ppara5
Valued Contributor I
1,870 Views

Are separate Intel gigabit NIC cards a solution to AMT vulnerability?


Assuming I have one of the affected boards (from the link below) and a vPro processor, does AMT still function if I disable onboard networking and add an Intel NIC card?

https://communities.intel.com/message/472155#472155

Would it make any difference if the card was PCI or PCIe? I wouldn't think so.

I believe AMT does not function through a Realtek NIC card. Please correct this assumption if I am in error.

And in case it's not obvious, I don't use AMT so disabling it would not present a problem.


2 Replies
Dariusz_W_Intel
Employee
605 Views

Intel AMT requires a built-in Intel AMT enabled LAN PHY (SKUs with -LM at the end of their description) (and/or AMT enabled WiFi Controller HW) as it provides the HW means for the OOB TCP/IP stack. If you add any additional LAN HW (does not matter which vendor or what bus) it will not support Intel AMT OOB.

Please note that depending on configuration (Host VPN support and Home Domains) Intel AMT, when configured, may receive messages over interfaces other than AMT interfaces when the OS is running. So the local vulnerability shall be disabled by blocking LMS services - see the INTEL-SA-00075 Mitigation Guide published at https://downloadcenter.intel.com/download/26754
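A way to audit the local exposure this answer describes on a Windows host, as an added PowerShell example that is not part of the original post or of Intel's Mitigation Guide. It assumes the service is registered under the name `LMS`; the port list is the set of IANA-registered AMT/ASF management ports and the `-Disable` switch is a name chosen for this example, neither of which comes from the thread.

```powershell
# Added example: report the state of the Intel LMS service and any local
# listeners on AMT ports; with -Disable, stop LMS and prevent it from starting.
param([switch]$Disable)   # hypothetical switch name; needs an elevated session

# IANA-registered AMT/ASF management ports (assumption: not listed in the thread).
$amtPorts = 623, 664, 16992, 16993, 16994, 16995

function Get-LmsState {
    # Win32_Service exposes State and StartMode together; returns nothing if LMS is absent.
    Get-CimInstance -ClassName Win32_Service -Filter "Name='LMS'" |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

function Get-AmtListeners {
    # Local TCP listeners on the AMT ports, with the owning process name.
    # Get-NetTCPConnection requires Windows 8 / Server 2012 or later.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $amtPorts -contains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Process      = $proc.ProcessName
            }
        }
}

$lms = Get-LmsState
if (-not $lms) {
    Write-Output 'LMS service is not installed.'
} else {
    $lms | Format-List
    if ($Disable) {
        Stop-Service -Name LMS -Force -ErrorAction Stop
        Set-Service  -Name LMS -StartupType Disabled
        Get-LmsState | Format-List   # confirm State=Stopped, StartMode=Disabled
    }
}

$listeners = @(Get-AmtListeners)
if ($listeners.Count -eq 0) {
    Write-Output 'No local listeners on AMT ports.'
} else {
    $listeners | Format-Table -AutoSize
}
```

Run it once without `-Disable` to record the current state, then again with it from an elevated prompt; a listener that remains after LMS is stopped is worth checking against the Mitigation Guide.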


ppara5
Valued Contributor I
604 Views

"If you add any additional LAN HW (does not matter which vendor or what bus) it will not support Intel AMT OOB."

Woo-hoo! This is what I hoped for. Thank you very much. Time to peruse the mitigation guide.
