
How does an Intel AMT flaw enable attackers to gain device access?

A vulnerability in Intel AMT enables attackers to gain remote access to PCs and devices. Expert Judith Myerson explains how the attack works and what can be done to prevent it.

Intel warned of a firmware vulnerability in its Active Management Technology, or AMT, that could allow an attacker to gain access to PCs or devices. How can this happen? Can the firmware be updated?

Intel's Active Management Technology is included in Intel Xeon processors in nonconsumer workstations and servers running Windows and Linux operating systems. It is a component of the Management Engine (ME) firmware that enables management and security features, including firewalls, Active Directory, logging and intrusion detection. The ME can be active even while the server is powered off.

In February 2017, Maksim Malyutin, a researcher at Embedi, disclosed a firmware vulnerability in Intel AMT. Malyutin was able to bypass authentication to gain control of a remote PC. On March 3, 2017, Intel published its advisory about the flaw. The vulnerability had silently acted as a backdoor for nine years by the time Intel received the report from Embedi.

According to a vulnerability note from the CERT Division of Carnegie Mellon University, Intel AMT listens for remote commands on several known ports, including ports 16992 and 16993 Intel scans. Other ports that may be used by Intel AMT include 16994 and 16995, 623 and 664. Cloud server hardware often has AMT enabled. An attacker can gain control of every virtual machine, container and database running on the physical server. Some firewalls and security appliances have open Intel AMT ports.

Fujitsu has published a patched version of the firmware for certain models. Until other vendors publish firmware patches, here are some tips to mitigate the vulnerability:

  • Disable Intel AMT on critical servers, such as firewalls, security servers and Active Directory.
  • Block ports 16992 through 16995, 623 and 624 in internal firewalls. The last port is Crypto Admin; others are AMT-related.
  • Work with an open source detection tool for Linux.
  • Use netstat -an to check for listening ports.
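
The netstat check in the last tip can be automated. The following is an added example, not part of the original article: it parses netstat -an output in both the Linux and Windows layouts and reports sockets bound to the ports named above. The function name amt_listeners and the sample output are constructed for illustration.

```python
# Ports the article lists for Intel AMT (16992-16995, 623, 664), plus 624,
# which its mitigation list also says to block.
AMT_PORTS = frozenset({623, 624, 664, 16992, 16993, 16994, 16995})

def amt_listeners(netstat_text, ports=AMT_PORTS):
    """Return sorted (port, proto, local_addr) for sockets bound to AMT ports."""
    hits = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        proto = fields[0].lower()
        if not proto.startswith(("tcp", "udp")):
            continue  # headers, unix-domain sockets, blank lines
        # Linux rows carry Recv-Q/Send-Q before the local address; Windows rows do not.
        idx = 3 if fields[1].isdigit() else 1
        if len(fields) <= idx:
            continue
        addr, _, port = fields[idx].rpartition(":")
        if not port.isdigit() or int(port) not in ports:
            continue
        # TCP must be listening; UDP has no listen state, so any bound socket counts.
        if proto.startswith("tcp") and fields[-1].upper() not in ("LISTEN", "LISTENING"):
            continue
        hits.add((int(port), proto, addr))
    return sorted(hits)

# Constructed sample output (not captured from a real host).
SAMPLE_LINUX = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:16992           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:51514        192.0.2.20:16993        ESTABLISHED
tcp6       0      0 :::16993                :::*                    LISTEN
udp        0      0 0.0.0.0:623             0.0.0.0:*
"""
SAMPLE_WINDOWS = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:16992          0.0.0.0:0              LISTENING
  TCP    [::]:16993             [::]:0                 LISTENING
  UDP    0.0.0.0:664            *:*
"""

if __name__ == "__main__":
    for name, text in (("linux", SAMPLE_LINUX), ("windows", SAMPLE_WINDOWS)):
        for port, proto, addr in amt_listeners(text):
            print(f"{name}: {proto} socket bound to {addr}:{port}")
```

The established outbound connection to a remote port 16993 in the Linux sample is deliberately not reported, because only the local address column is inspected.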

This was last published in July 2017
