CVE-2017-5689 - Intel AMT/ME privilege escalation.


Environment

  • Intel system with AMT (Active Management Technology)
  • Intel AMT enabled and configured

Issue

Intel chipsets include a "Management Engine" (ME), which is a small microprocessor that runs independently of the system CPU and operating system. A flaw was found in the Intel AMT (Active Management Technology) running on the ME; the flaw allows remote attackers to "escalate privileges" and evade OS-level detection.

This flaw is not created, influenced, mitigated, or fixed by software shipped by Red Hat.

Resolution

Intel announced CVE-2017-5689 in their most recent public security advisory. To prevent this flaw, you can either update your system ME firmware or disable AMT altogether:

  • For an ME firmware update that includes a fix of the AMT code for this flaw, please contact your hardware vendor.
  • It is possible to disable Intel AMT in most system BIOS or UEFI firmware settings. Intel has provided mitigation instructions which should be followed if firmware updates are not immediately available.

The operating system is unaware of and cannot control the Intel AMT/ME. For this reason, as a software provider, Red Hat cannot provide a fix for a firmware flaw. Additionally, attempting to configure a firewall for specific ports will be ineffective because Intel AMT can intercept network packets destined for the system, before the operating system is aware of them.

Root Cause

Available information regarding the exact nature of the flaw is currently limited. Intel provides the following from their public security advisory:

There are two ways this vulnerability may be accessed; please note that Intel® Small Business Technology is not vulnerable to the first issue.

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).

        CVSSv3 9.8 Critical /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).

        CVSSv3 8.4 High /AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v3 is a scoring system used to classify security flaws and their potential effect on a system. Each metric in the vector string is abbreviated to condense the information. For an explanation of each abbreviation, refer to the CVSS user guide.

Intel has indicated that an unauthorized user (PR:N) is allowed access to the AMT over both the local physical connection (AV:L) and across the network (AV:N). Systems with "Intel® Small Business Technology" are only vulnerable to the "local" attack vector.

For arbitrary code to be run on behalf of the attacker, Red Hat considers C:H, I:H, and A:H to be necessary. However, Intel might not apply their security metrics in the same way.

Because Red Hat rates flaws differently than Intel, "Critical" and "High" ratings do not translate to the Red Hat severity ratings. Please consider what impact this flaw might have to your specific environment.

Diagnostic Steps

If AMT is both enabled and configured in the ME, your system is vulnerable to this flaw. When the ME is enabled, its controller appears in the output of lspci with either MEI or HECI in the device description.

For example:

# lspci | egrep '(MEI|HECI)'
00:16.0 Communication controller: Intel Corporation 6 Series/C200 Series Chipset Family MEI Controller #1 (rev 04)

For information about AMT configuration, refer to your hardware vendor.

Additional information

  • Not all consumer hardware has AMT.
  • Not all hardware with AMT has it enabled.
  • Not all AMT firmware is affected (see Intel's firmware table for the affected releases).

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.