Intel Active Management Technology (AMT) is hardware and firmware for remote out-of-band management of personal computers, in order to monitor, maintain, update, upgrade, and repair them. Out-of-band (OOB) or hardware-based management is different from software-based (or in-band) management and from software management agents.
Hardware-based management works at a different level from software applications, and uses a communication channel (through the TCP/IP stack) that is different from software-based communication (which goes through the software stack in the operating system). Hardware-based management does not depend on the presence of an OS or of a locally installed management agent. Hardware-based management has been available on Intel/AMD-based computers in the past, but it has largely been limited to auto-configuration using DHCP or BOOTP for dynamic IP address allocation and diskless workstations, as well as wake-on-LAN (WOL) for remotely powering on systems. AMT is not intended to be used by itself; it is intended to be used with a software management application. It gives a management application (and thus the system administrator who uses it) access to the PC down the wire, in order to remotely perform tasks that are difficult or sometimes impossible when working on a PC that does not have remote functionality built into it.
AMT is designed into a secondary (service) processor located on the motherboard, and uses TLS-secured communication and strong encryption to provide additional security. AMT is built into PCs with Intel vPro technology and is based on the Intel Management Engine (ME). AMT has moved towards increasing support for the DMTF Desktop and mobile Architecture for System Hardware (DASH) standards, and AMT Release 5.1 and later releases are an implementation of the DASH version 1.0/1.1 standards for out-of-band management. AMT provides functionality similar to IPMI, although AMT is designed for client computing systems as compared with the typically server-based IPMI.
Currently, AMT is available in desktops, servers, ultrabooks, tablets, and laptops with the Intel Core vPro processor family, including the Intel Core i5, i7, and Intel Xeon E3-1200 product families.
Intel confirmed a Remote Elevation of Privilege bug (CVE-2017-5689, SA-00075) in its Management Technology on May 1, 2017. Every Intel platform with either Intel Standard Manageability, Active Management Technology, or Small Business Technology, from Nehalem in 2008 to Kaby Lake in 2017, has a remotely exploitable security hole in the ME. Some manufacturers, such as Purism and System76, already sell hardware with the Intel Management Engine disabled to prevent remote exploits. Additional major security flaws in the ME affect a large number of computers incorporating Management Engine, Trusted Execution Engine, and Server Platform Services firmware, from Skylake in 2015 to Coffee Lake in 2017, as confirmed by Intel on November 20, 2017 (SA-00086).
Non-free access to features
Although iAMT may be included for free in devices sold to the public and to small businesses, the full capabilities of iAMT, including encrypted remote access via a public key certificate and automatic remote device provisioning of unconfigured iAMT clients, are not accessible for free to the general public or to the direct owners of iAMT-equipped devices. iAMT cannot be fully utilized to its maximum potential without purchasing additional software or management services from Intel or from an independent software vendor (ISV) or value-added reseller (VAR).
Intel itself provides a developer software package that allows basic access to iAMT, but it is not intended for normal use of the technology. Only the basic access mode is supported, without full access to the encrypted communication of a complete purchased management system.
Features
Intel AMT includes hardware-based remote management, security, power management, and remote configuration features that allow independent remote access to AMT-enabled PCs. Intel AMT is a security and management technology built into PCs with Intel vPro technology.
Intel AMT uses an out-of-band (OOB) hardware-based communication channel that operates regardless of the state of the operating system. The communication channel is independent of the PC's power state, the presence of a management agent, and the state of many hardware components such as hard disk drives and memory.
Most AMT features are available OOB, regardless of the PC's power state. Other features require the PC to be powered on (such as console redirection via serial over LAN (SOL), agent presence checking, and network traffic filtering). Intel AMT has remote power-up capability.
Hardware-based features can be combined with scripting to automate maintenance and service.
Device-based AMT features on laptops and desktop PCs include:
- An encrypted and remote communication channel for network traffic between the IT console and Intel AMT.
- The ability for a wired PC (physically connected to a network) outside the corporate firewall on an open LAN to establish a secure communications tunnel (via AMT) back to the IT console. Examples of open LANs include wired laptops at home or on the
- Agent presence checking, via hardware-based, policy-based programmable timers. A "miss" generates an event; this can also generate an alert.
- OOB alerting.
- Persistent event logs, stored in protected memory (not on the hard drive).
- Access (preboot) to the PC's universally unique identifier (UUID).
- Access (preboot) to hardware asset information, such as a component's manufacturer and model, which is updated every time the system goes through power-on self-test (POST).
- Access (preboot) to third-party data storage (TPDS), a protected memory area that software vendors can use, in which version information, .DAT files, and other information can be stored.
- Remote configuration options, including certificate-based remote configuration, USB key configuration (light touch), and manual configuration.
- Protected Audio/Video Path for DRM-protected media playback protection.
Laptops with AMT also include wireless technology:
- Support for IEEE 802.11 a/g/n wireless protocol
- Cisco compatible extensions for Voice over WLAN
History
Software updates provide upgrades to the next minor version of Intel AMT. New major releases of Intel AMT are built into a new chipset, and are updated through new hardware.
Applications
Almost all AMT features are available even if the PC is powered off but with its power cord attached, if the operating system has crashed, if the software agent is missing, or if hardware (such as a hard drive or memory) has failed. The console-redirection (SOL) feature, agent presence checking, and network traffic filtering are available once the PC is powered on.
Intel AMT supports these management tasks:
- Remotely power up, power down, power cycle, and power reset the computer.
- Remotely boot the PC by remotely redirecting the PC's boot process, causing it to boot from a different image, such as a network share, bootable CD-ROM or DVD, remediation drive, or other boot device. This feature supports remote booting of a PC that has a corrupted or missing OS.
- Remotely redirect the system's I/O via console redirection through serial over LAN (SOL). This feature supports remote troubleshooting, remote repair, software upgrades, and similar processes.
- Remotely access and change BIOS settings. This feature is available even if PC power is off, the OS is down, or hardware has failed. This feature is intended to allow remote updates and corrections of configuration settings. This feature supports full BIOS updates, not just changes to specific settings.
- Filter network traffic. On laptops and desktop PCs, this feature allows a sys-admin to define events that may indicate an inbound or outbound threat in a network packet header. On desktop PCs, this feature also supports detection of known and/or unknown threats (including slow- and fast-moving computer worms) in network traffic via time-based, heuristic-based filters. Network traffic is checked before it reaches the OS, so it is also checked before the OS and software applications load, and after they shut down (traditionally vulnerable periods for PCs).
- Isolate or restrict network traffic to and from a system suspected of being infected or compromised by computer viruses, computer worms, or other threats. This feature uses Intel AMT hardware-based isolation circuitry that can be triggered manually (remotely, by the sys-admin) or automatically, based on IT policy (a specific event).
- Manage hardware packet filters in the on-board network adapter.
- Automatically send OOB communication to the IT console when a critical software agent misses its assigned check-in with the programmable, policy-based hardware-based timer. A "miss" indicates a potential problem. This feature can be combined with OOB alerting so that the IT console is notified only when a potential problem occurs (this helps keep the network from being flooded by unnecessary "positive" event notifications).
- Receive Platform Event Trap (PET) events out-of-band from the AMT subsystem (for example, an event indicating that the OS is hung or crashed, or that a password attack has been attempted). An alert can be issued on an event (such as falling out of compliance, in combination with agent presence checking) or on a threshold (such as reaching a particular fan speed).
- Access persistent event logs, stored in protected memory. Event logs are available OOB, even if the OS is down or hardware has failed.
- Discover the AMT system independently of the PC's power state or OS state. Discovery (preboot access to the UUID) is available if the system is powered down, its OS is compromised or down, hardware (such as a hard drive or memory) has failed, or the management agent is missing.
- Perform a software inventory or access information about software on the PC. This feature allows a third-party software vendor to store software asset or version information for local applications in Intel AMT's protected memory. (This is the protected third-party data store, which is different from the protected AMT memory for hardware component information and other system information.) The third-party data store is accessible OOB by the sys-admin. For example, an antivirus program could store version information in the protected memory available for third-party data. A computer script could use this feature to identify PCs that need to be updated.
- Perform a hardware inventory by uploading the remote PC's hardware asset list (platform, baseboard management controller, BIOS, processor, memory, disks, portable batteries, field replaceable units, and other information). Hardware asset information is updated every time the system goes through POST (power-on self-test).
From major version 6, Intel AMT embeds a proprietary VNC server, for out-of-band access using VNC-compatible viewer technology, and has full KVM (keyboard, video, mouse) capability throughout the power cycle - including uninterrupted control of the desktop while an operating system boots. Clients such as VNC Viewer Plus from RealVNC also provide additional functionality that may make it easier to perform (and watch) certain Intel AMT operations, such as powering the computer on and off, configuring the BIOS, and mounting a remote image (IDER).
Provisioning and integration
AMT supports certificate-based or PSK-based remote provisioning (full remote deployment), USB key-based provisioning ("one-touch" provisioning), manual provisioning, and provisioning using an agent on the local host ("Host Based Provisioning"). OEMs can also pre-provision AMT.
The current version of AMT supports remote deployment on both laptops and desktop PCs. (Remote deployment was one of the major features missing from earlier versions of AMT and which delayed acceptance of AMT in the market.) Remote deployment, until recently, was only possible within a corporate network. Remote deployment lets a sys-admin deploy PCs without "touching" the systems physically. It also allows a sys-admin to delay deployment and put PCs into use for a period of time before making AMT features available to the IT console. As delivery and deployment models evolve, AMT can now be deployed over the Internet, using both "Zero-Touch" and Host-Based methods.
PCs can be sold with AMT enabled or disabled. The OEM determines whether to ship AMT with the capabilities ready for setup (enabled) or disabled. The setup and configuration process may vary depending on the OEM build.
AMT includes a Privacy Icon application, called IMSS, that notifies the system's user if AMT is enabled. It is up to the OEM to decide whether to display the icon or not.
AMT supports different methods for disabling the management and security technology, as well as different methods for re-enabling it.
AMT can be partially unprovisioned using Configuration Settings, or fully unprovisioned by erasing all configuration settings, security credentials, and operational/network settings. A partial unprovisioning leaves the PC in the setup state. In this state, the PC can self-initiate its automated remote configuration process. A full unprovisioning erases the configuration profile as well as the security credentials and operational/network settings required to communicate with the Intel Management Engine. A full unprovisioning returns Intel AMT to its factory default state.
After AMT has been disabled, to enable AMT again, an authorized sys-admin can re-establish the security credentials required to perform remote configuration by either:
- Using the remote configuration process (fully automated, remote configuration via certificates and keys).
- Physically accessing the PC to restore the security credentials, either by USB key or by entering the credentials and MEBx parameters manually.
There is a way to completely reset AMT and return it to factory defaults. This can be done in two ways:
- Setting the appropriate value in the BIOS.
- Clearing the CMOS and/or NVRAM memory.
AMT setup and integration is supported by a setup and configuration service (for automated setup), an AMT Webserver tool (included with Intel AMT), and AMT Commander, an unsupported and free proprietary application available from Intel's website.
Communications
All access to Intel AMT features is through the Intel Management Engine in the PC's hardware and firmware. AMT communication depends on the state of the Management Engine, not on the state of the PC's OS.
As part of the Intel Management Engine, the OOB AMT communication channel is based on a firmware-based TCP/IP stack designed into the system hardware. Because it is based on that TCP/IP stack, remote communication with AMT occurs via the network data path before communication is passed to the OS.
Intel AMT supports wired and wireless networks. For wireless notebooks on battery power, OOB communication is available when the system is awake and connected to the corporate network, even if the OS is down. OOB communication is also available for wireless or wired notebooks connected to the corporate network over a host-OS-based virtual private network (VPN) when the notebook is awake and working properly.
AMT version 4.0 and higher can establish a secure communication tunnel between a wired PC and an IT console outside the corporate firewall. In this scheme, a management presence server (Intel calls this a "vPro-enabled gateway") authenticates the PC, opens a secure TLS tunnel between the IT console and the PC, and mediates communication. The scheme is intended to help the user or the PC itself request maintenance or service when at a satellite office or similar place where there is no on-site proxy server or management appliance.
Technology that secures communication outside a corporate firewall is relatively new. It also requires that the infrastructure be in place, including support from IT consoles and firewalls.
An AMT PC stores system configuration information in protected memory. For PCs version 4.0 and higher, this information can include the name(s) of appropriate "whitelist" management servers for the company. When a user tries to initiate a remote session between the wired PC and a company server from an open LAN, AMT sends the stored information to a management presence server (MPS) in the "DMZ" zone that sits between the corporate firewall and the client's (the user PC's) firewall. The MPS uses that information to help authenticate the PC. The MPS then mediates communication between the laptop and the company's management servers.
Because communication is authenticated, a secure communication tunnel can then be opened using TLS encryption. Once secure communication is established between the IT console and Intel AMT on the user's PC, a sys-admin can use the typical AMT features to remotely diagnose, repair, maintain, or update the PC.
Design
Hardware
The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part of all current Intel chipsets (as of 2015).
Starting with ME 11, it is based on an Intel Quark x86-based 32-bit CPU and runs the MINIX 3 operating system. The ME state is stored in a partition of the SPI flash, using the Embedded Flash File System (EFFS). Previous versions were based on an ARC core, with the Management Engine running the ThreadX RTOS from Express Logic. Versions 1.x to 5.x of the ME used an ARCTangent-A4 (32-bit only instructions), whereas versions 6.x to 8.x used the newer ARCompact (mixed 32- and 16-bit instruction set architecture). Starting with ME 7.1, the ARC processor could also execute signed Java applets.
The ME has its own MAC and IP address for the out-of-band interface, with direct access to the Ethernet controller; a portion of the Ethernet traffic is diverted to the ME even before reaching the host's operating system, for which support exists in various Ethernet controllers, exported and made configurable via the Management Component Transport Protocol (MCTP). The ME also communicates with the host via the PCI interface. Under Linux, communication between the host and the ME is done via /dev/mei.
Until the release of Nehalem processors, the ME was usually embedded into the motherboard's northbridge, following the Memory Controller Hub (MCH) layout. With the newer Intel architectures (Intel Series 5 onwards), the ME is integrated into the Platform Controller Hub (PCH).
Firmware
- Management Engine (ME) - mainstream chipset
- Server Platform Services (SPS) - server
- Trusted Execution Engine (TXE) - tablet/mobile/low power
Security
Because AMT allows access to the PC below the OS level, security for the AMT features is a key concern.
Security for communication between Intel AMT and the provisioning service and/or management console can be established in different ways depending on the network environment. Security can be established via certificates and keys (TLS public key infrastructure, or TLS-PKI), pre-shared keys (TLS-PSK), or administrator password.
The security technology that protects access to the AMT features is built into the hardware and firmware. As with other hardware-based features of AMT, the security technology is active even if the PC is powered off, the OS is hung, the software agent is missing, or hardware (such as a hard drive or memory) has failed.
Because the software that implements AMT exists outside of the operating system, it is not kept up to date by the operating system's normal update mechanism. Security flaws in the AMT software can therefore be particularly severe, as they will remain long after they have been discovered and become known to potential attackers.
On May 15, 2017, Intel announced a critical vulnerability in AMT. According to the update, "The vulnerability could enable a network attacker to remotely gain access to business PCs or devices that use this technology." Intel announced partial availability of a firmware update to patch the vulnerability for some of the affected devices.
Network
While some protocols for in-band remote management use a secured network communication channel (for example Secure Shell), some other protocols are not secured. Thus some businesses have had to choose between having a secure network or allowing IT to use remote management applications without secure communications to maintain and service PCs.
Modern security technologies and hardware designs allow remote management even in more secure environments. For example, Intel AMT supports IEEE 802.1x, Preboot Execution Environment (PXE), Cisco SDN, and Microsoft NAP.
All AMT features are available in a secure network environment. With Intel AMT in a secure network environment:
- The network can verify the security posture of an AMT-supported PC and authenticate the PC before the OS load and before the PC is granted access to the network.
- PXE boot can be used while maintaining network security. In other words, an IT administrator can use the existing PXE infrastructure in an IEEE 802.1x, Cisco SDN, or Microsoft NAP network.
Intel AMT can embed network security credentials in the hardware, via the Intel AMT Embedded Trust Agent and an AMT posture plug-in. The plug-in collects security posture information, such as firmware configuration and security parameters from third-party software (such as antivirus and antispyware software), BIOS, and protected memory. The plug-in and trust agent can store the security profile(s) in AMT's protected, non-volatile memory, which is not on the hard disk drive.
Because AMT has an out-of-band communication channel, AMT can present the PC's security posture to the network even if the PC's OS or security software is compromised. Since AMT presents the posture out-of-band, the network can also authenticate the PC out-of-band, before the OS or applications load and before they try to access the network. If the security posture is not correct, a system administrator can push an update OOB (via Intel AMT) or re-install critical security software before letting the PC access the network.
Support for different security posture depends on AMT release:
- Support for IEEE 802.1x and Cisco SDN requires AMT version 2.6 or higher for laptops, and AMT version 3.0 or higher for desktop PCs.
- Support for Microsoft NAP requires AMT version 4.0 or higher.
- Support for PXE boot with full network security requires AMT 3.2 or higher for desktop PCs.
Technology
AMT includes several security schemes, technologies, and methodologies to secure access to AMT features during installation and during remote management. AMT's security technologies and methodologies include:
- Transport Layer Security, including pre-shared key TLS (TLS-PSK)
- HTTP Authentication
- Single sign-on to Intel AMT with Microsoft Windows domain authentication, based on Microsoft Active Directory and Kerberos
- Digitally signed firmware
- Pseudo-random number generator (PRNG) that generates session keys
- Protected memory (not on hard disk drive) for important system data, such as UUID, hardware asset information, and BIOS configuration settings
- Access control list (ACL)
As with other aspects of Intel AMT, security technologies and methodologies are built into the chipset.
Known vulnerabilities and exploits
Ring -3 rootkit
A ring -3 rootkit was demonstrated by Invisible Things Lab for the Q35 chipset; it does not work for the later Q45 chipset, as Intel implemented additional protections. The exploit worked by remapping the normally protected memory region (the top 16 MB of RAM) reserved for the ME. The ME rootkit could be installed regardless of whether AMT is present or enabled on the system, as the chipset always contains the ARC ME coprocessor. (The "-3" designation was chosen because the ME coprocessor works even when the system is in the S3 state, so it is considered a layer below the System Management Mode rootkits.) For the vulnerable Q35 chipset, a keystroke logger ME-based rootkit was demonstrated by Patrick Stewin.
Zero-touch provisioning
Another security evaluation by Vassilios Ververis showed serious weaknesses in the GM45 chipset implementation. In particular, it criticized AMT for transmitting unencrypted passwords in the SMB provisioning mode when the IDE redirection and Serial over LAN features are used. It also found that the "zero touch" provisioning mode (ZTC) is still enabled even when AMT appears to be disabled in the BIOS. For about 60 euros, Ververis purchased from Go Daddy a certificate that is accepted by the ME firmware and allows remote "zero touch" provisioning of (possibly unsuspecting) machines, which broadcast their HELLO packets to would-be configuration servers.
Silent Bob is Silent
In May 2017, Intel confirmed that many computers with AMT have had an unpatched critical privilege escalation vulnerability (CVE-2017-5689). The vulnerability, which was nicknamed "Silent Bob is Silent" by the researchers who had reported it to Intel, affects numerous laptops, desktops, and servers sold by Dell, Fujitsu, Hewlett-Packard (later Hewlett Packard Enterprise and HP Inc.), Intel, Lenovo, and possibly others. Those researchers claimed that the bug affects systems made in 2010 or later. Other reports claimed that the bug also affects systems made as long ago as 2008. The vulnerability was described as giving remote attackers:
full control over the affected machine, including the ability to read and modify everything. It can be used to install persistent malware (possibly in firmware), and read and modify any data.
PLATINUM
In June 2017, the PLATINUM cybercrime group became notorious for exploiting the serial over LAN (SOL) capabilities of AMT to perform data exfiltration of stolen documents.
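Because the AMT channel is served by the ME before traffic reaches the host OS (as described under Communications and Hardware), endpoint tooling on the managed PC cannot see an SOL session like the one PLATINUM abused; the place to look is network flow data. The following is an added example, not part of the original article or of any Intel tool: it runs a simple detector over constructed flow records, flagging connections to the AMT listener ports (16992-16995 for the web and redirection services, 623/664 for ASF RMCP) from hosts other than an assumed, hypothetical list of authorised consoles, and calling out unusually large redirection sessions.

```python
"""Flag network flows that touch Intel AMT out-of-band ports.

Added example with constructed data. The flow records, the console
address and the size threshold below are made up for illustration.
"""

# TCP ports on which the AMT firmware listens (documented by Intel).
AMT_PORTS = {
    16992: "AMT HTTP",
    16993: "AMT HTTPS",
    16994: "AMT redirection (SOL/IDE-R)",
    16995: "AMT redirection over TLS",
    623: "ASF RMCP",
    664: "ASF secure RMCP",
}

# Hypothetical: hosts allowed to drive AMT (the IT console / management
# presence server). Any other source talking to these ports is suspect.
AUTHORISED_CONSOLES = {"10.0.5.10"}

# Hypothetical threshold: SOL is a serial console, so a multi-megabyte
# redirection session is out of character and worth an analyst's look.
LARGE_REDIRECTION_BYTES = 1_000_000

def parse_flow(line):
    """Parse one constructed flow record of the form
    '<ts> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> bytes=<n>'."""
    ts, proto, src, _arrow, dst, bytes_field = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": ts, "proto": proto,
        "src_ip": src_ip, "src_port": int(src_port),
        "dst_ip": dst_ip, "dst_port": int(dst_port),
        "bytes": int(bytes_field.split("=", 1)[1]),
    }

def classify(flow):
    """Return (severity, reason) for an AMT-related flow, else None."""
    service = AMT_PORTS.get(flow["dst_port"])
    if service is None:
        return None
    if flow["src_ip"] not in AUTHORISED_CONSOLES:
        return ("high", f"{service} from unauthorised host {flow['src_ip']}")
    if flow["dst_port"] in (16994, 16995) and flow["bytes"] > LARGE_REDIRECTION_BYTES:
        return ("medium", f"large {service} session ({flow['bytes']} bytes)")
    return ("info", f"{service} from authorised console")

def scan(lines):
    """Run classify over flow lines; return a list of (flow, severity, reason)."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict is not None:
            hits.append((flow, *verdict))
    return hits

# Constructed sample: one console session, ordinary HTTPS, a probe from an
# unknown address, and a large SOL session from the console.
SAMPLE_FLOWS = """\
2017-06-01T10:00:01Z tcp 10.0.5.10:51000 -> 10.0.7.23:16993 bytes=18240
2017-06-01T10:00:02Z tcp 10.0.7.44:51001 -> 10.0.7.23:443 bytes=2300
2017-06-01T10:02:09Z tcp 192.0.2.77:40022 -> 10.0.7.23:16992 bytes=4100
2017-06-01T10:05:30Z tcp 10.0.5.10:51002 -> 10.0.7.23:16994 bytes=48200000
2017-06-01T10:06:00Z udp 10.0.7.23:68 -> 10.0.7.1:67 bytes=300
"""

if __name__ == "__main__":
    for flow, severity, reason in scan(SAMPLE_FLOWS.splitlines()):
        print(f"[{severity}] {flow['ts']} {flow['src_ip']} -> "
              f"{flow['dst_ip']}:{flow['dst_port']} {reason}")
```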
SA-00086
In November 2017, serious flaws were detected in the Management Engine (ME) firmware by the security firm Positive Technologies, which claimed to have developed a working exploit of this system for someone with physical access to a USB port. On November 20, 2017, Intel confirmed that a number of serious flaws had been found in the Management Engine, Trusted Execution Engine, and Server Platform Services firmware, and released a "critical firmware update".
Avoidance and mitigation
PCs with AMT usually provide an option in the BIOS menu to turn off AMT, though OEMs implement BIOS features differently, and therefore the BIOS is not a reliable method for disabling AMT. Intel-based PCs shipped without AMT should not be able to have AMT installed later. However, as long as the PC's hardware is potentially capable of running AMT, it is unclear how effective this protection is. Currently, there are mitigation guides and tools for disabling AMT on Windows, but Linux has only received a tool to check whether AMT is enabled and provisioned on Linux systems. The only way to actually fix this vulnerability is to install a firmware update. Intel has made a list of available updates. Unlike AMT, there is generally no official, documented way to disable the Management Engine (ME); it is always on unless it is not enabled at all by the OEM.
By 2015, a small number of competing vendors began to offer Intel-based PCs designed or modified specifically to address potential AMT vulnerabilities and related concerns.
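One practical check an administrator can run from the network side, whichever OS the managed PCs boot, is to see whether the AMT web listener answers and which firmware version it reports, then compare that against the version Intel's update list gives for the platform. The code below is an added example, not an Intel tool; it assumes (hypothetically) that the `Server:` header of the AMT web interface on TCP 16992 names the firmware version, and the operator fills in `PATCHED_MIN_BY_BRANCH` from Intel's list, since fixes ship per firmware branch and the article does not give version numbers.

```python
"""Inventory check: read the AMT firmware version from the web listener's
banner and compare it with an operator-supplied minimum per branch.

Added example. The response text and the version numbers used as sample
data are constructed for illustration only.
"""
import re
import socket

AMT_HTTP_PORT = 16992

# Assumption: the AMT web interface identifies itself in the Server header as
# "Intel(R) Active Management Technology <major>.<minor>.<hotfix>.<build>".
_BANNER_RE = re.compile(
    r"Intel\(R\) Active Management Technology (\d+(?:\.\d+)+)", re.IGNORECASE)

# Hypothetical placeholder values; the operator replaces them with the
# minimum fixed build for each firmware branch taken from Intel's list.
PATCHED_MIN_BY_BRANCH = {
    (11, 6): (11, 6, 27, 3264),
}

def parse_amt_version(http_response):
    """Return the AMT version as a tuple of ints, or None if no AMT banner."""
    for line in http_response.splitlines():
        if line.lower().startswith("server:"):
            match = _BANNER_RE.search(line)
            if match:
                return tuple(int(part) for part in match.group(1).split("."))
    return None

def check_branch(version, patched_min_by_branch):
    """Classify a version as 'patched', 'vulnerable' or 'unknown-branch'.

    Versions are compared only within their own major.minor branch; a build
    number from another branch says nothing about this one."""
    minimum = patched_min_by_branch.get(version[:2])
    if minimum is None:
        return "unknown-branch"
    return "patched" if version >= minimum else "vulnerable"

def probe(host, port=AMT_HTTP_PORT, timeout=3.0):
    """Fetch the raw HTTP response from the AMT port, or None if unreachable.

    A closed port does not prove AMT is absent: it may be unprovisioned, or
    reachable only through the management presence server in the DMZ."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request.encode("ascii"))
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks).decode("latin-1", errors="replace")
    except OSError:
        return None

# Constructed response standing in for what probe() would return.
CONSTRUCTED_RESPONSE = (
    "HTTP/1.1 303 See Other\r\n"
    "Server: Intel(R) Active Management Technology 11.6.27.3264\r\n"
    "Location: /logon.htm\r\n\r\n"
)

def assess(http_response, patched_min_by_branch=PATCHED_MIN_BY_BRANCH):
    """Combine parsing and comparison; returns (version, verdict)."""
    version = parse_amt_version(http_response)
    if version is None:
        return (None, "no-amt-banner")
    return (version, check_branch(version, patched_min_by_branch))

if __name__ == "__main__":
    print(assess(CONSTRUCTED_RESPONSE))
```

Against live hosts, replace the constructed response with `probe(host)` and treat "unknown-branch" as a prompt to extend the table, not as a pass.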
See also
- Backdoor (computing)
- Host Embedded Controller Interface
- HP Integrated Lights-Out
- Intel CIRA
- Intel Core 2
- Internet kill switch
- I/O Controller Hub
- Out-of-band management
- Southbridge (computing)
- System Service Processor
- Intel AMT versions
- Intel Management Engine
- Intel vPro
External links
- Intel Active Management Technology
- Intel Developer Community - Setup and Configuration
- Intel vPro Expert Center
- Intel AMT Open Source Drivers and Tools
- Intel 82573E Gigabit Ethernet Controller (Tekoa)
- ARC4 processor
- AMT videos (select the desktop channel)
- Intel AMT client - Radmin Viewer 3.3
- Intel vPro/AMT as a hardware antivirus
- AMT provisioning over the Internet (OOB Manager)
- Intel ME Secrets: Hidden code in your chipset and how to discover what exactly it does, Igor Skochinsky, talk at Code Blue 2014
- Using Intel AMT and the Intel NUC with Ubuntu
Source of the article : Wikipedia