2 Replies Latest reply on May 12, 2017 9:53 AM by Rosario2

    Intel AMT - quick temporary fix until new BIOS release ?

    LucianoL

      My quick temporary fix for the CVE-2017-5689 vulnerability until you can apply a new BIOS update:

       

      Change the default admin account name to something random; do not create another admin account:

       

      [Screenshots: AMT-ca1.jpg, AMT-ca2.jpg, AMT-ca3.jpg]

       

      Is this approach viable if the admin account name is unknown to the attacker?

       

      Update 7-05-2017:

      This method was confirmed by other professionals to be effective for protecting your computer from remote AMT login!

      Renaming the default admin account name to something random will protect your computer with AMT active only from other hosts accessing your AMT computer over LAN or WAN.

      It will NOT protect you from login/attack via the local interface with LMS access!!!

      It is best to use AMT with TLS so the connection and traffic will be encrypted and the admin account name can't be sniffed!

      Remember you are still vulnerable to attack via the local interface with LMS access!!!

      If you are looking for 100% protection then follow the Intel advisory and unprovision and disable AMT!
      https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

       

      Message was edited by: Lucian L.

        • 1. Re: Intel AMT - quick temporary fix until new BIOS release ?
          Rosario2

          I just set up the following in a domain logon script to disable and/or delete files as suggested in the INTEL-SA-00075 Mitigation Guide. Can someone confirm whether this fix will be enough until we can apply the announced manufacturers' BIOS patches?

           

          Thanks a lot, Rosario

           

          REM disable Intel AMT and LMS for security reasons

          rem sc.exe expects a space after "start=" (required on older Windows versions)
          sc config LMS start= disabled
          sc config jhi_service start= disabled

          rem sc delete LMS
          rem sc delete jhi_service

          rem erase /f /s /q "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe"
          rem erase /f /s /q "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe"

          rem or everything in there
          rem erase /f /s /q "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\*.*"

           

          rem check back and write into log files:

          netstat -na | findstr "\<16993\> \<16992\> \<16994\> \<16995\> \<623\> \<664\>" >> c:\temp\intelLMS.log

          start c:\windows\IntelLMS\Intel-SA-00075-console.exe -f -p c:\temp\

          • 2. Re: Intel AMT - quick temporary fix until new BIOS release ?
            Rosario2

            Sorry, I forgot to stop the services before deleting them and checking back, so adding

             

            sc stop LMS

            sc stop jhi_service
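
A verification pass for the mitigation discussed in the two replies above, as an added example that is not part of the thread or of Intel's guide: it confirms that each service is both stopped and disabled, and looks for local listeners on the ports from the netstat check. It assumes PowerShell 3.0 or later and English netstat output; the log path is an assumption.

```powershell
# Added example, not from the thread. Assumes PowerShell 3.0+ and English
# netstat output; $LogFile is an assumed path.
$Services = 'LMS', 'jhi_service'                  # names from the posts above
$AmtPorts = 16992, 16993, 16994, 16995, 623, 664  # ports from the posts above
$LogFile  = 'C:\temp\intelLMS-verify.log'

function Get-ServiceStatus {
    param([string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) {
        # Service removed (the "sc delete" variant): nothing left to start
        return [pscustomobject]@{ Name = $Name; State = 'Absent'; StartMode = 'n/a'; Ok = $true }
    }
    [pscustomobject]@{
        Name      = $Name
        State     = $svc.State
        StartMode = $svc.StartMode
        # Both must hold: "disabled" alone leaves a running service up until reboot
        Ok        = ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
    }
}

function Get-AmtListener {
    param([string[]]$NetstatLines, [int[]]$Ports)
    foreach ($line in $NetstatLines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 3 -or $f[0] -notmatch '^(TCP|UDP)$') { continue }
        # TCP rows have a state column (index 3); UDP rows do not
        if ($f[0] -eq 'TCP' -and $f[3] -ne 'LISTENING') { continue }
        # Only the local address (column 1) counts, so a connection to a
        # remote port 623 is ignored; the port follows the last colon
        if ($f[1] -notmatch ':(\d+)$') { continue }
        $port = [int]$Matches[1]
        if ($Ports -contains $port) {
            [pscustomobject]@{ Proto = $f[0]; Local = $f[1]; Port = $port }
        }
    }
}

$status    = @($Services | ForEach-Object { Get-ServiceStatus $_ })
$listeners = @(Get-AmtListener -NetstatLines (netstat -na) -Ports $AmtPorts)
$stamp     = Get-Date -Format s

$lines  = @($status | ForEach-Object { "$stamp $env:COMPUTERNAME service=$($_.Name) state=$($_.State) start=$($_.StartMode) ok=$($_.Ok)" })
$lines += @($listeners | ForEach-Object { "$stamp $env:COMPUTERNAME listener=$($_.Proto)/$($_.Local)" })
Add-Content -Path $LogFile -Value $lines

# Non-zero exit lets the calling logon script or management tool flag the host
if (($status | Where-Object { -not $_.Ok }) -or $listeners.Count -gt 0) { exit 1 }
exit 0
```

A clean result covers only the OS-side LMS listener; the network-facing AMT interface is served by the management firmware and does not show up in netstat on the host.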