Netgate Discussion Forum

    Intel AMT - quick temporary fix until new BIOS release

    Off-Topic & Non-Support Discussion
      n3by

      My quick temporary fix for the Intel AMT vulnerability CVE-2017-5689 until you can apply a new BIOS update:

      Change the default admin account name to something random; do not create another admin account:

      More details about this problem here.

        BBcan177 Moderator

        I think it would be better to disable AMT completely until the patches are out.

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

          n3by

          All my firewalls have IAMT exposed to WAN and it is really useful for remote sites; they are an older version, 5.2.xx, but I already changed the default admin account name a long time ago when I set them up. No idea why Intel did not also recommend this approach if you need to use AMT.

          My laptop is affected by this problem and there is a low chance of getting a BIOS update because it is old hw (Lenovo ThinkPad T410), but I also have the admin name changed so I think it is relatively safe.

          I am thinking of experimenting with some settings in Intel Defense for WAN on AMT ports; it would be nice to have the possibility to accept incoming connections on AMT ports only from an external IP specified by the admin.

            doktornotor Banned

            @BBcan177:

            I think it would be better to disable AMT completely until the patches are out.

            FTFY.  :P ;D

              doktornotor Banned

              https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability

              we used a NULL/empty response hash (response="" in the HTTP Authorization header). Authentication still worked.

              1 Reply Last reply Reply Quote 0
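A defender-side check for the condition quoted above, as an added example that is not part of the original thread: it parses HTTP Digest `Authorization` header values (for instance from a proxy or sensor log in front of AMT hosts) and flags an empty `response` field. It goes slightly beyond the quoted case by also flagging any `response` that is not the 32 hex digits an MD5 digest has; the addresses, header values and function names are constructed for illustration.

```python
import re

# key=value pairs of a Digest header; values are quoted strings or bare tokens
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]*))')
_MD5_HEX = re.compile(r'^[0-9a-fA-F]{32}$')


def parse_digest(header_value):
    """Return the Digest parameters as a dict, or None if the scheme is not Digest."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    params = {}
    for m in _PARAM.finditer(rest):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        params[m.group(1).lower()] = value
    return params


def classify(header_value):
    """Classify one Authorization header value by the state of its response field."""
    params = parse_digest(header_value)
    if params is None:
        return "not-digest"
    response = params.get("response")
    if response is None:
        return "missing-response"
    if response == "":
        return "empty-response"      # the case quoted in the thread
    if not _MD5_HEX.match(response):
        return "malformed-response"  # not a 32-hex-digit MD5 digest
    return "ok"


def scan(records):
    """records: iterable of (source_ip, header_value); returns the suspicious ones."""
    verdicts = ((src, classify(hdr)) for src, hdr in records)
    return [(src, v) for src, v in verdicts if v not in ("ok", "not-digest")]


# Constructed sample input (documentation addresses, made-up realm and nonce).
_BASE = 'Digest username="operator1", realm="CONSTRUCTED", nonce="abc123", uri="/index.htm", '
SAMPLE = [
    ("192.0.2.10", _BASE + 'response="", qop=auth, nc=00000001, cnonce="x1"'),
    ("192.0.2.11", _BASE + 'response="5f4dcc3b5aa765d61d8327deb882cf99", qop=auth'),
    ("192.0.2.12", _BASE + 'response="5f4d", qop=auth'),
    ("192.0.2.13", "Basic dXNlcjpwYXNz"),
]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE):
        print(src, verdict)
```
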
                n3by

                UPDATE 07-05-2017.

                This method is confirmed to be effective for protecting your computer from remote AMT login!

                Renaming the default admin account name to something random will protect your computer with AMT active only from other hosts accessing your AMT computer by LAN or WAN.

                It will NOT protect you from login/attack via the local interface with LMS access!!!

                It is best to use AMT with TLS so the connection and traffic will be encrypted and the admin account name can't be sniffed!

                Remember you are still vulnerable to attack via the local interface LMS access!!!

                If you are looking for 100% protection then follow the Intel advisory and unprovision and disable AMT!
                https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

                Edited - changed.
                My post at the Lenovo forum was recovered by their staff and is now displayed.

                https://forums.lenovo.com/t5/forums/v3_1/forumtopicpage/board-id/Security_Malware/thread-id/2678/page/3

                  seanmcb

                  Is/was AMT enabled by default on any of the hardware sold at the pfsense/netgate store?

                    BBcan177 Moderator

                    @seanmcb:

                    Is/was AMT enabled by default on any of the hardware sold at the pfsense/netgate store?

                    https://www.reddit.com/r/PFSENSE/comments/68opmm/are_any_of_the_pfsense_appliances_vulnerable_to/
