How to check whether AMT is enabled and provisioned under Linux

How do I check whether Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM) are enabled or disabled under Linux using the command line for the CVE-2017-5689 vulnerability?

The CVE-2017-5689 vulnerability is defined as:


An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM). An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT).

You can find out whether AMT is enabled and provisioned under Linux using the following methods.

How to check whether AMT is enabled and provisioned under Linux

There are two methods. Let us see both of them one-by-one:

Method #1: mei-amt-check tool

Use the mei-amt-check tool. It is a simple tool that tells you whether AMT is enabled and provisioned on Linux systems. It requires that the mei_me driver (part of the upstream kernel) be loaded.

Installation

Clone the repo using the git command:
$ git clone https://github.com/mjg59/mei-amt-check.git
Sample outputs:

Cloning into 'mei-amt-check'...
remote: Counting objects: 15, done.
remote: Compressing objects: 100% (10/10), done.
remote: Total 15 (delta 5), reused 15 (delta 5), pack-reused 0
Unpacking objects: 100% (15/15), done.

To build it, run:
$ cd mei-amt-check
$ make
$ ls

LICENSE  Makefile  mei-amt-check  mei-amt-check.c  README.md

Test it

Just type the following command:
$ sudo ./mei-amt-check
Sample outputs:

Fig.01: Intel AMT ENABLED


The above output indicates that AMT is enabled and it is not vulnerable to CVE-2017-5689. Here is another output:
$ sudo ./mei-amt-check
Sample outputs:

AMT present: true
AMT provisioning state: provisioned
Flash:	9.1.42
Netstack:	9.1.42
AMTApps:	9.1.42
AMT:	9.1.42
Sku:	8
VendorID:	8086
Build Number:	3002
Recovery Version:	9.1.42
Recovery Build Num:	3002
Legacy Mode:	False

If run on a Linux system with no AMT, output will look like:

Intel AMT: DISABLED

If AMT is enabled and provisioned, output will look like:

Fig.02: AMT enabled with Linux driver loaded


If AMT is enabled and provisioned and the AMT version is between 6.0 and 11.2, and you have not upgraded your firmware, you are vulnerable to CVE-2017-5689. Disable AMT in your system firmware.
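The rule above, applied to saved mei-amt-check output, as an added shell example (not part of mei-amt-check or the original article). The function name amt_triage and its status words are assumptions, the 6.0 to 11.2 range is treated as inclusive, and the sample input is constructed from the output shown earlier.

```shell
#!/bin/sh
# Added example: triage mei-amt-check output for CVE-2017-5689.
# amt_triage (hypothetical name) reads the tool's text output on stdin and
# prints one status word:
#   no-amt           tool reported "Intel AMT: DISABLED"
#   not-provisioned  AMT present, provisioning state is not "provisioned"
#   out-of-range     provisioned, AMT version outside 6.0 .. 11.2
#   check-firmware   provisioned and in range: vulnerable unless firmware was upgraded
#   unknown          output did not contain the expected fields
amt_triage() {
    awk '
        /^Intel AMT: DISABLED/     { disabled = 1 }
        /^AMT present:/            { present = $3 }
        /^AMT provisioning state:/ { sub(/^AMT provisioning state:[ \t]*/, ""); state = $0 }
        /^AMT:/                    { ver = $2 }   # "AMT:<tab>9.1.42"; "AMTApps:" does not match
        END {
            if (disabled) { print "no-amt"; exit }
            if (present != "true" || ver !~ /^[0-9]+\.[0-9]+/) { print "unknown"; exit }
            if (state != "provisioned") { print "not-provisioned"; exit }
            split(ver, v, ".")
            major = v[1] + 0; minor = v[2] + 0
            # Range from the article, treated as inclusive (assumption).
            if ((major >= 6 && major <= 10) || (major == 11 && minor <= 2))
                print "check-firmware"
            else
                print "out-of-range"
        }'
}

# Constructed sample: the provisioned output shown earlier in the article.
sample_output() {
    printf 'AMT present: true\nAMT provisioning state: provisioned\n'
    printf 'Flash:\t9.1.42\nNetstack:\t9.1.42\nAMTApps:\t9.1.42\nAMT:\t9.1.42\n'
    printf 'Sku:\t8\nVendorID:\t8086\nBuild Number:\t3002\n'
}

# On a real host: sudo ./mei-amt-check | amt_triage
sample_output | amt_triage   # prints: check-firmware
```

A check-firmware result means the version alone cannot clear the host; compare the reported version and build number against your vendor's fixed firmware release.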

Method #2: Use nmap

Download the script as follows using the wget command or curl command:
$ wget https://svn.nmap.org/nmap/scripts/http-vuln-cve2017-5689.nse
Run the nmap command as follows to test 192.168.2.5:
$ nmap -p 16992 --script http-vuln-cve2017-5689 192.168.2.5
Sample outputs:

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-14 22:39 IST
Nmap scan report for dellm6700 (192.168.2.15)
Host is up (0.00041s latency).
PORT      STATE    SERVICE
16992/tcp filtered amt-soap-http

Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds

Make sure you update your BIOS to fix the issue. Here is another scan that checks the HTTPS port too:
$ nmap -p 16992,16993 --script http-vuln-cve2017-5689 192.168.2.87
Sample outputs:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-11 19:18 IST
Nmap scan report for 192.168.2.87
Host is up (0.0039s latency).

PORT      STATE SERVICE
16992/tcp open  amt-soap-http
16993/tcp open  amt-soap-https
MAC Address: 54:B2:03:09:15:88 (Pegatron)

Nmap done: 1 IP address (1 host up) scanned in 8.40 seconds

One can visit the URLs as follows:
http://intel-amt-ip:16992/
https://intel-amt-ip:16993/

Intel Active Management Technology [AMT] web interface

Intel AMT allows sysadmins to remotely manage and repair PCs, workstations, and entry servers even if they are powered off.

Conclusion

You learned how to check whether AMT is enabled or not under Linux using various command line options.
