Intel Management Engine Vulnerable

Disabling Intel AMT on Windows (and a simpler CVE-2017-5689 Mitigation Guide)

FINAL UPDATE (2018): Starting with Intel AMT Release 12.0, it is possible to globally disable Intel AMT

UPDATE3: There is now a tool to check whether AMT is enabled and provisioned on Linux systems.

UPDATE2: It gets worse. Much worse. If your Windows laptop runs #IntelAMT, and you enable #WiFi for AMT and you connect to public WiFi AMT is accessible to anyone on that network.

UPDATE1: The vulnerability is now called “SILENT BOB IS SILENT” and is worse than imagined – an attacker can bypass authentication and log on to Intel AMT remotely simply by sending an empty password (a NULL HTTP Digest response). Furthermore,

“The exploit is trivial, max five lines of Python, could be doable in one-line shell command. It gives full control of affected machines, including the ability to read and modify everything. It can be used to install persistent malware (possibly in firmware), and read and modify any data. For security servers, it may allow disabling security features, creating fake credentials, or obtaining root keys. … IT folks, KEEP WORKING THROUGH THE WEEKEND, DISABLE AMT NOW or block access to it. This can get ugly.”


This guide shows how to completely and permanently (unless you re-install it) disable Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability on Windows. These are components of the Intel Management Engine firmware.

This is especially relevant since a privilege escalation issue affecting Intel ME (CVE-2017-5689) was made public on May 1st. A patch for Linux is forthcoming. This vulnerability was discovered by Embedi.

PS: words within ` ` are commands; copy and paste them without the backticks.

1) Download the Intel Setup and Configuration Software (Intel SCS) and extract the files

2) Open up an administrator command prompt and navigate to where you extracted the files in step 1:

  • run `cd Configurator`

3) In the command prompt, run `ACUConfig.exe UnConfigure`. If you get an error, try one of the options below:

  • Unconfiguring a system in ACM without RCS integration:
    `ACUConfig.exe UnConfigure /AdminPassword <password> /Full`
  • Unconfiguring a system with RCS integration:
    `ACUConfig.exe UnConfigure /RCSaddress <RCSaddress> /Full`

4) Still in the command prompt, disable and/or remove LMS (Intel Management and Security Application Local Management Service):

  • `sc config LMS start= disabled` (note the space after `=`; `sc.exe` rejects `start=disabled` without it)
  • `sc delete LMS`
  • also run `sc qc LMS`, which will either show you the path to LMS.exe or FAIL. If it shows you the path, use Explorer to delete it. If it FAILED, do not be concerned.

5) Reboot your computer.

6) Check if there is still a socket listening on the Intel ME Internet Assigned Numbers Authority (IANA) ports on the client: 16992, 16993, 16994, 16995, 623, and 664. (You can also do this before you start, to verify that it is listening; the Intel ME listens even if the Intel AMT GUI shows Intel ME is “Unconfigured”.)

  • in a command prompt (does not need to be elevated), run `netstat -na | findstr "\<16993\> \<16992\> \<16994\> \<16995\> \<623\> \<664\>"` (use straight quotes; `findstr` treats the space-separated numbers as alternative patterns and `\<`/`\>` as word boundaries, so port 6231 does not match 623)

7) The Intel AMT GUI should now show “information unavailable” on both remaining tabs (you might have had 3 or more tabs before going through the steps above).

8) Optionally, you can now delete LMS.exe. It is usually located in “C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS”. You could go further and use Add/Remove Programs to uninstall the AMT GUI, but then you will have a harder time in the future checking whether Intel AMT remains disabled.
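To verify the result of steps 4 and 6 in one go, here is an added PowerShell check (not part of the original post): it reports whether the LMS service is still registered and where its binary lives, and whether anything on the host is listening on the Intel AMT ports listed in step 6. It assumes Windows 8 / Server 2012 or later for `Get-NetTCPConnection` and that the service is registered under the name `LMS`, as in step 4.

```powershell
# Added verification script for the steps above (not from the original post).
# Assumes: Get-NetTCPConnection is available (Windows 8 / Server 2012+) and the
# Intel LMS service is registered as 'LMS', the name used in step 4.
$amtPorts = 16992, 16993, 16994, 16995, 623, 664

# Step 4 check: is the LMS service still registered? If so, show its state,
# start mode and binary path (the PowerShell equivalent of 'sc qc LMS').
$lms = Get-CimInstance -ClassName Win32_Service -Filter "Name='LMS'"
if ($null -eq $lms) {
    Write-Output "LMS service: not registered (expected after 'sc delete LMS')"
} else {
    Write-Output ("LMS service: state={0} startmode={1} binary={2}" -f `
        $lms.State, $lms.StartMode, $lms.PathName)
}

# Step 6 check: any local TCP listener on the AMT/ME ports? Each hit is
# resolved to its owning process so you can see whether it is LMS.exe.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $amtPorts -contains $_.LocalPort }

if (-not $listeners) {
    Write-Output ("No local listener on AMT ports {0}" -f ($amtPorts -join ', '))
} else {
    foreach ($conn in $listeners) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        Write-Output ("LISTENING {0}:{1} owned by PID {2} ({3})" -f `
            $conn.LocalAddress, $conn.LocalPort, $conn.OwningProcess, $proc.ProcessName)
    }
}
```

A clean result here means the host-side LMS proxy is gone. It does not prove the AMT firmware itself is unreachable: AMT traffic on these ports is diverted to the Management Engine by the network adapter below the operating system, so neither `netstat` nor `Get-NetTCPConnection` can see it. To confirm the network-facing side, port-scan your own machine's address from a second host on the same LAN after completing step 3.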

Voilà, you have gotten rid of the Intel AMT components.

But the Intel ME co-processor is still running. Disabling the Intel Management Engine chip has long been a desired goal. If you can point to resources on disabling the Intel ME co-processor for chipsets Haswell and after, please comment below. If your computer has a chipset earlier than Haswell, you can try, at your own risk, these steps.

21 Comments

  1. I’ve a better solution: stop using that crappy Windows O.S. and embrace the FLOSS World 🙂

  2. @daemon, Intel ME runs on a separate processor, a black box, with its own RAM. It is a programmable TPM. Only way to get rid of it is to build a machine using Power processors, which can be very expensive. In other words, it is not a software issue, it is a hardware issue. And BTW, Linux is also affected (https://twitter.com/IntelSupport/status/859437569368567811)

  3. All AMD CPUs after FX have PSP, which is pretty much the same thing as Intel ME. It also can’t be removed/disabled.

  4. @ecfx, that is good advice but it is not good protection. We don’t even know for sure if the vulnerability requires logging into AMT.

  5. Are Intel Macs vulnerable? If so, how do I go into “BIOS setup” on a Mac?
