Intel SA-00075 Security Bulletin - Intel Active Management Technology (AMT), Intel Standard Manageability (ISM) and Intel Small Business Technology

Article ID: 675
Revision: 35
Posted: 10 May, 2017 by Paul Watkins
Updated: 25 Aug, 2017 by Andrew Sharrad

On May 1st 2017, Intel published a security advisory regarding a firmware vulnerability in certain systems that utilize Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM) or Intel® Small Business Technology (SBT). The vulnerability could enable a network attacker to remotely gain access to business PCs or devices that use these technologies.

Summary

There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs with consumer firmware, Intel servers utilizing Intel® Server Platform Services (Intel® SPS), or Intel® Xeon® Processor E3 and Intel® Xeon® Processor E5 workstations utilizing Intel® SPS firmware.

Description

There are two ways this vulnerability may be exploited; please note that Intel® Small Business Technology is only vulnerable to the second method:

  • An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).
  • An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).

Threat level

Severe.

  • A system with unpatched ME firmware, running the Intel Local Manageability Service, is affected, whether or not vPro is provisioned.
  • A system with unpatched ME firmware, with vPro provisioned, is affected, whether or not the Local Manageability Service is running.

Recommendations

Our customers' security is paramount; to that end, Stone are working with key vendors to provide firmware updates that close this vulnerability as quickly as possible. Those updates will be available to download from this article as soon as they are made available to us.

Intel has released a discovery tool which will analyse your systems for the vulnerability.

Actions:

1. Determine whether you have any Intel® AMT, Intel® SBA, or Intel® ISM capable systems. If you do not have an Intel® AMT, Intel® SBA, or Intel® ISM capable system, no further action is required.

2. Utilize the INTEL-SA-00075 Detection Guide to assess if your system has the impacted firmware.

3. Stone highly recommends updating affected systems' Management Engine (ME) firmware as soon as updates become available. Please review the Affected Products section of this article for ME firmware update availability.

  • Management Engine (ME) firmware versions that resolve the issue have a four-digit build number that starts with a "3" (X.X.XX.3XXX), for example 8.1.71.3608.
  • After the BIOS or ME patch update, to completely mitigate any risks, any previously configured AMT functionality should be de-provisioned and then re-configured. This prevents a compromised machine from retaining "hacked" logins.

4. If a firmware update is not yet available, mitigations are provided by the INTEL-SA-00075 Mitigation Guide. Unpatched systems should have the steps detailed in the mitigation guide applied to them until an ME firmware update becomes available:

  • De-provision AMT
  • Fully disable the Local Management / Manageability Service within the operating system
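As an added example (it is not Intel's discovery tool and not Stone's code), the version rules from steps 2 and 3 above can be applied to an inventory of ME firmware versions as reported per system. The host names, the unpatched 9.1.41.2017 build and the pre-6.x 5.2.40.1037 string are constructed for illustration; the fixed version strings are the ones this article lists.

```python
# Added example (not Intel's discovery tool, not Stone's code): classify Intel
# ME firmware version strings against the INTEL-SA-00075 ranges this article
# lists. The sample inventory at the bottom is constructed for illustration.
from __future__ import annotations

import re
from dataclasses import dataclass

# Affected families per the article: 6.x to 10.x, plus 11.0, 11.5 and 11.6.
AFFECTED_MAJORS = {6, 7, 8, 9, 10}
AFFECTED_11_MINORS = {0, 5, 6}

# ME versions are written major.minor.hotfix.build, e.g. 8.1.71.3608.
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


@dataclass(frozen=True)
class Verdict:
    version: str
    in_affected_family: bool  # family is one the advisory lists
    fixed_build: bool         # four-digit build number starting with "3"
    status: str


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Split 'X.Y.ZZ.BBBB' into integers; reject anything else (no guessing)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ME firmware version: {text!r}")
    major, minor, hotfix, build = (int(p) for p in m.groups())
    return major, minor, hotfix, build


def assess(text: str) -> Verdict:
    """Apply the article's two rules: affected family, and a 3xxx build is fixed."""
    major, minor, _hotfix, build = parse_version(text)
    if major == 11:
        in_family = minor in AFFECTED_11_MINORS
    else:
        in_family = major in AFFECTED_MAJORS
    # The article states that fixed builds are four digits beginning with "3".
    fixed = 3000 <= build <= 3999
    if not in_family:
        status = "not impacted"
    elif fixed:
        status = "fixed firmware"
    else:
        status = "vulnerable: update ME firmware or apply the mitigation guide"
    return Verdict(text.strip(), in_family, fixed, status)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group host names by status; unparsable strings are reported, not dropped."""
    groups: dict[str, list[str]] = {}
    for host, version in inventory.items():
        try:
            status = assess(version).status
        except ValueError:
            status = "unknown: version string not understood"
        groups.setdefault(status, []).append(host)
    return groups


# Constructed sample inventory (host name -> ME version as reported by the system).
SAMPLE_INVENTORY = {
    "pc-lite-01": "8.1.71.3608",    # fixed build quoted in the article
    "pc-lite-02": "9.1.41.2017",    # constructed unpatched 9.x build
    "pc-micro-01": "10.0.55.3000",  # boundary case: lowest 3xxx build number
    "pc-micro-02": "11.6.27.3264",  # fixed build quoted in the article
    "pc-old-01": "5.2.40.1037",     # constructed pre-6.x version, not impacted
    "pc-odd-01": "n/a",             # inventory gap, must not silently pass
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Strings with a wildcard field, such as the 8.1.x.3608 shown in the product table below, are deliberately rejected rather than guessed, so an inventory export has to carry the full four-part version before a host can be marked as fixed.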

Affected Products

The issue has been observed in Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel® Active Management Technology, Intel® Small Business Technology, and Intel® Standard Manageability. Versions before 6 or after 11.6 are not impacted.

Where possible, updated BIOSes or patches for Management Engine Firmware are shown below. This article will be updated as more BIOSes or patches become available.

Note 1: Management Engine patches require that a compatible, similar Management Engine version is already installed. For example, a system with a 2xxx Management Engine version will require the BIOS to be updated to one that includes the 3xxx Management Engine version before the patch is applied. The Asus patch update utility may offer to attempt this for you by requesting the latest motherboard BIOS .CAP file. Please note that the Asus patches require that the Intel Management Engine Components Driver is installed.
Note 2: Always check and test the update process, both in terms of resolving the issue, and also compatibility with your software images etc., before rolling this process out to your users on a wider scale.
Note 3: Windows patches, for example, for the Asus motherboards, that use the Intel Firmware Update Utility, may not run on Windows Server. In this instance, use the DOS patch.

StonePC Lite/Tower / All In One

Columns: product code (general BIOS update link) / motherboard model. The updated ME download shown for each platform group applies to every board listed under it.

Asus Ivybridge: Windows Patch 8.1.x.3608
  BOAMOT-458                Asus P8B75-M
  BOAMOT-461                Asus P8Q77-M

Asus Haswell: Windows Patch 9.1.41.3024 (updated 29/6/17 with improved update utility); DOS Patch 9.1.41.3024
  BOAMOT-463                Asus B85M-E
  BOAMOT-467                Asus CS-B
  BOAMOT-470                Asus Q87T
  BOAMOT-473 / BOAMOT-462   Asus Q87M-E

Asus Skylake / Kaby Lake: Windows Patch 11.6.27.3264; DOS Patch 11.6.27.3264
  BOAMOT-480                Asus B150M-A
  BOAMOT-482                Asus Q170M-C
  BOAMOT-484                Asus Q170T
  BOAMOT-485                Asus B150M-A/M.2
  BOAMOT-488                Asus B250M-A
  BOAMOT-489                Asus Q270M-C

Gigabyte C612 Xeon Workstation: BIOS R06 with patched Workstation / HEDT ME firmware
  ISRMOT-174                Gigabyte MW50-SV0

Legacy Desktop Products

Columns: stock code / motherboard model, grouped by the patched ME firmware that applies to each board.

Windows Patch 6.2.61.3635
  BOAMOT-370   DQ57TM

Windows Patch 7.1.91.3272
  BOAMOT-406   DQ67SW
  BOAMOT-412   DQ67OW
  BOAMOT-420   DQ67EP

Windows Patch 8.1.71.3708
  BOAMOT-436   DQ77MK
  BOAMOT-437   DB75EN
  BOAMOT-450   DQ77CP
  BOAMOT-451   DQ77KB

Further information regarding Intel's release schedule for their own branded desktop products can be found here.

StonePC Micro

Stock code     Kit model     Motherboard model   Patched ME firmware
INTNUC-10007   DC53427HYE    D53427RKE           Windows BIOS: 8.1.71.3608
INTNUC-10009   NUC5i5MYHE    NUC5i5MYBE          Windows BIOS: 10.0.55.3000

Stone Notebooks

Chassis part code         Notebook model   Patched ME firmware
NOTCHA-256 / NOTCHA-257   NT310            Not currently available, please follow mitigating actions.
NOTCHA-261 / NOTCHA-262   NT310            Not currently available, please follow mitigating actions.

Applies to:

  • Stone Desktop, Notebook and NUC products with Intel AMT (such as B or Q series chipsets).
