Intel vPro® Platform
Intel Manageability Forum (Intel® EMA, AMT, SCS & Manageability Commander)

Are separate Intel gigabit NIC cards a solution to AMT vulnerability?

ppara5

Assuming I have one of the affected boards (from the link below) and a vPro processor, does AMT still function if I disable onboard networking and add an Intel NIC card?

https://communities.intel.com/message/472155#472155

Would it make any difference if the card was PCI or PCIe? I wouldn't think so.

I believe AMT does not function through a Realtek NIC card. Please correct this assumption if I am in error.

And in case it's not obvious, I don't use AMT so disabling it would not present a problem.

1 Solution
Dariusz_W_Intel
Employee

Intel AMT requires a built-in Intel AMT-enabled LAN PHY (SKUs with -LM at the end of their description) (and/or AMT-enabled WiFi controller HW), as it provides the HW means for the OOB TCP/IP stack. If you add any additional LAN HW (it does not matter which vendor or what bus), it will not support Intel AMT OOB.

Please note that, depending on configuration (Host VPN support and Home Domains), Intel AMT, when configured, may receive messages over interfaces other than the AMT interfaces when the OS is running. So the local vulnerability shall be disabled by blocking LMS services - see the INTEL-SA-00075 Mitigation Guide published at https://downloadcenter.intel.com/download/26754
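
A read-only check for the local exposure described in the answer above, as an added example that is not part of the original post or of Intel's guide: it reports whether the LMS service is installed and disabled, and whether anything on the host is listening on the AMT ports. The service short name `LMS` and the port list (16992-16995, 623, 664) are assumptions not stated in this thread; run it in an elevated PowerShell session on Windows 8 / Server 2012 or later.

```powershell
# Added example: audit local AMT exposure (LMS service state + local AMT listeners).
# Assumptions (not from the thread): service short name "LMS", standard AMT ports below.
$AmtPorts = 16992, 16993, 16994, 16995, 623, 664

function Get-LmsState {
    # Win32_Service exposes both the current state and the configured start mode.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='LMS'" -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Installed = $false; State = 'NotInstalled'; StartMode = 'n/a'; Path = $null }
    }
    [pscustomobject]@{
        Installed = $true
        State     = $svc.State       # Running / Stopped
        StartMode = $svc.StartMode   # Auto / Manual / Disabled
        Path      = $svc.PathName
    }
}

function Get-AmtListeners {
    # Any process listening on an AMT port in the host OS means local traffic can still be relayed.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $AmtPorts -contains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Address = $_.LocalAddress
                Port    = $_.LocalPort
                Process = $proc.ProcessName
            }
        }
}

$lms       = Get-LmsState
$listeners = @(Get-AmtListeners)

$lms | Format-List
$listeners | Format-Table -AutoSize

if ($lms.Installed -and ($lms.State -eq 'Running' -or $lms.StartMode -ne 'Disabled')) {
    Write-Warning "LMS is installed and not disabled (State=$($lms.State), StartMode=$($lms.StartMode)); follow the mitigation guide."
} elseif ($listeners.Count -gt 0) {
    Write-Warning "LMS is disabled or absent, but $($listeners.Count) listener(s) remain on AMT ports; identify the owning process."
} else {
    Write-Output "No running LMS service and no local listeners on AMT ports were found."
}
```

A clean result here covers only the in-OS path through LMS; it says nothing about the out-of-band path through the onboard AMT-capable LAN or WiFi controller.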

ppara5

"If you add any additional LAN HW (does not matter which vendor or what bus) it will not support Intel AMT OOB."

Woo-hoo! This is what I hoped for. Thank you very much. Time to peruse the mitigation guide.
