CVE-2017-5689

Published: 02/05/2017 Updated: 03/10/2019
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM). An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT).

Affected Products

Vendor   Product                                  Versions
Intel    Active Management Technology Firmware    6.0, 6.1, 6.2, 7.0, 7.1, 8.0, 8.1, 9.0, 9.1, 9.5, 10.0, 11.0, 11.5, 11.6

Vendor Advisories

On May 1st, 2017, Intel released a security advisory titled Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege, also known as INTEL-SA-00075. The advisory details a vulnerability in the Intel Active Management (AMT), Intel Small Business (ISB), and Intel Standard Manageabi ...
A security vulnerability has been discovered in Intel’s manageability firmware that impacts all Intel OEMs. This vulnerability is a security flaw that originated in the development and deployment of Intel's Manageability firmware. The vulnerability affects some of HP’s commercial PCs, 2 consumer PCs, workstations, thin clients, and retail poin ...
Summary: There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided ...
Oracle Critical Patch Update Advisory - July 2017. Description: A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous C ...

Exploits

#!/usr/bin/python
# -*- coding: utf-8 -*-
# Author: Nixawk
# CVE-2017-5689 = {
#   dork="Server: Intel(R) Active Management Technology" port:"16992",
#   ports=[
#     623,
#     664,
#     16992,
#     16993,
#     16994,
#     16995
#   ]
#   products=[
#     Active Management Technolo ...

Nmap Scripts

http-vuln-cve2017-5689

Detects if a system with Intel Active Management Technology is vulnerable to the INTEL-SA-00075 privilege escalation vulnerability (CVE-2017-5689).

nmap -p 16992 --script http-vuln-cve2017-5689 <target>

PORT      STATE SERVICE       REASON
16992/tcp open  amt-soap-http syn-ack
| http-vuln-cve2017-5689:
|   VULNERABLE:
|   Intel Active Management Technology INTEL-SA-00075 Authentication Bypass
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-5689  BID:98269
|     Risk factor: High  CVSSv2: 10.0 (HIGH) (AV:N/AC:L/AU:N/C:C/I:C/A:C)
|       Intel Active Management Technology is vulnerable to an authentication bypass that
|       can be exploited by performing digest authentication and sending a blank response
|       digest parameter.
|
|     Disclosure date: 2017-05-01
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5689
|       https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
|       http://www.securityfocus.com/bid/98269
|       https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf
|       https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability
|_      https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability

Metasploit Modules

Intel AMT Digest Authentication Bypass Scanner

This module scans for Intel Active Management Technology endpoints and attempts to bypass authentication using a blank HTTP digest (CVE-2017-5689). This service can be found on ports 16992, 16993 (tls), 623, and 624 (tls).

msf > use auxiliary/scanner/http/intel_amt_digest_bypass
msf auxiliary(intel_amt_digest_bypass) > show actions
    ...actions...
msf auxiliary(intel_amt_digest_bypass) > set ACTION <action-name>
msf auxiliary(intel_amt_digest_bypass) > show options
    ...show and set options...
msf auxiliary(intel_amt_digest_bypass) > run

Github Repositories

Detection Script for CVE-2017-5689. Usage: CVE-2017-5689_detector.py <IP Addr/range>. Example: CVE-2017-5689_detector.py 192.168.1.253-255. Advisory: security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075

Intel AMT authentication bypass example. This is a Proof-of-Concept code that demonstrates the exploitation of the CVE-2017-5689 vulnerability. It is essentially a mitmproxy script that simply blanks an Authorization header "response" field. Example usage: mitmdump -p 8080 -dd --no-http2 -s blank_auth_response.py

intel_amt_bypass: simple POC for CVE-2017-5689. Usage: python amibypass.py x.x.x.x

Disable Intel AMT: tool to disable Intel AMT on Windows. Runs on both x86 and x64 Windows operating systems. Download: DisableAMT.exe, DisableAMT.zip. What? On 02 May 2017, Embedi discovered "an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology versions firm ...

amt-bypass-test: small script to test if a machine is vulnerable to Intel AMT auth bypass (CVE-2017-5689).

Honeypot for Intel's AMT Firmware Vulnerability CVE-2017-5689. Webserver that listens on TCP port 16992 and replicates the behaviour of Intel's AMT management service. If successfully exploited, content pulled from a HP machine is served to the attacker. Building: # go build server.go. Running: # ./server logfile.txt. TODO: Daemonize; Add templating to make content dyna ...

cve2017-5689: this script scans hosts that have CVE-2017-5689. Ref: How to check whether AMT is enabled and provisioned under Linux (method #2).

CVE-2017-5689 (aka AMT-AUTHBYPASS) checker

AMT status checker for Linux. A simple tool that tells you whether AMT is enabled and provisioned on Linux systems. Requires that the mei_me driver (part of the upstream kernel) be loaded. Building: run make. Running: sudo ./mei-amt-check. If run on a system with no AMT, output will look like: Intel AMT: DISABLED. If AMT is enabled but not provisioned, output will look like: Intel ...

INTEL-SA-00075-Linux-Detection-And-Mitigation-Tools. Summary: There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the m ...

Awesome Shodan Search Queries. Based on a blog post at jarvis/notes/shodan-search-queries/. Over time, I've collected an assortment of interesting, funny, and depressing search queries to plug into Shodan, the (literal) internet search engine. Some return facepalm-inducing results, while others return serious and/or ancient vulnerabilities in the wild. Most ...

Awesome Honeypots. A curated list of awesome honeypots, plus related components and much more, divided into categories such as Web, services, and others, with a focus on free and open source projects. There is no pre-established order of items in each category, the order is for contribution. If you want to contribute, please read the guide. Discover more awesome lists at sindre ...

Autosploit = Automating Metasploit Modules. Execute MSF Modules on a target machine: MS08_067, MS17_010, MS03_026, MS12_020, MS10_061, MS09_050, MS06_040, MS05_039, MS12_020, OSVDB-73573, CVE-2017-5689, CVE-2012-1823, CVE-2006-2369, CVE-2009-3843, SMB Session Pipe Auditor, Gathering GPP Saved Passwords. Checks for multiple auxiliary modules. Execute MSF Modules on a target machine if applicati ...

Name / Description. CVE-2015-5531: Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls. CVE-2016-1909: Fortinet FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0.8; and FortiOS 4.1.x before 4.1.11, 4.2.x ...

Awesome CVE PoC. A curated list of CVE PoCs. Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security. Please read the contribution guidelines before contributing. This repo is full of PoCs for CVEs. If you enjoy this awesome list and would like to support it, check out my Patreon page: ...

Recent Articles

Intel Confirms Its Much-Loathed ME Feature Has A Kill Switch
Threatpost • Tom Spring • 30 Aug 2017

Researchers at Positive Technologies forced Intel’s hand at revealing that a previously undocumented kill switch exists for its oft-criticized Intel Management Engine, a remote management component of Intel CPUs.
Initially, Positive Technologies set out to disable the feature that some security professionals have deemed a risk. Researchers did create an unofficial workaround dubbed ‘ME Cleaner’, which cripples the feature, but does not eliminate it.
In response to Positive Techn...

Researchers Find a Way to Disable Much-Hated Intel ME Component Courtesy of the NSA
BleepingComputer • Catalin Cimpanu • 28 Aug 2017

Researchers from Positive Technologies — a provider of enterprise security solutions — have found a way to disable the Intel Management Engine (ME), a much-hated component of Intel CPUs.
Intel ME is a separate processor embedded with Intel CPUs that runs its own operating system complete with processes, threads, memory manager, hardware bus driver, file system, and many other components.
Intel has always advertised Intel ME as a way for companies to manage computers running on th...

Siemens Patches Critical Intel AMT Flaw in Industrial Products
Threatpost • Chris Brook • 30 Jun 2017

Siemens patched two critical vulnerabilities that affected its industrial products this week. One, tied to a recently disclosed flaw in Active Management Technology – a function of certain Intel processors – could have allowed an attacker to gain system privileges. Another vulnerability could have let an attacker upload and execute arbitrary code.
The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned about both vulnerabilitie...

Dell to patch AMT-vulnerable systems
The Register • Richard Chirgwin • 07 May 2017

BIOS fixes for most boxen promised Friday

Dell, which last week was scrambling to work out which of its systems are affected by the Intel AMT vulnerability, is scrambling to catch up with peers HP Inc, Lenovo and Fujitsu.
In a note published on Friday, the company said it would publish firmware fixes for most vulnerable kit.
As readers should already know, Intel introduced the bug in 2010, and it turned out that an attacker need only offer an empty login string to Chipzilla's VPro AMT remote management firmware to access vul...

How to remote hijack computers using Intel's insecure chips: Just use an empty login string
The Register • Chris Williams, Editor in Chief • 05 May 2017

Exploit to pwn systems using vPro and AMT

Code dive You can remotely commandeer and control computers that use vulnerable Intel chipsets by sending them empty authentication strings.
You read that right. When you're expected to send a password hash, you send zero bytes. Nothing. Nada. And you'll be rewarded with powerful low-level access to a vulnerable box's hardware from across the network – or across the internet if the management interface faces the public web.
Remember that the next time Intel, a $180bn international ...

Researchers Disclose Intel AMT Flaw Research
Threatpost • Tom Spring • 05 May 2017

On Friday, just as Intel released additional information regarding a critical flaw found earlier this week in a subset of its business-class PCs, the researchers behind the initial vulnerability discovery, Embedi, also published their research on the flaw.
Intel warned Monday of a firmware vulnerability in certain systems that utilize its Active Management Technology (AMT) that could allow an adversary to elevate privileges on a vulnerable system. The flaw (CVE-2017-5689) could allow an at...

Researcher: ‘Baseless Assumptions’ Exist About Intel AMT Vulnerability
Threatpost • Tom Spring • 03 May 2017

Researchers at Embedi who found the critical Active Management Technology (AMT) flaw in Intel chips said in a blog published today there were “a tremendous amount of baseless assumptions” being made about the vulnerability.
According to Embedi CTO Dmitry Evdokimov, an information vacuum has predictably sparked false assumptions about the vulnerability, otherwise known as Intel Standard Manageability Escalation of Privilege – INTEL-SA-00075 (CVE-2017-5689).
For starters, the date ...

Intel Fixes 9-Year-Old CPU Flaw That Allows Remote Code Execution
BleepingComputer • Catalin Cimpanu • 02 May 2017

Intel's security team released a series of patches yesterday that fix a remote code execution (RCE) bug found in the Intel Management Engine (ME).
The RCE bug affects Intel ME technologies such as Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT).
All of these are technologies that allow a systems administrator to manage workstations remotely over a network, via ports 16992 or 16993. These features are not found in...

Red alert! Intel patches remote execution hole that's been hidden in chips since 2010
The Register • Chris Williams, Editor in Chief • 01 May 2017

Vuln reported in March, now fix is coming...

Updated For the past seven years, millions of Intel chips have harbored a security flaw that can be potentially exploited to remotely control and infect systems with spyware.
Specifically, the bug is in Intel's Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6. According to Chipzilla, the security hole allows "an unprivileged attacker to gain control of the manageability features provided by these products."