Read the mjg59 summary first
- Vulnerability announcement | HN thread
- Intel Advisory INTEL-SA-00075 | HN thread
- Debian microcode wiki page NOTE: not clear if this can be fixed by microcode
- Intel tools
- The Intel FOSS project OpenMDTK is being replaced with MeshCommander. They are Windows tools, but claim to work in Linux if you use Mono.
- MeshCommander is Node.js and is supposed to work in Linux
- OpenMDTK and MeshCommander not currently in WNPP
- Intel SCS System Discovery tool (Windows)
- other tools
- OpenWSMAN | RFP: openwsman #754501 | RFP: wsmancli #754505
- wsmancli (part of the above). Looking in the code, it looks like the default ports are 5986 for the server and 5985 for the client. Dunno if they use a separate IP from the host, bind to all, etc
- mjg59’s page says the default ports are 16992 and 16993
- mitigation guide PDF from Intel
- thereg article
- me cleaner utility
taggart notes
“The easiest way to programmatically determine if a machine has AMT available would be to look for the presence of the MEI device in the PCI config space. If the system has a device at Bus:0, Device:3, Func:0; then the system is a vPro system. If that device is all FFs, then the system is a non-vPro system.” <- probably system specific, I couldn’t repeat
debian packages that might be interesting
amtterm – Serial-over-lan (sol) client for Intel AMT, console version NOTE: replaced by wsmancli (see http://openwsman.sf.net)
gamt – Serial-over-lan (sol) client for Intel AMT, gtk version NOTE: replaced by wsmancli (see http://openwsman.sf.net)
nvramtool – Read/write coreboot-related NVRAM/CMOS information
iucode-tool – Intel processor microcode tool
inteltool – Dump Intel CPU / chipset configuration parameters NOTE: only helps determine north/southbridge, no help
intel-microcode – Processor microcode firmware for Intel CPUs
Debian versions as of May 1, 2017:
intel-microcode | 1.20140913.1~bpo60+1 | squeeze-backports/non-free
intel-microcode | 1.20150121.1 | wheezy/non-free
intel-microcode | 3.20161104.1~deb8u1~bpo7+1 | wheezy-backports/non-free
intel-microcode | 3.20161104.1~deb8u1 | jessie/non-free
intel-microcode | 3.20161104.1~bpo8+1 | jessie-backports/non-free
intel-microcode | 3.20161104.1 | stretch/non-free
intel-microcode | 3.20161104.1 | sid/non-free
Upstream is currently here and is version 20161104
From the mitigation document, the list of ports is as follows: 16992, 16993, 16994, 16995, 623, and 664. We can easily see if those are open anywhere.
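An added example (not part of the original notes, nor from Intel's mitigation guide) that does exactly that check: it tries a TCP connect to each of the listed ports on the hosts given on the command line and reports which ones answer. It must be run from another machine, since the AMT listeners live in the management engine and never show up in `ss`/`netstat` on the host itself.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Ports named in the Intel mitigation guide (see the note above).
AMT_PORTS = (16992, 16993, 16994, 16995, 623, 664)


def port_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # refused, timed out, unreachable: all count as "not open"
        return False


def open_amt_ports(host, ports=AMT_PORTS, timeout=1.0):
    """Return the sorted list of ports from `ports` that accept TCP connections.

    AMT is served by the ME through the NIC, not by the host OS, so this has
    to be run from a different machine on the same network segment.
    """
    with ThreadPoolExecutor(max_workers=max(1, len(ports))) as pool:
        results = list(pool.map(lambda p: (p, port_open(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def report(hosts, ports=AMT_PORTS, timeout=1.0):
    """Map each host to its open AMT ports; hosts with none open are still listed."""
    return {h: open_amt_ports(h, ports, timeout) for h in hosts}


if __name__ == "__main__":
    for host, ports in report(sys.argv[1:]).items():
        status = "EXPOSED: " + ", ".join(map(str, ports)) if ports else "none open"
        print(f"{host}: {status}")
```

A host that shows 16992/16993 open is running the AMT web interface and should be checked against the provisioning state described in the mitigation guide.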
This page was started when the first major AMT vuln came out in May 2017. I determined that none of our systems were vulnerable here. Then there were more AMT vulnerabilities; mjg59 has a good summary. Because we don’t have it enabled, we’re still OK. But this is probably a good reason to avoid all newer Intel hardware, way too much secret code running in the CPU.