How To: Mitigating The New Intel Management Engine Vulnerability



Background


On November 20, 2017, Intel published INTEL-SA-00086, a security advisory detailing local and remote exploits in the Intel Management Engine.

The advisory covers three vulnerable modules of the Intel Management Engine (ME):

  • The Active Management (AMT) module
  • The Trusted Execution Engine (TXE) module
  • The Server Platform Services (SPS) module

The only module of the three that can be exploited remotely is the AMT module.

Interestingly, this same module was the subject of a May 1, 2017 advisory for INTEL-SA-00075 as well.

In order for AMT to be exploited, the module must be enabled and provisioned. AMT is enabled by default in chips that contain it, but it is not automatically provisioned (unless done by an OEM, so don’t assume you’re safe).



Quick Detection and Mitigation


To detect any vulnerable systems, you can use the Python scanner script provided by Cerberus Security for the May vulnerability, as it’ll alert you to any accessible AMT modules.

To quickly mitigate the issue until you can patch, block the following ports on the perimeter, borders, and endpoints:

16992/TCP
16993/TCP
16994/TCP
16995/TCP
623/TCP
624/TCP
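As an added example (not part of the original post or of the Cerberus or Intel tools), the following Python flags hosts whose AMT/ASF ports are being reached from outside a management subnet, using the port list above, and emits the matching iptables rules for the interim block. The key=value log shape, the 10.10.0.0/24 management network and the sample lines are constructed assumptions; adapt the regex to your firewall's real export format.

```python
import ipaddress
import re
from collections import defaultdict

# Ports named in the post for the interim block (AMT 16992-16995, ASF 623/624), TCP only.
AMT_PORTS = {16992, 16993, 16994, 16995, 623, 624}

# Hypothetical: subnets from which management traffic to AMT is legitimately expected.
ALLOWED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed key=value firewall log shape; real exports will differ.
LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)")

def parse_line(line):
    """Return (src, dst, proto, dport) or None when the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"].upper(), int(m["dport"])

def is_allowed_source(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ALLOWED_MGMT_NETS)

def find_amt_exposure(lines):
    """Map each destination host to the AMT/ASF ports reached from outside the management nets."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if proto == "TCP" and dport in AMT_PORTS and not is_allowed_source(src):
            hits[dst].add(dport)
    return dict(hits)

def iptables_block_rules(chain="INPUT"):
    """iptables rules implementing the post's interim port block, one per port."""
    return [f"iptables -A {chain} -p tcp --dport {p} -j DROP" for p in sorted(AMT_PORTS)]

# Constructed sample lines: one allowed management source, one outside source on two AMT ports,
# one unrelated HTTPS hit, and one UDP 623 hit that the TCP-only rule ignores.
SAMPLE_LOGS = [
    "2017-11-21T10:00:01Z src=10.10.0.5 dst=192.0.2.20 proto=TCP dport=16992 action=ACCEPT",
    "2017-11-21T10:00:02Z src=198.51.100.7 dst=192.0.2.20 proto=TCP dport=16992 action=ACCEPT",
    "2017-11-21T10:00:03Z src=198.51.100.7 dst=192.0.2.20 proto=TCP dport=623 action=ACCEPT",
    "2017-11-21T10:00:04Z src=198.51.100.9 dst=192.0.2.21 proto=TCP dport=443 action=ACCEPT",
    "2017-11-21T10:00:05Z src=198.51.100.9 dst=192.0.2.22 proto=UDP dport=623 action=ACCEPT",
]

if __name__ == "__main__":
    for host, ports in find_amt_exposure(SAMPLE_LOGS).items():
        print(f"{host}: AMT/ASF ports reached from outside mgmt nets: {sorted(ports)}")
    print("\n".join(iptables_block_rules()))
```

Hosts reported by find_amt_exposure are the ones to check with the Intel detection tool and patch first; the emitted rules are the endpoint side of the interim block, with the same ports to be dropped at the perimeter.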

When you’re ready to patch, Intel has provided [a detection and mitigation tool for the May vulnerability](https://downloadcenter.intel.com/download/26755/INTEL-SA-00075-Detection-and-Mitigation-Tool), as well as one for the current vulnerability.
