Intel AMT Vulnerability: How Tanium Can Help

Posted on 05.05.17 by Chris Kachigian

When Intel revealed a critical security advisory May 1 addressing a flaw in its remote management system affecting millions of chipsets, the Technical Account Management team at Tanium sprang into action to help our customers. Here, TAM director Chris Kachigian reveals what this vulnerability means to your business and how to use Tanium to quickly discover the issue.

A flaw in Intel’s remote management system could give attackers a path to gain full control of your network. The vulnerability, which has existed in millions of Intel chipsets since 2010, affects its Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability.

By exploiting the vulnerability, attackers can control a computer’s hardware, remotely administer machines, and escalate an attack across your entire network. According to security expert Matthew Garrett, the vulnerable AMT service is part of Intel’s vPro suite of processor features. However, Garrett notes, “merely having a ‘vPRO’ CPU and chipset isn’t sufficient – your system vendor also needs to have licensed the AMT code.”

Basically, anyone using a machine with certain vPro and AMT features is at risk. Newer Apple Macs use Intel chips but don’t ship with the AMT firmware, so they are not at risk.

On May 1, Intel issued a critical security advisory and firmware update to address the vulnerability, identified as CVE-2017-5689. We quickly reviewed the Intel SA-00075 Detection Guide and developed a response using Tanium to help you locate the vulnerability using the Intel SA-00075 Risk Sensor and Intel SA-00075 Exposure Sensor. Tanium provides the capabilities to search at speed and scale across the enterprise for artifacts related to this vulnerability. Intel recommends using its detection guide to find vPro systems in your environment whose CPUs carry AMT firmware, and Tanium’s sensors use the methods described in the Intel SA-00075 Detection Guide.

Here’s what you need to know.

What is vulnerable?

A system must have an Intel CPU with an Active Management SKU and a firmware version between 6 and 11.6 whose build number does not begin with 3 (example: 9.5.22.1760; see page 2 of the Intel SA-00075 Detection Guide) to be deemed vulnerable. In an updated advisory on May 5, Intel stated that consumer PCs with consumer firmware, and business workstations and servers using E3 and E5 Xeon processors with SPS firmware, are not affected.
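To make the version rule above concrete, here is an added example (not Tanium sensor code and not Intel’s tool) that applies the “6 through 11.6, build not beginning with 3” test to firmware version strings and then runs it over constructed inventory records filtered with the post’s recommended targeting; hostnames, version values and the record field names are assumptions.

```python
# Added example (not Tanium sensor code): applies the affected-version rule the
# post quotes from the Intel SA-00075 Detection Guide to firmware version
# strings, then filters constructed inventory records with the post's
# recommended targeting (Is Virtual = No, CPU contains Intel, OS contains Windows).

def parse_amt_version(version):
    """Split 'major.minor.hotfix.build' (e.g. 9.5.22.1760). The build is kept
    as a string because the rule looks at its leading digit."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised firmware version: %r" % version)
    return int(parts[0]), int(parts[1]), int(parts[2]), parts[3]

def is_affected_version(version):
    """Affected: major.minor from 6.0 through 11.6 inclusive, unless the build
    number begins with 3 (assumption: that is how the post's wording reads)."""
    major, minor, _hotfix, build = parse_amt_version(version)
    in_range = 6 <= major < 11 or (major == 11 and minor <= 6)
    return in_range and not build.startswith("3")

def in_scan_scope(record):
    """Mirror the post's recommended targeting for the scan package."""
    return (record.get("is_virtual", "").lower() == "no"
            and "intel" in record.get("cpu", "").lower()
            and "windows" in record.get("os", "").lower())

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "ws01", "is_virtual": "No", "cpu": "Intel Core i5", "os": "Windows 10", "amt_version": "9.5.22.1760"},
    {"host": "ws02", "is_virtual": "No", "cpu": "Intel Core i7", "os": "Windows 7", "amt_version": "11.6.27.3264"},
    {"host": "vm01", "is_virtual": "Yes", "cpu": "Intel Xeon", "os": "Windows Server 2012", "amt_version": "9.5.22.1760"},
    {"host": "ws03", "is_virtual": "No", "cpu": "Intel Core i5", "os": "Windows 10", "amt_version": "unknown"},
    {"host": "srv01", "is_virtual": "No", "cpu": "Intel Xeon E5", "os": "Windows Server 2016", "amt_version": "12.0.10.1234"},
]

def triage(records):
    """Return (hosts reporting an affected version, hosts whose version string
    could not be parsed and need a manual look); out-of-scope hosts are skipped."""
    affected, unparsed = [], []
    for rec in records:
        if not in_scan_scope(rec):
            continue
        try:
            if is_affected_version(rec.get("amt_version", "")):
                affected.append(rec["host"])
        except ValueError:
            unparsed.append(rec["host"])
    return affected, unparsed

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))  # (['ws01'], ['ws03'])
```

A version the tool reports in a different shape lands in the unparsed list rather than being silently treated as safe, which is the failure mode to watch for when summarising sensor output.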

How do you use Tanium to detect the Intel vulnerability?

Import the Intel-AMT content (Provided to Tanium customers by your TAM).

When using the MSI (installing new software is acceptable to the customer):

  1. Download the MSI from: https://downloadcenter.intel.com/download/26755
  2. Import the MSI into “Install Intel SA-00075 Discovery Tool MSI” package
  3. Note: the package is written to use the MSI file regardless of its name, so no field edits are needed. The file just needs the .msi extension, or the package will not work.
  4. Deploy the installer package “Install Intel SA-00075 Discovery Tool MSI” using the recommended targeting
    1. Get Online from all machines with ( Is Virtual = “No” and CPU containing “Intel” and Operating System containing “Windows” )
  5. Run the scan package: “Install Intel SA-00075 Discovery Tool Scan”
    1. Get Online from all machines with ( Is Virtual = “No” and CPU containing “Intel” and Operating System containing “Windows” )
  6. Go to the Intel AMT SA-00075 dashboard or run the sensors manually to get data.

When using the zip and original package (installing new software is NOT acceptable):

  1. Download the MSI from: https://downloadcenter.intel.com/download/26755
  2. Open a command prompt and change to the directory with the downloaded MSI
  3. To extract the files from the MSI run the following command but modify the path accordingly:
    1. “msiexec /a discoveryToolInstaller_1.0.1.39.msi /qb TARGETDIR=C:\Users\chris\Desktop\test\extracted\”
  4. Browse to the extracted contents folder (3 levels deep) to the sample path:
    1. C:\Users\chris\Desktop\test\extracted\PFiles\Intel\Intel-SA-00075 Discovery Tool\
  5. Select the Licenses and Windows folder, then add them to a zip file
  6. When using build 22 (1.0.0.0052-g3df15d8) or later, you can just add/replace the zip file in the original scan package named “Intel-SA-00075 Scan”
  7. Deploy the “Intel-SA-00075 Scan” package using the recommended targeting
    1. Get Online from all machines with ( Is Virtual = “No” and CPU containing “Intel” and Operating System containing “Windows” )
  8. Go to the Intel AMT SA-00075 dashboard or run the sensors manually to get data.

NOTE: This has been tested and validated with Intel SA-00075 Discovery Tool versions 1.0.1.6 and 1.0.1.39.



Note to Tanium customers: for additional information please contact your TAM.

(Editor’s Note: This blog post was updated on May 22 to reflect new guidelines.)