Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Are separate Intel gigabit NIC cards a solution to AMT vulnerability?

ppara5
Valued Contributor I

Assuming I have one of the affected boards (from the link below) and a vPro processor, does AMT still function if I disable onboard networking and add an Intel NIC card?

https://communities.intel.com/message/472155#472155

Would it make any difference if the card was PCI or PCIe? I wouldn't think so.

I believe AMT does not function through a Realtek NIC card. Please correct this assumption if I am in error.

And in case it's not obvious, I don't use AMT so disabling it would not present a problem.

1 Solution
Dariusz_W_Intel
Employee

Intel AMT requires a built-in Intel AMT-enabled LAN PHY (SKUs with -LM at the end of their description) (and/or AMT-enabled WiFi controller HW), as it provides the HW means for the OOB TCP/IP stack. If you add any additional LAN HW (does not matter which vendor or what bus) it will not support Intel AMT OOB.

Please note that, depending on configuration (Host VPN support and Home Domains), Intel AMT, when configured, may receive messages over interfaces other than the AMT interfaces when the OS is running. So the local vulnerability shall be disabled by blocking LMS services - see the Mitigation Guide published at https://downloadcenter.intel.com/download/26754 (INTEL-SA-00075 Mitigation Guide).

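A read-only way to check the host-side state that the answer above refers to, as an added example that is not part of the original thread or of Intel's Mitigation Guide: it reports whether the LMS service can run and whether anything on the host is listening on the AMT ports. The service name `LMS` and the port list are assumptions taken from general AMT documentation, not from the thread.

```powershell
# Added example (not from the thread): read-only audit of the local AMT path
# on a Windows host. Run from an elevated PowerShell prompt.
# Assumptions: service name "LMS" and the AMT port list are not stated in the thread.
$amtPorts = 16992, 16993, 16994, 16995, 623, 664

# 1. Is the LMS service installed, and is it able to start?
$lms = Get-CimInstance -ClassName Win32_Service -Filter "Name='LMS'"
if ($null -eq $lms) {
    $lmsStatus = 'not installed'
} else {
    $lmsStatus = '{0}, start mode {1}' -f $lms.State, $lms.StartMode
}

# LMS counts as blocked only if it is absent, or stopped AND unable to restart.
$lmsBlocked = ($null -eq $lms) -or
              ($lms.State -ne 'Running' -and $lms.StartMode -eq 'Disabled')

# 2. Is any process on the host listening on an AMT port?
$listeners = @(
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $amtPorts -contains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Process      = if ($proc) { $proc.ProcessName } else { "PID $($_.OwningProcess)" }
            }
        }
)

# 3. Summary, then the individual listeners (if any) for follow-up.
[pscustomobject]@{
    LmsService       = $lmsStatus
    LmsBlocked       = $lmsBlocked
    AmtPortListeners = $listeners.Count
} | Format-List

$listeners | Format-Table -AutoSize
```

This only inspects the running OS; it says nothing about the out-of-band path through the built-in AMT-enabled LAN PHY, which the OS cannot see.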

2 Replies
ppara5
Valued Contributor I

"If you add any additional LAN HW (does not matter which vendor or what bus) it will not support Intel AMT OOB."

Woo-hoo! This is what I hoped for. Thank you very much. Time to peruse the mitigation guide.
