4 Replies Latest reply on May 9, 2017 3:35 PM by N.Scott.Pearson

Are separate Intel gigabit NIC cards a solution to AMT vulnerability?

paramountain May 7, 2017 8:32 PM

Assuming I have one of the affected boards (from the link below) and a vPro processor, does AMT still function if I add an Intel NIC PCI card?

Intel® Security Advisory regarding escalation of privilege vulnerability in Intel® Active Management Technology (AMT)

I believe AMT does not function through a Realtek NIC card, but it'd be nice to know if an Intel NIC card does the same thing.

1. Re: Are separate Intel gigabit NIC cards a solution to AMT vulnerability?

May 8, 2017 11:07 AM (in response to paramountain)

This message was posted on behalf of Intel Corporation

Hello paramountain,

Thank you for contacting Intel Communities.

I recommend running the INTEL-SA-00075 Detection Guide to check whether your system is affected or not. For more information please refer to the Intel's newsroom which refers to this document: INTEL-SA-00075 Mitigation Guide.

Please also keep checking the thread you shared: Intel® Security Advisory regarding escalation of privilege vulnerability in Intel® Active Management Technology (AMT)

Best Regards,
JC
Like Show 0 Likes(0)

Actions
2. Re: Are separate Intel gigabit NIC cards a solution to AMT vulnerability?

N.Scott.Pearson May 8, 2017 3:34 PM (in response to Intel Corporation)

Well, presuming that I understand the issue fully, using an add-in NIC will prevent an external entity breaking into a provisioned AMT stack. This add-in NIC can be from any manufacturer; only the NIC built into the chipset (the PHY built into the PCH, in combination with a MAC IC on the baseboard) communicates with the ME and AMT. Going this route, however, will not prevent rogue software that somehow gets executed on your PC from taking over and provisioning your unprovisioned AMT stack. If you have AMT provisioned but use a separate NIC (effectively neutering AMT), you should, in theory (hedging my bets ), be able to avoid both vulnerabilities. Obviously, getting corrected ME firmware is the better way to go and I hope Intel comes through with updated firmware (BIOS) package for these boards.

...S

1 of 1 people found this helpful
Like Show 0 Likes(0)

Actions
3. Re: Are separate Intel gigabit NIC cards a solution to AMT vulnerability?

paramountain May 9, 2017 10:23 AM (in response to N.Scott.Pearson)

As usual, you are a fountain of knowledge, thanks. You might be interested to read the Intel vPro response, reinforcing yours:

"If you add any additional LAN HW (does not matter which vendor or what bus) it will not support Intel AMT OOB."
https://communities.intel.com/thread/114211

It's interesting that any add-on NIC card -- any vendor, PCI or PCIe -- puts the kabash on AMT, though I do appreciate the issue regarding an unprovisioned AMT stack. I don't think he was referring to an out-of-body experience, however. :-)
Like Show 0 Likes(0)

Actions
4. Re: Are separate Intel gigabit NIC cards a solution to AMT vulnerability?

N.Scott.Pearson May 9, 2017 3:35 PM (in response to paramountain)

It doesn't put the kabash on AMT; it just disconnects AMT from seeing any incoming packets on the LAN; that's what I mean by neutering.
...S
Like Show 0 Likes(0)

Actions

Go to original post