05-01-2017 04:49 PM
https://semiaccurate.com/2017/05/01/remote-securit
Affects almost all ThinkPads
05-01-2017 05:07 PM
I saw this as well. Actually it affects only CPUs that have Intel vPro. Has anyone tried contacting Lenovo to find out when they will have a fix? There is mitigation from Intel as well.
https://www.theregister.co.uk/2017/05/01/intel_amt
05-02-2017 12:42 AM
As I understand it, these features are technologies that allow a systems administrator to manage workstations remotely over a network, via ports 16992 or 16993, and are not found in consumer-grade CPUs -- only in enterprise solutions, and mostly in server chipsets.
None of these come enabled by default. A sysadmin must first enable the services on their local network.
Intel has a detection guide. Scroll down to the links: https://security-center.intel.com/advisory.aspx?in
Lenovo is aware. I'm sure more info will be posted soon.
Watch HERE for updates.
I am not employed by Lenovo or Microsoft. I am a volunteer.
SpywareHammer
05-02-2017 01:04 AM - edited 05-02-2017 01:09 AM
Bugbatter wrote: As I understand it, these features are technologies that allow a systems administrator to manage workstations remotely over a network, via ports 16992 or 16993, and are not found in consumer-grade CPUs -- only in enterprise solutions, and mostly in server chipsets.
Unfortunately not, it is much more serious. It affects all machines having Intel CPUs that support vPro technology, regardless of whether you use it in an "enterprise" environment or as an individual end user. The AMT security hole is enabled by default for everyone.
05-02-2017 05:40 AM - last edited on 05-02-2017 03:05 PM by sarbin
Any chance to expect a fix from Lenovo/Intel for this HUGE problem for older Lenovo products affected T4xx... ?
Moderator comment: Merged in. Subject edited.
05-02-2017 01:44 PM - last edited on 05-02-2017 03:06 PM by sarbin
Thanks for reaching out! Please see the advisory we posted this morning here: https://support.lenovo.com/us/en/product_security/
In the future, you can check our security home page for new and updated advisories here: https://pcsupport.lenovo.com/us/en/product_securit
05-03-2017 01:56 AM
Lenovo ThinkPad T410-T510 is not even listed, and the latest available firmware from Lenovo is unfortunately vulnerable:
Intel(R) MEInfo Version: 6.2.20.1022
Copyright(C) 2005 - 2011, Intel Corporation. All rights reserved.
Intel(R) Manageability and Security Application code versions:
BIOS Version: XXXXXXWW (X.XX )
MEBx Version: 6.1.0.6
Gbe Version: 4.16.0
VendorID: 8086
PCH Version: 400006
==> FW Version: 6.2.60.1066 <==
UNS Version: 6.2.60.1068
LMS Version: 6.2.60.1068
MEI Driver Version: 6.2.50.1050
Wireless Hardware Version: 1.1.76
Wireless Driver Version: 13.2.0.30
Quote from Lenovo release 6ir654ww; spelling mistake is copyright to Lenovo - Downgrading the Management Engine firmware to an older verion cannot be allowed. original doc is here: https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/6ir654ww.txt
05-03-2017 03:11 AM - edited 05-03-2017 03:18 AM
Can anybody tell whether the remote AMT security hole is disabled or not? Because it is not enough to disable it in BIOS. I used the ACUConfig tool:
ACUConfig /output console status
X220: Starting to retrieve machine status...
Error: Host-based configuration is not currently available because the Local Manageability Service (LMS.exe) is not running on the system.
Host information - X220
UUID - ...
Intel(R) AMT version - 7.1.20
The system is unconfigured.
The system TLS setup is using PKI.
Host-based configuration is not currently available because the Local Manageability Service (LMS.exe) is not running on the system.
AMT state - Pre-Provision(0)
ACUConfig /output console unconfigure
ACUConfig 11.1.0.75
X220: Starting to unconfigure AMT...
Error: Host-based configuration is not currently available because the Local Manageability Service (LMS.exe) is not running on the system.
***********
Exit with code 2 - Intel(R) AMT is already unconfigured on this system.
05-03-2017 03:48 AM
You don't have LMS running in the OS and SW can't communicate with IAMT; try to unprovision and delete all settings directly from the BIOS.
Or you can try to use Intel Manageability Commander and Intel System Defence to check what settings you have configured for AMT and delete it from there first.
If you try from any other computer/device in the same LAN/subnet as IAMT target and you can see the web page asking for login you are not safe:
http://IAMT_local_ip:16992/logon.htm
https://IAMT_local_ip:16993/logon.htm
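The reachability check described in the post above can be scripted for machines you manage. This is an added example, not part of the original thread or any Intel/Lenovo tool; the script name `amt_check.py` and the function names are made up for illustration, and only the two ports and the `/logon.htm` path come from the thread.

```python
"""Check whether the AMT web interface ports answer on a machine you manage."""
import socket
import sys

AMT_PORTS = (16992, 16993)  # HTTP and HTTPS ports named in the thread


def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'closed', 'open' or 'web-ui'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:              # refused, unreachable or timed out
        return "closed"
    with sock:
        try:
            # Plain HTTP request for the logon page mentioned in the post.
            request = f"GET /logon.htm HTTP/1.0\r\nHost: {host}\r\n\r\n"
            sock.sendall(request.encode("ascii"))
            reply = sock.recv(16)
        except OSError:          # reset or no answer: listening, not HTTP
            return "open"
    # The TLS port (16993) will not answer plain HTTP, so it reports 'open'.
    return "web-ui" if reply.startswith(b"HTTP/") else "open"


def amt_exposure(host, ports=AMT_PORTS, timeout=3.0):
    """Return (per-port results, True if any port accepted a connection)."""
    results = {port: probe(host, port, timeout) for port in ports}
    return results, any(state != "closed" for state in results.values())


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: amt_check.py <address of a machine you manage>")
    results, exposed = amt_exposure(sys.argv[1])
    for port, state in results.items():
        print(f"{sys.argv[1]}:{port} -> {state}")
    print("An AMT port answered: not safe, per the post above" if exposed
          else "No AMT port answered from this vantage point")
```

As the post says, run it from another computer on the same LAN/subnet as the target, not on the target itself.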
05-03-2017 05:00 AM
Luc_T410 wrote: If you try from any other computer/device in the same LAN/subnet as IAMT target and you can see the web page asking for login you are not safe:
Thanks! This is what I was looking for. Fortunately both connections have failed.