CVE-2017-5689
AttackerKB AKB:5355349E-B12C-4352-8564-6886EE50CE60
Published: May 02, 2017 - 12:00 a.m.
Source: attackerkb.com

CVSS2: 10 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.974 High
  Percentile: 99.9%

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM). An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT).

Recent assessments:

theguly at March 02, 2020 9:30am UTC reported:

as stated on CVE Details, this vulnerability lets an attacker bypass authentication on AMT and reach the web panel as admin.

at first glance this vulnerability doesn't look that useful, because – at least from my tests – by bypassing authentication you can:

  • reboot/shutdown/poweron the host

  • boot from alternative devices, for example PXE

  • other "useless" stuff

and if in theory running a live system to access the original host filesystem to exfiltrate hashes/data could be awesome, I've seen no engagement where you can actually reboot a box without heavy issues from the owner. because AMT also works when the host is shut down, it could be interesting to power on an inactive host and take full control of it, but we have another option:
(un)fortunately, AMT also lets a user access it using KVM, so an attacker can use (or leech at) a running interactive session.

the bypass is very easy, just specify response="" in the Authorization header, and it can also be automated on any intercepting proxy like burp or zap, so you could route all your traffic to burp and have the auth bypass

what I've tested so far is this blog post, to set up a KVM connection from linux:
<https://www.cyberciti.biz/faq/remotely-access-intel-amt-kvm-linux-desktop/>
and this awesome opensource client:
<https://www.meshcommander.com/meshcommander>

unfortunately, the engagement's time didn't let me finish my test.

for a quick vulnerability check:
<https://www.exploit-db.com/exploits/43385>

Assessed Attacker Value: 4
Assessed Attacker Value: 5
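A defensive check for the pattern the assessment above describes, added here as an example that is not part of the original post or of AttackerKB: it parses HTTP Digest `Authorization` values and flags requests whose `response` field is empty, which is what a reverse proxy or log monitor in front of the AMT web interface should reject or alert on. The tab-separated log format, the sample lines and the function names (`parse_digest_header`, `is_empty_response_auth`, `find_empty_response_auth`) are my own constructions.

```python
import re
from typing import Dict, List, Tuple

# One key=value pair of a Digest header: either key="quoted" or key=token.
_PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_digest_header(value: str) -> Dict[str, str]:
    """Parse a 'Digest ...' Authorization value; empty dict for other schemes."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        return {}
    out: Dict[str, str] = {}
    for m in _PAIR_RE.finditer(params):
        # group(2) is the quoted form, group(3) the bare-token form.
        out[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def is_empty_response_auth(header_value: str) -> bool:
    """True when a Digest header carries an empty response digest (response="").
    A real client sends a hex digest; an empty one is the CVE-2017-5689 bypass pattern."""
    params = parse_digest_header(header_value)
    return "response" in params and params["response"] == ""


# Constructed sample access-log lines (tab-separated): src_ip, request, status,
# Authorization header ('-' when absent). These are not real captures.
SAMPLE_LOG = [
    '10.0.0.5\tGET /index.htm\t200\tDigest username="admin", realm="Digest:1A2B", nonce="n1", uri="/index.htm", response=""',
    '10.0.0.6\tGET /index.htm\t200\tDigest username="admin", realm="Digest:1A2B", nonce="n2", uri="/index.htm", response="0123456789abcdef0123456789abcdef"',
    '10.0.0.7\tGET /logon.htm\t401\t-',
    '10.0.0.5\tGET /hw-sys.htm\t200\tdigest username="admin", realm="Digest:1A2B", nonce="n3", uri="/hw-sys.htm", response=',
]


def find_empty_response_auth(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(src_ip, request, status) for lines whose Digest auth has no response digest.
    A 200 beside an empty response means the bypass was accepted, a 401 that it was refused."""
    hits = []
    for line in lines:
        fields = line.split("\t")
        if len(fields) >= 4 and is_empty_response_auth(fields[3]):
            hits.append((fields[0], fields[1], fields[2]))
    return hits
```

On the constructed lines, `find_empty_response_auth(SAMPLE_LOG)` returns the two requests from 10.0.0.5, both answered with 200, i.e. accepted logins with no credential at all; the lower-case `digest` scheme and the unquoted `response=` form are handled as well.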
