Do you have Intel AMT? Then you have a problem today! Intel Active Management Technology INTEL-SA-00075, (Tue, May 2nd)

There have been some reports to us about an issue with Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability [1]. It might be a good idea to review Intel’s security bulletin INTEL-SA-00075, which outlines a Privilege Escallation vulnerability.


The document also states very clearly that “This vulnerability does not exist on Intel-based consumer PCs.” [1].  However, the affected and resolved firmware table indicates which generation of the Core CPU architecture is affected.  This seems to be a bit of a contradiction to me.  I also find it very odd to see a security advisory on Intel AMT that does not mention vPro (the matching feature on the workstation) even once.  You’ll also see below that an unmanaged but vPro equiped Windows machine will likely show some of the markers for this issue.  If this issue could be leveraged to compromise unmanaged but vPro equiped desktops, laptops and other equipment, this could get very bad, very quickly.  If anyone has more concrete information on this possible avenue of investigation, please add to this thread using our comment form or contact us via email.


Anyway, the affected / resolved firmware version (from the Intel advisory) is here:



Intel advises that the system or system board manufacturers should be releasing these firmware versions to affected customers.


Intel has published a mitigation guide and it can be accessed online [2]. One item of note from the guide is checking to see if ports are listening with netstat. The IANA assigned ports are: 16992, 16993, 16994, 16995, 623, and 664.


    netstat -na | findstr “\<16993\> \<16992\> \<16994\> \<16995\> \<623\> \<664\>”


On my laptop:


C:\>netstat -na | findstr “\<16993\> \<16992\> \<16994\> \<16995\> \<623\> \<664\>”

  TCP    0.0.0.0:623            0.0.0.0:0              LISTENING

  TCP    0.0.0.0:16992          0.0.0.0:0              LISTENING

  TCP    [::]:623               [::]:0                 LISTENING

  TCP    [::]:16992             [::]:0                 LISTENING


Intel’s mitigation guide [2] posts a detailed document on removing the supporting code in Windows by disabling or removing the affected service, either from the command line or in Group Policy.  What it boils down to is you want to stop and disable the LMS Service (Local Management Service), then delete LMS.exe.  On my (not managed by AMT)  laptop, this shows up in the services list as “Intel(R) Management and Security Application Local Management Service“.  LMS.EXE is located in  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS.


Another good resource to review is the Intel SCS System Discovery tool [3]. The tool site also notes registry locations for discovery.


    HKLM\SOFTWARE\Intel\Setup and Configuration Software\SystemDiscovery (32-bit and 64-bit operating systems)

    HKLM\SOFTWARE\Wow6432Node\Intel\Setup and Configuration Software\SystemDiscovery (64-bit operating systems)


You can sleuth for these using powershell just as easily, or even a batch file and the “reg query” command (comes up with nothing on my laptop):


C:\>reg query “HKLM\SOFTWARE\Intel\Setup and Configuration Software\SystemDiscovery”

ERROR: The system was unable to find the specified registry key or value.


C:\>reg query “HKLM\SOFTWARE\Wow6432Node\Intel\Setup and Configuration Software\SystemDiscovery”

ERROR: The system was unable to find the specified registry key or value.


Or, in PowerShell:



Another possible method of discovery would be over the network, using nmap. Try:


nmap -iL <yourTestList.txt> -p 16992-16995,623,664 -oG <outputFileScanTest.txt>


Preference for Grepable format here, see man pages for output types.


If you need to generate IP lists try this handy script (total shout out to Violent Python!) [5]



#!/usr/bin/env python

# Get our List

# The Variable has to be encapsulated in ” ” or this poorly written script will error out.

targets = input(‘Enter 3 Octet IPv4 Target List \(e.g., \”10.10.10.\”\) Please encapsulate in \” \”: ‘)

# Open the list File

scanTargets = open(‘scanTargets.txt’,’w’)

# Write our list to the file

for x in range(1,255):

            targets.write(str(targets)+ “%s\n” % x)



We are tracking this one, if you have anything to share please send it in and we will update this diary, or use our comment form


References:

[1] https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

[2] https://downloadmirror.intel.com/26754/eng/INTEL-SA-00075%20Mitigation%20Guide-Rev%201.1.pdf

[3] https://communities.intel.com/docs/DOC-5765

[4] https://msdn.microsoft.com/en-us/powershell/scripting/getting-started/cookbooks/working-with-registry-entries

[5] http://a.co/7TcmYUN


=================

Richard Porter

Rob VandenBrink

Source: SANS Internet Storm Center, InfoCON: green @ May 1, 2017 at 10:00PM

0
Share