ppara5
Valued Contributor I
1,421 Views

Are separate Intel gigabit NIC cards a solution to AMT vulnerability?

Assuming I have one of the affected boards (from the link below) and a vPro processor, does AMT still function if I add an Intel NIC PCI card?

I believe AMT does not function through a Realtek NIC card, but it'd be nice to know if an Intel NIC card does the same thing.

0 Kudos
4 Replies
idata
Community Manager
139 Views

Hello paramountain,

Thank you for contacting Intel Communities.

I recommend running the INTEL-SA-00075 Detection Guide (https://downloadcenter.intel.com/download/26755) to check whether your system is affected or not. For more information, please refer to Intel's newsroom (https://newsroom.intel.com/news/important-security-information-intel-manageability-firmware/), which refers to this document: INTEL-SA-00075 Mitigation Guide (https://downloadcenter.intel.com/download/26754).

Please also keep checking the thread you shared: Intel® Security Advisory regarding escalation of privilege vulnerability in Intel® Active Management Technology (AMT) (/message/472155#472155)

Best Regards,

JC

n_scott_pearson
Super User Retired Employee
139 Views

Well, presuming that I understand the issue fully, using an add-in NIC will prevent an external entity breaking into a provisioned AMT stack. This add-in NIC can be from any manufacturer; only the NIC built into the chipset (the PHY built into the PCH, in combination with a MAC IC on the baseboard) communicates with the ME and AMT. Going this route, however, will not prevent rogue software that somehow gets executed on your PC from taking over and provisioning your unprovisioned AMT stack. If you have AMT provisioned but use a separate NIC (effectively neutering AMT), you should, in theory (hedging my bets), be able to avoid both vulnerabilities. Obviously, getting corrected ME firmware is the better way to go and I hope Intel comes through with an updated firmware (BIOS) package for these boards.

...S

ppara5
Valued Contributor I
139 Views

As usual, you are a fountain of knowledge, thanks. You might be interested to read the Intel vPro response, reinforcing yours:

"If you add any additional LAN HW (does not matter which vendor or what bus) it will not support Intel AMT OOB."

https://communities.intel.com/thread/114211

It's interesting that any add-on NIC card -- any vendor, PCI or PCIe -- puts the kibosh on AMT, though I do appreciate the issue regarding an unprovisioned AMT stack. I don't think he was referring to an out-of-body experience, however. :-)

n_scott_pearson
Super User Retired Employee
139 Views

It doesn't put the kibosh on AMT; it just disconnects AMT from seeing any incoming packets on the LAN; that's what I mean by neutering.

...S
