There was a lot of chatter this week about the release of a vulnerability in the Intel Active Management Technology (AMT) management engine. The vulnerability is in the communications stack and could allow an attacker to gain remote access to AMT services such as keyboard, video and mouse (KVM), IDE redirection, Serial over LAN, and BIOS setup and editing. Not good. However, what is the real enterprise risk? That is the question we actually need to answer: does this increase our risk? Once the panic dies down and we give it some rational thought, the risk to the enterprise is really pretty low. Based on what has been announced publicly, we know that:
- It doesn’t impact consumer devices. The assumption here is that a consumer didn’t buy an enterprise desktop or laptop. That is possible, and it can happen in a number of different ways, but it still doesn’t happen very often. If your internal clients can purchase surplus company computers (and those computers are vulnerable), you’ll want to notify them. Otherwise your general client population doesn’t need to worry.
- It looks like it affects a series of chipsets from a very narrow date range (2010-2011). If all of your systems are newer than that (and the vast majority will be), then you have nothing to worry about.
- Typically, the AMT functionality doesn’t come turned on by default. Your PC supplier may enable it for you, but it doesn’t ship that way from the manufacturer. So, if you don’t use the functionality and never turned it on, don’t worry.
Once we take all of that into account, the risk to the enterprise is very low, and that completely ignores any internal network security controls you can use to detect and/or block attempts to communicate with the ports used by AMT (16992 and 16993).
If you do have impacted systems, you’ll need to wait for your hardware vendor to publish a fix and then patch your systems. Intel is not releasing the fix directly, as implementation is done by the vendor. Contact your hardware vendor and have them notify you when the fix is ready. In the meantime, hopefully you have internal monitoring on your network to watch for this kind of traffic at a minimum, and to block it ideally. Another option is to simply disable AMT altogether on those systems.
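As a worked illustration of the internal monitoring described above (an example added here, not code from the original post), the following Python flags TCP flows to the AMT ports 16992 and 16993 that come from any host other than the authorized management console, and counts how many AMT hosts each unexpected source touched. The flow-log format, the console address 10.0.0.5 and the sample records are constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Intel AMT listens on TCP 16992 (HTTP) and 16993 (HTTPS), the ports named in the post.
AMT_PORTS = {16992, 16993}
# Constructed assumption: the only host that legitimately reaches AMT on clients.
AUTHORIZED_CONSOLES = {"10.0.0.5"}

# Constructed, simplified flow-log format (not any real product's format):
# <timestamp> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port> action=<allow|deny>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) action=(?P<action>\w+)$"
)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one flow line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_amt_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """Return TCP flows to an AMT port whose source is not an authorized console."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "tcp":
            continue  # skip unparseable noise and non-TCP traffic
        if int(rec["dport"]) not in AMT_PORTS or rec["src"] in AUTHORIZED_CONSOLES:
            continue  # ordinary traffic, or expected console-to-client management
        alerts.append({k: rec[k] for k in ("ts", "src", "dst", "dport", "action")})
    return alerts

def targets_by_source(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Distinct AMT hosts touched per unexpected source; many hosts from one source suggests a sweep."""
    seen: Dict[str, set] = {}
    for a in alerts:
        seen.setdefault(a["src"], set()).add(a["dst"])
    return {src: len(dsts) for src, dsts in seen.items()}

# Constructed sample records: the authorized console, one unexpected host, one benign HTTPS flow.
SAMPLE_LOG = [
    "2017-05-02T10:00:01Z proto=tcp src=10.0.0.5:51000 dst=10.1.2.30:16992 action=allow",
    "2017-05-02T10:00:07Z proto=tcp src=10.1.9.77:40512 dst=10.1.2.30:16992 action=allow",
    "2017-05-02T10:00:09Z proto=tcp src=10.1.9.77:40513 dst=10.1.2.31:16993 action=deny",
    "2017-05-02T10:00:11Z proto=tcp src=10.1.9.80:40514 dst=10.1.2.32:443 action=allow",
    "not a flow record",
]
if __name__ == "__main__":
    for a in find_amt_alerts(SAMPLE_LOG):
        print(f"{a['ts']} unexpected AMT access {a['src']} -> {a['dst']}:{a['dport']} ({a['action']})")
```

A denied flow is still reported, since a blocked attempt to reach an AMT port is exactly the signal worth investigating.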
This is a good example of the immediacy of vulnerability news in our hyper-aware world. Before running to management, be sure to gather all the necessary facts so that you can present a comprehensive and accurate outline of the problem and realistic ways to mitigate the risks.