentially exploit the bug to gain admin-level powers. If vPro or AMT is not present at all, the machine is not vulnerable [4].</p><p>According to Intel, there are two ways this vulnerability may be exploited (note that Intel\u00ae Small Business Technology is not vulnerable to the first issue) [1]:</p><ol><li><p>An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel\u00ae Active Management Technology (AMT) and Intel\u00ae Standard Manageability (ISM).</p><p><code>CVSSv3 9.8 Critical /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</code></p></li><li><p>An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel\u00ae Active Management Technology (AMT), Intel\u00ae Standard Manageability (ISM), and Intel\u00ae Small Business Technology (SBT).</p><p><code>CVSSv3 8.4 High /AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</code></p></li></ol><h2 id=\"products-affected\">Products Affected</h2><p><strong>Impacted:</strong> Products with Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel\u00ae Active Management Technology, Intel\u00ae Small Business Technology, and Intel\u00ae Standard Manageability. </p><p><strong>Not impacted:</strong> Products with firmware versions before 6 or after 11.6 are not impacted.</p><p>Essentially, <strong>every Intel platform with AMT, ISM, and SBT</strong> from <strong>Nehalem</strong> in <strong>2008</strong> to <strong>Kaby Lake</strong> in <strong>2017</strong> has a remotely exploitable security hole [3].</p><h2 id=\"recommendations\">Recommendations</h2><p>Follow the detection and mitigation procedure described in the <em>Recommendations</em> section of the original Intel advisory [1]. As indicated, a patch to the firmware is needed to fix the problem. If applying a patch is not an option, there is a mitigation guide published by Intel [5].</p><h2 id=\"references\">References</h2><p>[1] Intel security center <a rel=\"noopener\" target=\"_blank\" href=\"https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr\">https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&amp;languageid=en-fr</a></p><p>[2] CVE <a rel=\"noopener\" target=\"_blank\" href=\"https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5689\">https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5689</a></p><p>[3] SemiAccurate article <a rel=\"noopener\" target=\"_blank\" href=\"https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/\">https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/</a></p><p>[4] The Register article <a rel=\"noopener\" target=\"_blank\" href=\"https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/\">https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/</a></p><p>[5] Intel mitigation guide <a rel=\"noopener\" target=\"_blank\" href=\"https://downloadmirror.intel.com/26754/eng/INTEL-SA-00075%20Mitigation%20Guide-Rev%201.1.pdf\">https://downloadmirror.intel.com/26754/eng/INTEL-SA-00075%20Mitigation%20Guide-Rev%201.1.pdf</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}