Disabling Intel AMT on Windows (and a simpler CVE-2017-5689 Mitigation Guide)
FINAL UPDATE (2018): Starting with Intel AMT Release 12.0, it is possible to globally disable Intel AMT
UPDATE3: There is now a tool to check whether AMT is enabled and provisioned on Linux systems.
UPDATE2: It gets worse. Much worse. If your Windows laptop runs #IntelAMT, and you enable #WiFi for AMT and you connect to public WiFi AMT is accessible to anyone on that network.
UPDATE1: The vulnerability is now called “SILENT BOB IS SILENT” and is worse than imagined – an attacker can bypass authentication and log on to Intel AMT remotely simply by sending an empty password (a NULL HTTP Digest response). Furthermore,
“The exploit is trival, max five lines of Python, could be doable in one-line shell command. It gives full control of affected machines, including the ability to read and modify everything. It can be used to install persistent malware (possibly in firmware), and read and modify any data. For security servers, it may allow disabling security features, creating fake credentials, or obtaining root keys. … IT folks, KEEP WORKING THROUGH THE WEEKEND, DISABLE AMT NOW or block access to it. This can get ugly.”
Completely and permanently (unless you re-install it) disable Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability on Windows. These are components of the Intel Management Engine firmware.
This is especially relevant since a privilege escalation issue affecting Intel ME (CVE-2017-5689) was made public on May 1st. A patch for Linux is forthcoming. This vulnerability was discovered by Embedi.
PS: words within ` ` are commands, you need to copy and paste these commands without the `
1) Download the Intel Setup and Configuration Software (Intel SCS) and extract the files
2) Open up an administrator command prompt and navigate to where you extracted the files in step 1:
- run `cd Configurator`
3) In the command prompt, run `ACUConfig.exe UnConfigure`. If you get an error, try one of the options below:
- Unconfiguring a system in ACM without RCS integration:
`ACUConfig.exe UnConfigure /AdminPassword <password> /Full` - Unconfiguring a system with RCS integration:
`ACUConfig.exe UnConfigure /RCSaddress <RCSaddress> /Full`
4) Still in the command prompt, disable and/or remove LMS (Intel Management and Security Application Local Management Service):
- `sc config LMS start=disabled`
- `sc delete LMS`
- also run `sc qc LMS`, which will either show you the path to LMS.exe or FAIL. If it shows you the path, use Explorer to delete it. If it FAILED, do not be concerned.
5) Reboot your computer.
6) Check if there is still a socket listening on the Intel ME Internet Assigned Names Authority (IANA) ports on the client: 16992, 16993, 16994, 16995, 623, and 664 (you can also do this before you start to verify it is listening. The Intel ME listens even if the Intel AMT GUI shows Intel ME is “Unconfigured”)
- in a command prompt (does not need to be elevated), run `netstat -na | findstr “\<16993\> \<16992\> \<16994\> \<16995\> \<623\> \<664\>”`
7) The Intel AMT GUI should now show “information unavailable on both remaining tabs” (you might have had 3 or more tabs before going thru the steps above)
8) Optionally, you can now delete LMS.exe. It is usually located in “C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS”. You could go further and use Add/Remove Programs to uninstall the AMT GUI, but then you will have a harder time in the future checking whether Intel AMT remains disabled.
Voilá, you have gotten rid of the Intel AMT components.
But the Intel ME co-processor is still running. Disabling the Intel Management Engine chip has long been a desired goal. If you can point to resources on disabling the Intel ME co-processor for chipsets Haswell and after, please comment below. If your computer has a chipset earlier than Haswell, you can try, at your own risk, these steps.
I’ve a better solution: stop using that crappy Windows O.S. and embrace the FLOSS World 🙂
From what I understand the only way is to flash the chips https://hardenedlinux.github.io/firmware/2016/11/17/neutralize_ME_firmware_on_sandybridge_and_ivybridge.html
@daemon, Intel ME runs on a separate processor, a black box, with its own RAM. It is a programmable TPM. Only way to get rid of it is to build a machine using Power processors, which can be very expensive. In other words, it is not a software issue, it is a hardware issue. And BTW, Linux is also affected (https://twitter.com/IntelSupport/status/859437569368567811)
Eddie Barcellos – AMD doesn’t use Intel ME.
All AMD CPUs after FX have PSP, which is pretty much the same thing as Intel ME. It also can’t be removed/disabled.
@Eddie Barcellos – the difference is that AMD’s is open source.
From my understanding you can bypass AMT authentication for default admin account or any other known account name.
This can be easy mitigate if you rename default admin account to any random name, this was the first thing I did few years ago after I set up the AMT.
https://postimg.io/image/egta2oog1/
https://postimg.io/image/5ztrrrjr5/
https://postimg.io/image/y1cej7ef5/
Please correct me if I am wrong.
https://forum.pfsense.org/index.php?topic=130046.0
@ecfx, that is good advice but it is not good protection. we don’t even know for sure if the vulnerability requires logging into AMT.
IPV6 ports 49283, 49285
@Ronald, https://software.intel.com/en-us/documentation/amt-reference/manageability-ports does not list said ports?
Eddie Barcellos says:
2017-05-09 at 10:50
@Ronald, https://software.intel.com/en-us/documentation/amt-reference/manageability-ports does not list said ports?
Eddie I know that is why I listed them, run a port monitor program, you will see LMS.exe running on those ports
Ronald Rossi says:
2017-05-13 at 06:01
OK further review would seem that the IPv6 ports are random
Found 49342,49344
49267, 49269
Eddie Barcellos says:
2017-05-09 at 10:50
@Ronald, https://software.intel.com/en-us/documentation/amt-reference/manageability-ports does not list said ports?
Eddie I know that is why I listed them, run a port monitor program, you will see LMS.exe running on those ports
Does it help at all to disable Intel AMT in group policy?
Are Intel Macs vulnerable? If so, how do I go into “BIOS setup” on a Mac?