---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Critical Privileges Escalation Vulnerability in Intel AMT Service'
version: '1.1'
number: '2017-010'
date: 'May 4, 2017'
---

_History:_

* _02/05/2017 --- v1.0: Initial publication_
* _04/05/2017 --- v1.1: Title and wording corrected based on comments from Intel_

# Summary

On 1st of May 2017, Intel reported that there is _an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products_ [1].

Essentially, any PC with vPro and AMT features enabled is at risk, although Intel states in its advisory that _Intel-based consumer PCs_ are not affected.

# Technical Details

The vulnerability has been assigned CVE-2017-5689 [2]. According to some researchers [3], the problem is so important because it affects the AMT service. This service is reachable through the network and has DMA access (direct memory access, bypassing the processor) to the system. This means that, after exploiting the vulnerability, the attacker can arbitrarily read and write memory on the system.

The vulnerable AMT service is part of Intel's vPro suite of processor features. If vPro is present and enabled on a system and AMT is provisioned, unauthenticated users of the local network can access the computer's AMT controls and hijack them, with the consequences explained above. If AMT is not provisioned, a logged-in user can still potentially exploit the bug to gain admin-level powers. If vPro or AMT is not present at all, the machine is not vulnerable [4].

According to Intel, there are two ways this vulnerability may be exploited (note that Intel® Small Business Technology is not vulnerable to the first issue) [1]:

1. An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).

   `CVSSv3 9.8 Critical /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`

2. An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).

   `CVSSv3 8.4 High /AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`

# Products Affected

**Impacted:** Products with Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel® Active Management Technology, Intel® Small Business Technology, and Intel® Standard Manageability.

**Not impacted:** Products with firmware versions before 6 or after 11.6 are not impacted.

Essentially, **every Intel platform with AMT, ISM, and SBT** from **Nehalem** in **2008** to **Kaby Lake** in **2017** has a remotely exploitable security hole [3].

# Recommendations

Follow the detection and mitigation procedure described in the _Recommendations_ section of the original Intel advisory [1]. As indicated, a firmware patch is needed to fix the problem. If applying a patch is not an option, Intel has published a mitigation guide [5].

# References

[1] Intel security center

[2] CVE

[3] SemiAccurate article

[4] The Register article

[5] Intel mitigation guide