<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic AMT vulnerability in Intel vPro® Platform</title>
    <link>https://community.intel.com/t5/Intel-vPro-Platform/AMT-vulnerability/m-p/558124#M6479</link>
    <description>&lt;P&gt;I am looking to find some concrete information on what steps will need to be taken in order to mitigate the AMT vulnerability (CVE-2017-5689) in our environment and would appreciate any help/information that can be provided.&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;We have never provisioned Intel AMT. Does this mean we are not vulnerable, or does the existence of AMT in the BIOS automatically make a device vulnerable to exploit?&lt;/LI&gt;&lt;LI&gt;I do see the UNS and LMS services running on well over a hundred devices in our environment. Does any potential exploit target these services? Will simply disabling these services mitigate any vulnerability?&lt;/LI&gt;&lt;LI&gt;We have many devices that I am sure have AMT that appear not to have these services even installed. Are they vulnerable?&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;My goal is to not have to update the BIOS on 1500 or more systems, especially since we have never made use of AMT. If I can simply disable services on devices by script within Windows, and ignore devices that don't have the services, that is the ideal outcome.&lt;/P&gt;&lt;P&gt;Thank you for any help provided.&lt;/P&gt;&lt;P&gt;Sean&lt;/P&gt;</description>
    <pubDate>Tue, 23 Jan 2018 16:25:39 GMT</pubDate>
    <dc:creator>SBohl1</dc:creator>
    <dc:date>2018-01-23T16:25:39Z</dc:date>
    <item>
      <title>AMT vulnerability</title>
      <link>https://community.intel.com/t5/Intel-vPro-Platform/AMT-vulnerability/m-p/558124#M6479</link>
      <description>&lt;P&gt;I am looking to find some concrete information on what steps will need to be taken in order to mitigate the AMT vulnerability (CVE-2017-5689) in our environment and would appreciate any help/information that can be provided.&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;We have never provisioned Intel AMT. Does this mean we are not vulnerable, or does the existence of AMT in the BIOS automatically make a device vulnerable to exploit?&lt;/LI&gt;&lt;LI&gt;I do see the UNS and LMS services running on well over a hundred devices in our environment. Does any potential exploit target these services? Will simply disabling these services mitigate any vulnerability?&lt;/LI&gt;&lt;LI&gt;We have many devices that I am sure have AMT that appear not to have these services even installed. Are they vulnerable?&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;My goal is to not have to update the BIOS on 1500 or more systems, especially since we have never made use of AMT. If I can simply disable services on devices by script within Windows, and ignore devices that don't have the services, that is the ideal outcome.&lt;/P&gt;&lt;P&gt;Thank you for any help provided.&lt;/P&gt;&lt;P&gt;Sean&lt;/P&gt;</description>
      <pubDate>Tue, 23 Jan 2018 16:25:39 GMT</pubDate>
      <guid>https://community.intel.com/t5/Intel-vPro-Platform/AMT-vulnerability/m-p/558124#M6479</guid>
      <dc:creator>SBohl1</dc:creator>
      <dc:date>2018-01-23T16:25:39Z</dc:date>
    </item>
    <item>
      <title>Re: AMT vulnerability</title>
      <link>https://community.intel.com/t5/Intel-vPro-Platform/AMT-vulnerability/m-p/558125#M6480</link>
      <description>&lt;P&gt;As an update to this request for information, I found that even after running the mitigation tool against a device and taking the following three steps, unprovision (which it reported that it was never provisioned, as it should), disable client remote capabilities, and disable LMS services, and then re-running the discovery, the device is still being reported as vulnerable. Is the mitigation tool not intelligent enough to determine that mitigation steps have been taken, or is there still a problem?&lt;/P&gt;&lt;P&gt;Again, thank you for any assistance.&lt;/P&gt;&lt;P&gt;Sean&lt;/P&gt;</description>
      <pubDate>Wed, 24 Jan 2018 16:08:22 GMT</pubDate>
      <guid>https://community.intel.com/t5/Intel-vPro-Platform/AMT-vulnerability/m-p/558125#M6480</guid>
      <dc:creator>SBohl1</dc:creator>
      <dc:date>2018-01-24T16:08:22Z</dc:date>
    </item>
    <item>
      <title>Re: AMT vulnerability</title>
      <link>https://community.intel.com/t5/Intel-vPro-Platform/AMT-vulnerability/m-p/558126#M6481</link>
      <description>&lt;P&gt;Hi Sean,&lt;/P&gt;&lt;P&gt;My understanding from your post is that your goal is to not have to update the BIOS on 1500+ systems and that you have run the detection and mitigation tool for Intel SA-00075. While performing the mitigation steps will help, your systems will still be considered vulnerable (even when re-running the tool against mitigated systems) until the firmware update for SA-00075 has been applied.&lt;/P&gt;&lt;P&gt;I could not tell from your post if you use a central management tool in your environment, like SCCM. There are methods for performing queries of your environment to determine systems that are vulnerable and then create a task to update the firmware.&lt;/P&gt;&lt;P&gt;Referencing one post that might be helpful:&lt;/P&gt;&lt;P&gt;&lt;A href="https://communities.intel.com/thread/120105"&gt;https://communities.intel.com/thread/120105&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Please let me know if there is anything further I can assist with.&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Michael A&lt;/P&gt;&lt;P&gt;&lt;A href="https://downloadcenter.intel.com/download/26755"&gt;https://downloadcenter.intel.com/download/26755&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 26 Jan 2018 21:42:28 GMT</pubDate>
      <guid>https://community.intel.com/t5/Intel-vPro-Platform/AMT-vulnerability/m-p/558126#M6481</guid>
      <dc:creator>idata</dc:creator>
      <dc:date>2018-01-26T21:42:28Z</dc:date>
    </item>
    <item>
      <title>Re: AMT vulnerability</title>
      <link>https://community.intel.com/t5/Intel-vPro-Platform/AMT-vulnerability/m-p/558127#M6482</link>
      <description>&lt;P&gt;Hi Sean,&lt;/P&gt;&lt;P&gt;Checking to see if you had further questions.&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Michael&lt;/P&gt;</description>
      <pubDate>Thu, 01 Feb 2018 21:47:04 GMT</pubDate>
      <guid>https://community.intel.com/t5/Intel-vPro-Platform/AMT-vulnerability/m-p/558127#M6482</guid>
      <dc:creator>idata</dc:creator>
      <dc:date>2018-02-01T21:47:04Z</dc:date>
    </item>
  </channel>
</rss>

