LL4
Beginner
1,101 Views

Intel AMT - quick temporary fix until new BIOS release ?

My quick temporary fix regarding CVE-2017-5689 vulnerability until you can apply a new BIOS update:

Change default admin name account to something random, do not create another admin account:

Is this approach viable if the admin account name is unknown to the attacker?

Update 7-05-2017:

This method was confirmed by other professionals to be effective for protecting your computer from remote AMT login !

Renaming default admin name account to something random will protect your computer with AMT active only from other host accessing your AMT computer by LAN or WAN.

It will NOT protect you from login/attack via local interface with LMS access !!!

It is best to use AMT with TLS so connection and traffic will be encrypted and admin name account can't be sniffed !

 

Remember you are still vulnerable from attack via local interface LMS access !!!

If you are looking for 100% protection then follow the Intel advisory and unprovision and disable AMT!

 

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

Message was edited by: Lucian L.

0 Kudos
2 Replies
RCarc
Beginner
140 Views

I just set up the following in a domain-logon script to disable and/or delete files as suggested in the INTEL-SA-00075 Mitigation Guide. Can someone confirm whether this fix will be enough until we can apply the announced manufacturers' BIOS patches?

Thanks a lot, Rosario

REM disable Intel AMT and LMS for security reasons
REM note: sc requires a space after "start="
sc config LMS start= disabled
sc config jhi_service start= disabled
rem sc delete LMS
rem sc delete jhi_service
rem erase /f /s /q "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe"
rem erase /f /s /q "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe"
rem or everything in there
rem erase /f /s /q "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\*.*"
rem check back and write into log files:
netstat -na | findstr "\<16993\> \<16992\> \<16994\> \<16995\> \<623\> \<664\>" >> c:\temp\intelLMS.log
start c:\windows\IntelLMS\Intel-SA-00075-console.exe -f -p c:\temp\

RCarc
Beginner
140 Views

Sorry, I forgot to stop the services before deleting them and checking back, so I am adding:

sc stop LMS

sc stop jhi_service
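A stricter read of the c:\temp\intelLMS.log file written by the logon script above, as an added example that is not part of the original posts: findstr keeps every netstat row that contains one of the port numbers, including rows where the port is only the remote end of a connection, so this Python check counts only local TCP listeners. The function name and the sample rows are constructed for illustration.

```python
import re

# Ports taken from the findstr pattern in the logon script on this page.
AMT_PORTS = {623, 664, 16992, 16993, 16994, 16995}

# One "netstat -na" row: proto, local addr:port, foreign addr:port, optional state.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")

def listening_amt_ports(log_text):
    """Return the sorted AMT ports that have a local TCP listener in log_text.

    Rows where the port number appears only as the foreign port, or where the
    state is not LISTENING (ESTABLISHED, TIME_WAIT, ...), are ignored.
    """
    found = set()
    for line in log_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # blank line or something that is not a netstat row
        proto, _laddr, lport, _faddr, _fport, state = m.groups()
        if proto == "TCP" and state == "LISTENING" and int(lport) in AMT_PORTS:
            found.add(int(lport))
    return sorted(found)

# Constructed sample: log content from a host where LMS is still running.
SAMPLE_BEFORE = """\
  TCP    0.0.0.0:16992          0.0.0.0:0              LISTENING
  TCP    [::]:16992             [::]:0                 LISTENING
  TCP    0.0.0.0:623            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49731     192.168.1.9:16992      ESTABLISHED
"""

# Constructed sample: services stopped; findstr still matches an outbound
# connection to another machine's port 16992, which is not a local listener.
SAMPLE_AFTER = """\
  TCP    192.168.1.20:49731     192.168.1.9:16992      TIME_WAIT
"""

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        ports = listening_amt_ports(text)
        print(name, "->", ports if ports else "no local AMT listeners")
```

Because the script appends with `>>`, a log collected over several logons mixes old and new rows; run the check on the rows from the latest logon only.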
