The CVE-2017-5689 vulnerability is defined as:
An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM). An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT).
You can find out whether AMT is enabled and provisioned under Linux using the following methods.
How to check whether AMT is enabled and provisioned under Linux
There are two methods. Let us see both of them one-by-one:
Method #1: mei-amt-check tool
Use the mei-amt-check tool. It is a simple tool that tells you whether AMT is enabled and provisioned on Linux systems. It requires that the mei_me driver (part of the upstream kernel) be loaded.
Clone the repo using the git command:
$ git clone https://github.com/mjg59/mei-amt-check.git
Cloning into 'mei-amt-check'...
remote: Counting objects: 15, done.
remote: Compressing objects: 100% (10/10), done.
remote: Total 15 (delta 5), reused 15 (delta 5), pack-reused 0
Unpacking objects: 100% (15/15), done.
To build it, run:
$ cd mei-amt-check
$ make
$ ls
LICENSE Makefile mei-amt-check mei-amt-check.c README.md
Just type the following command:
$ sudo ./mei-amt-check
The above output indicates that AMT is enabled and that it is not vulnerable to CVE-2017-5689. Here is another output:
AMT present: true
AMT provisioning state: provisioned
Flash: 9.1.42
Netstack: 9.1.42
AMTApps: 9.1.42
AMT: 9.1.42
Sku: 8
VendorID: 8086
Build Number: 3002
Recovery Version: 9.1.42
Recovery Build Num: 3002
Legacy Mode: False
If run on a Linux system with no AMT, output will look like:
Intel AMT: DISABLED
If AMT is enabled and provisioned, output will look like:
If AMT is enabled and provisioned and the AMT version is between 6.0 and 11.2, and you have not upgraded your firmware, you are vulnerable to CVE-2017-5689. Disable AMT in your system firmware.
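The rule above can be applied mechanically to the tool's output. The following shell function is an added example, not part of mei-amt-check or the original article; it reads the output on stdin and prints one verdict. Assumptions: the function name and verdict strings are hypothetical, the version range is the one this page gives (6.0 to 11.2), and the "four-digit build number starting with 3 means fixed firmware" rule comes from Intel's SA-00075 guidance rather than from this page.

```shell
#!/bin/sh
# Added example (not from the original article or the mei-amt-check project).
# Usage: sudo ./mei-amt-check | amt_verdict
# Verdicts (hypothetical names):
#   no-amt                   no "AMT present: true" line in the output
#   not-provisioned          AMT present, provisioning state is not "provisioned"
#   outside-page-range       version is outside the 6.0 - 11.2 range this page gives
#   in-range-fixed-build     in range, build number looks like 3XXX
#                            (assumption: Intel SA-00075 rule for fixed firmware)
#   in-range-check-firmware  in range, build number does not look fixed
amt_verdict() {
    awk -F': *' '
        { sub(/[ \t\r]+$/, "") }                  # drop trailing whitespace / CR
        /^AMT present:/            { present = $2 }
        /^AMT provisioning state:/ { state   = $2 }
        /^AMT:/                    { version = $2 }  # "AMT:" only, not "AMTApps:"
        /^Build Number:/           { build   = $2 }
        END {
            if (present != "true")      { print "no-amt"; exit }
            if (state != "provisioned") { print "not-provisioned"; exit }
            split(version, v, ".")
            major = v[1] + 0; minor = v[2] + 0
            # Range as stated on this page: 6.0 <= version <= 11.2
            in_range = (major >= 6) && (major < 11 || (major == 11 && minor <= 2))
            if (!in_range)                    { print "outside-page-range"; exit }
            if (build ~ /^3[0-9][0-9][0-9]$/) { print "in-range-fixed-build"; exit }
            print "in-range-check-firmware"
        }'
}
```

A verdict of in-range-check-firmware is the case the paragraph above describes: disable AMT in the system firmware or install the vendor's firmware update.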
Method #2: Use nmap
Download the script using the wget command or curl command as follows:
$ wget https://svn.nmap.org/nmap/scripts/http-vuln-cve2017-5689.nse
Run nmap command as follows to test 192.168.2.5:
$ nmap -p 16992 --script http-vuln-cve2017-5689 192.168.2.5
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-14 22:39 IST
Nmap scan report for dellm6700 (192.168.2.15)
Host is up (0.00041s latency).
PORT      STATE    SERVICE
16992/tcp filtered amt-soap-http

Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds
Make sure you update your BIOS to fix the issue. Here is another output from a scan that checks the HTTPS port too:
$ nmap -p 16992,16993 --script http-vuln-cve2017-5689 192.168.2.87
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-11 19:18 IST
Nmap scan report for 192.168.2.87
Host is up (0.0039s latency).

PORT      STATE SERVICE
16992/tcp open  amt-soap-http
16993/tcp open  amt-soap-https
MAC Address: 54:B2:03:09:15:88 (Pegatron)

Nmap done: 1 IP address (1 host up) scanned in 8.40 seconds
One can visit URLs as follows:
You learned how to check whether AMT is enabled or not under Linux using various command line options.