Vectra has received some inquiries about the recently revealed Intel AMT (Intel Active Management Technology) vulnerability that impacts many Intel systems produced over the last 10 years. This is a critical bug that allows an attacker to gain sub-OS privileges on a given machine quite easily. Vectra already covers exploitation of this recently revealed vulnerability, a testament to our attacker-behavior detection approach.
The Intel AMT vulnerability, now classified as CVE-2017-5689 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5689), is a remotely exploitable vulnerability in the Intel chipset that accompanies Intel processors. The chipset is designed to provide platform management capabilities to IT administrators for machines under their control, even when the system is not running. This makes it similar to IPMI (Intelligent Platform Management Interface) in that it can be used to remotely manage the machine, changing settings and software.
The Intel AMT service can be accessed over ports 16992 and 16993. Intel AMT uses the HTTP Digest protocol to authenticate access to the AMT chipset. This is a challenge-response scheme in which the hashed response string supplied by the client is compared with the expected hash that the server computes. The vulnerability lies in the implementation of that comparison function. The result is that an attacker can easily authenticate to any Intel system using AMT without needing any credentials. Access to AMT grants an administrator or attacker many powers, including arbitrary code execution, remote control, file reads and writes, and BIOS settings changes.
On Vectra’s detection capability:
Vectra is currently able to detect attackers trying to utilize the Intel AMT vulnerability to remotely exploit and take ownership of systems.
The Automated Replication detection looks for nearly identical communications from one host to multiple other hosts on the network. An attacker leveraging the Intel AMT vulnerability against many hosts is no different. An Automated Replication detection seen on ports 16992 or 16993 would be an indication that an attack leveraging this vulnerability is underway.
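As an added illustration of the detection idea above (not Vectra's code, and not how the product implements it), the following Python groups constructed flow records by source host and AMT port, normalizes away the per-destination Host header, and flags a source that sends the same request to several distinct hosts on 16992 or 16993. All addresses and request contents are constructed sample data.

```python
from collections import defaultdict

AMT_PORTS = {16992, 16993}  # Intel AMT management ports named in the post


def amt_request(host: str, uri: str = "/index.htm") -> str:
    """Build a constructed AMT HTTP Digest request (placeholder values, not a real exchange)."""
    return (f"GET {uri} HTTP/1.1\r\nHost: {host}:16992\r\n"
            'Authorization: Digest username="admin", realm="CONSTRUCTED", '
            f'uri="{uri}", response="CONSTRUCTED"\r\n\r\n')


# Constructed flow records (src, dst, dport, request text); not captured traffic.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.1.10", 16992, amt_request("10.0.1.10")),  # one request fanned out
    ("10.0.0.5", "10.0.1.11", 16992, amt_request("10.0.1.11")),  # to three AMT hosts
    ("10.0.0.5", "10.0.1.12", 16992, amt_request("10.0.1.12")),
    ("10.0.0.2", "10.0.1.20", 16992, amt_request("10.0.1.20", "/logon.htm")),  # one admin, one host
    ("10.0.0.7", "10.0.1.30", 16992, "P2P-VOIP-BLOB-A"),  # unrelated traffic sharing the port,
    ("10.0.0.7", "10.0.1.31", 16992, "P2P-VOIP-BLOB-B"),  # payload differs per peer
    ("10.0.0.5", "10.0.2.1", 443, "GET / HTTP/1.1\r\nHost: 10.0.2.1\r\n\r\n"),  # not an AMT port
]


def normalize(request: str) -> str:
    """Drop the per-destination Host header so otherwise identical requests compare equal."""
    return "\n".join(line for line in request.split("\r\n")
                     if not line.lower().startswith("host:"))


def detect_automated_replication(flows, min_targets: int = 3) -> dict:
    """Map (src, dport) -> sorted targets for sources that sent the same normalized
    request to at least min_targets distinct hosts on an AMT port."""
    targets_by_signature = defaultdict(set)  # (src, dport, normalized request) -> {dst}
    for src, dst, dport, request in flows:
        if dport in AMT_PORTS:
            targets_by_signature[(src, dport, normalize(request))].add(dst)
    alerts = {}
    for (src, dport, _), targets in targets_by_signature.items():
        if len(targets) >= min_targets:
            alerts[(src, dport)] = sorted(targets)
    return alerts


if __name__ == "__main__":
    for (src, dport), targets in detect_automated_replication(SAMPLE_FLOWS).items():
        print(f"Automated Replication: {src} -> {len(targets)} hosts on tcp/{dport}: {targets}")
```

The single-host admin session and the differing per-peer VoIP payloads do not trip the threshold, which is the distinction the post draws between administrative use and replication.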
The Suspicious Admins detection, which monitors and learns administrative use of ports and protocols and the relationships between admin hosts and their administrative realms, originally covered AMT on ports 16992 and 16993.
However, because an increasing amount of Skype and VoIP traffic was triggering detections on these ports, AMT coverage was suspended until a Skype/VoIP traffic filter can be implemented. That work is still in progress and remains on our roadmap.
More details on the vulnerability are available from the links below: