Assuming I have one of the affected boards (from the link below) and a vPro processor, does AMT still function if I add an Intel NIC PCI card?
I believe AMT does not function through a Realtek NIC card, but it'd be nice to know if an Intel NIC card does the same thing.
Thank you for contacting Intel Communities.
I recommend running the INTEL-SA-00075 Detection Guide (https://downloadcenter.intel.com/download/26755) to check whether your system is affected or not. For more information please refer to Intel's newsroom (https://newsroom.intel.com/news/important-security-information-intel-manageability-firmware/), which refers to this document: INTEL-SA-00075 Mitigation Guide (https://downloadcenter.intel.com/download/26754).
Please also keep checking the thread you shared: Intel® Security Advisory regarding escalation of privilege vulnerability in Intel® Active Management Technology (AMT) (/message/472155#472155)
Well, presuming that I understand the issue fully, using an add-in NIC will prevent an external entity breaking into a provisioned AMT stack. This add-in NIC can be from any manufacturer; only the NIC built into the chipset (the PHY built into the PCH, in combination with a MAC IC on the baseboard) communicates with the ME and AMT. Going this route, however, will not prevent rogue software that somehow gets executed on your PC from taking over and provisioning your unprovisioned AMT stack. If you have AMT provisioned but use a separate NIC (effectively neutering AMT), you should, in theory (hedging my bets), be able to avoid both vulnerabilities. Obviously, getting corrected ME firmware is the better way to go and I hope Intel comes through with an updated firmware (BIOS) package for these boards.
As usual, you are a fountain of knowledge, thanks. You might be interested to read the Intel vPro response, reinforcing yours:
"If you add any additional LAN HW (does not matter which vendor or what bus) it will not support Intel AMT OOB."
It's interesting that any add-on NIC card -- any vendor, PCI or PCIe -- puts the kibosh on AMT, though I do appreciate the issue regarding an unprovisioned AMT stack. I don't think he was referring to an out-of-body experience, however. :-)
It doesn't put the kibosh on AMT; it just disconnects AMT from seeing any incoming packets on the LAN; that's what I mean by neutering.
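The thread's claim is that routing the machine's traffic through an add-in NIC leaves the AMT stack unable to see incoming LAN packets. A practitioner would want to verify that rather than take it on faith. The following is an added example, not code from the thread or from Intel: a small Python probe, run from a second machine on the same LAN against the address of the board in question, that reports whether any of the well-known AMT management TCP ports (16992/16993 for the AMT web interface over HTTP/HTTPS, 16994/16995 for redirection; these port numbers are general knowledge, not taken from the thread) accept a connection. After moving to the add-in NIC, all four should report closed; if any still answers, the AMT stack is still reachable. The target address and timeout are caller-supplied assumptions.

```python
import socket
import sys

# Well-known TCP ports served by a provisioned Intel AMT firmware stack.
# These values are general knowledge about AMT, not something stated in the thread.
AMT_TCP_PORTS = {
    16992: "AMT web interface / WS-Management (HTTP)",
    16993: "AMT web interface / WS-Management (HTTPS)",
    16994: "AMT redirection (SOL/IDE-R)",
    16995: "AMT redirection (SOL/IDE-R over TLS)",
}


def amt_port_open(host, port, timeout=1.0):
    """Return True if a TCP handshake to host:port completes within timeout.

    A refused or timed-out connection counts as closed; from the host's own
    point of view that is what a 'neutered' AMT stack should look like.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_amt(host, ports=None, timeout=1.0):
    """Probe each AMT port on host and return {port: is_open}."""
    ports = ports if ports is not None else AMT_TCP_PORTS
    return {port: amt_port_open(host, port, timeout) for port in ports}


def amt_reachable(results):
    """True if any probed AMT port accepted a connection."""
    return any(results.values())


def report(host, results):
    """Human-readable summary of a probe run."""
    lines = [f"AMT port probe against {host}:"]
    for port, is_open in sorted(results.items()):
        state = "OPEN" if is_open else "closed"
        lines.append(f"  {port:5d}  {state:6s}  {AMT_TCP_PORTS.get(port, '')}")
    verdict = ("AMT stack is reachable on this address"
               if amt_reachable(results)
               else "no AMT listener reachable on this address")
    lines.append(verdict)
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python amt_probe.py <ip-of-the-board-under-test>
    # Run this from ANOTHER machine on the LAN: the ME filters these ports in
    # front of the host OS, so probing from the board itself proves nothing.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder default
    print(report(target, probe_amt(target)))
```

The probe must be run from a separate machine: AMT intercepts traffic for these ports in the network path before the host operating system sees it, so a loopback check on the board itself says nothing about what the LAN can reach. A clean result (all four closed) after switching to the add-in NIC is consistent with the "disconnected from incoming packets" description in the thread; it does not change the point made above that locally executed software can still provision an unprovisioned stack, which only corrected ME firmware addresses.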