On November 20, 2017, Intel published INTEL-SA-00086, a security advisory detailing local and remote exploits in the Intel Management Engine.
The advisory covers three Intel firmware components, each running on its own embedded controller, not three modules of one engine:
- Intel Management Engine (ME) firmware, which hosts Active Management Technology (AMT), in versions 11.0, 11.5, 11.6, 11.7, 11.10 and 11.20
- Intel Trusted Execution Engine (TXE) firmware version 3.0, the ME equivalent on low-power (Atom-class) platforms
- Intel Server Platform Services (SPS) firmware version 4.0, the server equivalent
The only one of the three with a network-reachable attack vector is AMT: the remote flaw (CVE-2017-5712) lets an attacker who already holds AMT administrator credentials execute code with AMT privileges, while the remaining CVEs in the advisory need local access to the host. So in practice the November bugs are a privilege-escalation and persistence problem (code running below the OS, surviving reinstalls) more than a remote break-in.
Interestingly, AMT was also the subject of the May 1, 2017 advisory INTEL-SA-00075 (CVE-2017-5689), an authentication bypass in the AMT web interface that was fully remote and unauthenticated.
For AMT to be exploited over the network, it must be enabled and provisioned. The firmware ships on every chipset that carries AMT, but it only starts listening on the network once it has been provisioned, which does not happen automatically unless an OEM or your own imaging process did it for you, so don't assume you're safe. Treat any AMT port that answers on the network as evidence of a provisioned system that needs attention.
Quick Detection and Mitigation
To find exposed systems, you can use the Python scanner script that Cerberus Security published for the May vulnerability: it probes the AMT service ports and reads the AMT web server banner, so it tells you which hosts have a network-accessible AMT listener (the precondition for both the May and the November remote vectors). It does not detect the local-only November issues; that needs Intel's tool below.
To quickly mitigate until you can patch, block the AMT service ports at the perimeter, between network segments, and on switch or router ACLs:
16992/TCP 16993/TCP 16994/TCP 16995/TCP 623/TCP 664/TCP (ASF RMCP also uses 623/UDP and 664/UDP)
Note that a host-based firewall on the endpoint's operating system does not help: the ME's integrated network filter consumes AMT traffic before the OS network stack ever sees it, so the block has to be enforced by a device other than the vulnerable host itself. Where you can, also unprovision AMT on hosts that don't need it.
When you're ready to fix things properly, Intel provides the Intel-SA-00075 Detection and Mitigation Tool for the May vulnerability (which can also unprovision AMT and disable the Local Manageability Service) and the Intel-SA-00086 Detection Tool for the current one. The November tool only detects; the actual fix is a ME/TXE/SPS firmware update, which has to come from your system manufacturer's BIOS/firmware release rather than from Intel directly.
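As an added example (not the Cerberus Security scanner and not one of Intel's tools), the following Python script does the same kind of check: it probes the AMT service ports on each host and, where the HTTP port answers, parses the `Server:` header that the AMT web server sends in the form `Intel(R) Active Management Technology <version>`. The sample HTTP response embedded for testing is constructed, modelled on that header format, and the request path `/index.htm` is an assumption; any reachable AMT listener is reported as exposed regardless of what the banner says, since an open port already means the host is provisioned.

```python
"""Probe hosts for network-reachable Intel AMT listeners.

Added example; not the Cerberus Security scanner or any Intel tool.
A reachable listener means AMT on that host is provisioned and exposed;
it does not by itself prove the firmware is vulnerable.
"""
import re
import socket
import ssl
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Ports the ME firmware claims for AMT: HTTP, HTTPS, redirection (SOL/IDE-R),
# secure redirection, ASF RMCP and secure RMCP.
AMT_PORTS = (16992, 16993, 16994, 16995, 623, 664)

# AMT's web server identifies itself in the Server header.
SERVER_RE = re.compile(
    r"^Server:\s*Intel\(R\) Active Management Technology\s+([\d.]+)",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample response (assumption: real AMT replies look similar).
SAMPLE_AMT_RESPONSE = (
    "HTTP/1.1 303 See Other\r\n"
    "Location: /logon.htm\r\n"
    "Server: Intel(R) Active Management Technology 11.6.27.3264\r\n"
    "Content-Length: 0\r\n\r\n"
)


@dataclass
class AmtResult:
    host: str
    open_ports: List[int] = field(default_factory=list)
    version: Optional[str] = None

    @property
    def exposed(self) -> bool:
        return bool(self.open_ports)


def parse_amt_banner(response: str) -> Optional[str]:
    """Return the AMT version from an HTTP response, or None if the
    Server header does not identify Intel AMT."""
    m = SERVER_RE.search(response)
    return m.group(1) if m else None


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_banner(host: str, port: int, timeout: float = 3.0,
                 use_tls: bool = False) -> str:
    """Send a minimal GET and return the raw response text ("" on failure)."""
    request = (f"GET /index.htm HTTP/1.1\r\nHost: {host}\r\n"
               f"Connection: close\r\n\r\n").encode()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE  # AMT usually has a self-signed cert
            sock = ctx.wrap_socket(sock, server_hostname=host)
        with sock:
            sock.sendall(request)
            data = b""
            while len(data) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        return data.decode("latin-1", "replace")
    except OSError:
        return ""


def scan_host(host: str, timeout: float = 2.0) -> AmtResult:
    """Check every AMT port; grab the version banner from 16992 or 16993."""
    result = AmtResult(host)
    result.open_ports = [p for p in AMT_PORTS if tcp_open(host, p, timeout)]
    if 16992 in result.open_ports:
        result.version = parse_amt_banner(fetch_banner(host, 16992, timeout))
    if result.version is None and 16993 in result.open_ports:
        result.version = parse_amt_banner(
            fetch_banner(host, 16993, timeout, use_tls=True))
    return result


def classify(result: AmtResult) -> str:
    """One-line verdict for a scanned host."""
    if not result.exposed:
        return f"{result.host}: no AMT ports reachable"
    ports = ",".join(str(p) for p in result.open_ports)
    if result.version:
        return (f"{result.host}: AMT {result.version} reachable on {ports} "
                f"(provisioned, exposed)")
    return f"{result.host}: AMT ports {ports} open but no AMT banner; verify manually"


if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(classify(scan_host(target)))
```

Run it as `python amt_probe.py 10.0.0.5 10.0.0.6` from a machine outside the hosts' own OS (the ME answers these ports, so scanning a host from itself tells you nothing), and feed anything reported as exposed to Intel's detection tool and your firmware update queue.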