Luc_T410
Serial Port
Posts: 30
Registered: ‎01-07-2015
Location: PL
Views: 4,144
Message 21 of 43

Intel AMT - quick temporary fix until new BIOS release

My quick temporary fix regarding CVE-2017-5689 vulnerability until you can apply a new BIOS update:

 

Change the default admin name account to something random, do not create another admin account: 

[Images: AMT-ca1, AMT-ca2, AMT-ca3]

 

More details about this problem here.

 

UPDATE 07-05-2017.

This method is confirmed to be effective for protecting your computer from remote AMT login !

Renaming the default admin name account to something random will protect your computer with AMT active only from other hosts accessing your AMT computer by LAN or WAN.

It will NOT protect you from login/attack via local interface with LMS access !!!

It is best to use AMT with TLS so connection and traffic will be encrypted and admin name account can't be sniffed !

 

Remember you are still vulnerable from attack via local interface LMS access !!!

If you are looking for 100% protection then follow the Intel advisory and unprovision and disable AMT !

 INTEL-SA-00075

Only a BIOS update from LENOVO with new Intel AMT firmware will solve this problem forever !

 

outernational
SCSI Port
Posts: 45
Registered: ‎04-18-2016
Location: US
Views: 4,234
Message 22 of 43

Re: Remote security exploit in all 2008+ Intel platforms

There is a simpler way.

netstat -na | findstr "\<16993\> \<16992\> \<16994\> \<16995\> \<623\> \<664\>"


should return nothing. If it does return something, you can run the mitigation guide at https://mattermedia.com/blog/disabling-intel-amt/
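
The port check from the post above, as an added example (not code from the thread): a Python parser for saved `netstat -na` output that separates local listeners on the six ports from rows that only name one of those ports as a remote endpoint, which the `findstr` pattern also matches. The sample output is constructed, English-language state names are assumed, and the result reflects only the sockets the host OS reports.

```python
# Ports named in the post above.
AMT_PORTS = {623, 664, 16992, 16993, 16994, 16995}

# Constructed sample of Windows `netstat -na` output (not from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:16992          0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49664     203.0.113.5:443        ESTABLISHED
  TCP    192.168.1.20:50123     192.168.1.9:16993      ESTABLISHED
  TCP    [::]:623               [::]:0                 LISTENING
  UDP    0.0.0.0:664            *:*
  UDP    0.0.0.0:5353           *:*
"""


def _port(endpoint):
    """Return the port of 'addr:port' or '[v6]:port'; None for '*:*'."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def _rows(netstat_text):
    """Yield (proto, local, foreign, state) for each TCP/UDP row."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] in ("TCP", "UDP"):
            # UDP rows have no state column.
            state = fields[3] if len(fields) > 3 else ""
            yield fields[0], fields[1], fields[2], state


def amt_listeners(netstat_text):
    """Local sockets bound to one of the listed ports on this machine."""
    return [(proto, local)
            for proto, local, _foreign, state in _rows(netstat_text)
            # A bound UDP socket is treated as listening.
            if (proto == "UDP" or state == "LISTENING")
            and _port(local) in AMT_PORTS]


def remote_amt_connections(netstat_text):
    """Rows where only the remote end uses a listed port (not a local listener)."""
    return [(proto, foreign)
            for proto, local, foreign, _state in _rows(netstat_text)
            if _port(foreign) in AMT_PORTS and _port(local) not in AMT_PORTS]
```

An empty `amt_listeners` result corresponds to the "should return nothing" case in the post; a non-empty `remote_amt_connections` result points at another host's management port, not this one's.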

Centauri
SCSI Port
Posts: 111
Registered: ‎04-23-2016
Location: US
Views: 4,285
Message 23 of 43

Is the P70 affected by the hijacking flaw that lurked in Intel chips?

My following post that was originally posted on the Thinkpad P70 forum was just moved here. I'm still a bit confused and trying to figure out if my P70 is affected and how I can secure it. I'm wary about installing anything else from Intel to see if I am affected by this issue. Is there a BIOS setting I can turn off or anything else I can do to definitively know if my P70 is affected:

 

ORIGINAL POST:

 

I just read this article on Ars Technica that I find very concerning:

 

The hijacking flaw that lurked in Intel chips is worse than anyone thought | Ars Technica

"A remote hijacking flaw that lurked in Intel chips for seven years was more severe than many people imagined, because it allowed hackers to remotely gain administrative control over huge fleets of computers without entering a password. This is according to technical analyses published Friday."

 

And from what I can tell on the Lenovo Advisory below, Lenovo is listing the P70 as "affected." Does anyone know more about this and if only certain P70 configurations are affected or if they are all affected? I definitely don't want a hijacking backdoor in my P70 and I'm trying to figure out what is the best way to remove this threat from my computer.

 

Can this "feature" be disabled at the BIOS level? 

 

Lenovo Advisory: https://support.lenovo.com/us/en/product_security/LEN-14963

 

More info: https://arstechnica.com/security/2017/05/intel-patches-remote-code-execution-bug-that-lurked-in-cpus...

Centauri
SCSI Port
Posts: 111
Registered: ‎04-23-2016
Location: US
Views: 4,186
Message 24 of 43

Re: Remote security exploit in all 2008+ Intel platforms


@outernational wrote:

There is a simpler way.

netstat -na | findstr "\<16993\> \<16992\> \<16994\> \<16995\> \<623\> \<664\>"


should return nothing. If it does return something, you can run the mitigation guide at https://mattermedia.com/blog/disabling-intel-amt/


So I just issued the above command and pretty much just received the command prompt back. Does that mean that my Thinkpad P70 is unaffected by this flaw?

 

C:\WINDOWS\system32>netstat -na | findstr "\<16993\> \<16992\> \<16994\> \<16995\> \<623\> \<664\>"

 

C:\WINDOWS\system32>

Luc_T410
Serial Port
Posts: 30
Registered: ‎01-07-2015
Location: PL
Views: 4,134
Message 25 of 43

Re: Remote security exploit in all 2008+ Intel platforms

Can anybody explain to me why I am censored on this forum if I try to help ?

 

[Attached screenshots: Screenshot_2017-05-07_10-30-56.png, Screenshot_2017-05-07_10-31-43.png, Screenshot_2017-05-07_10-32-25.png]

 

I think you can't censor full internet...

Community SeniorMod
Community SeniorMod
Posts: 2,006
Registered: ‎05-01-2010
Location: US
Views: 4,108
Message 26 of 43

Re: Remote security exploit in all 2008+ Intel platforms


@Luc_T410 wrote:

Can anybody explain to me why I am censored on this forum if I try to help ?

 


Hi Luc_T410,

I don't see that you were censored. A post was merged from another forum so all discussion would be in this topic.  An entire post shouldn't disappear unless there is a violation of forum rules. I'm wondering if the community software removed your post when it merged the other one.

Try reposting that, and let's see if it stays.






Microsoft MVP Consumer Security 2006-2016 / Windows Insider MVP 2016-
I am not employed by Microsoft or Lenovo.


Luc_T410
Serial Port
Posts: 30
Registered: ‎01-07-2015
Location: PL
Views: 4,089
Message 27 of 43

Re: Remote security exploit in all 2008+ Intel platforms

My first post that was moved here can be found on page 1, no problem.
After that I only posted in this thread.
This solution was on page 3 as the first message that I posted yesterday, and today I updated it after I had confirmation that it is viable for remote access from all other hosts but not from the local host using LMS.
A short time after I updated it, my whole post disappeared... you can see it in the print screens I have.

No more comments from me here, as I made this solution available for everybody interested in other places:
https://forum.pfsense.org/index.php?topic=130046.msg716793#msg716793
...
https://communities.intel.com/thread/114172

Community SeniorMod
Community SeniorMod
Posts: 2,006
Registered: ‎05-01-2010
Location: US
Views: 4,044
Message 28 of 43

Re: Remote security exploit in all 2008+ Intel platforms

I found the problem. It should be fixed now. :)

Check your Message Inbox.

Thanks






Microsoft MVP Consumer Security 2006-2016 / Windows Insider MVP 2016-
I am not employed by Microsoft or Lenovo.


Luc_T410
Serial Port
Posts: 30
Registered: ‎01-07-2015
Location: PL
Views: 4,016
Message 29 of 43

Re: Remote security exploit in all 2008+ Intel platforms

Thank you.

outernational
SCSI Port
Posts: 45
Registered: ‎04-18-2016
Location: US
Views: 3,991
Message 30 of 43

Re: Remote security exploit in all 2008+ Intel platforms

AMT is turned off on your machine. Doesn't mean a bad guy couldn't turn it on somehow. Better to follow the steps on https://mattermedia.com/blog/disabling-intel-amt/
