Attacker Value
High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2017-5689

Disclosure Date: May 02, 2017
CVE-2017-5689 CVSS v3 Base Score: 9.8
Exploited in the Wild
Reported by mkienow-r7 and 1 more...
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM). An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT).

Add Assessment

4
Ratings
  • Attacker Value
    High
  • Exploitability
    Very High
Easy to weaponizeVulnerable in default configuration
Technical Analysis

as stated on CVE details, this vulnerability let an attacker to bypass authentication on AMT and reach web panel as admin.

at first glance this vulnerability looks not that useful, because – at least from my tests – by bypassing authentication you can:

  • reboot/shutdown/poweron the host
  • boot from alternative devices, for example PXE
  • other “useless” stuff

and if in theory running a live system to access original host filesystem to exfiltrate hashes/data could be awesome, i’ve seen no engagement where you can actually reboot a box without heavy issue from the owner. because AMT works also when the host is shutdown, it could be interesting to poweron an inactive host and take full control of it, but we have another options:
(un)fortunately, AMT also let a user to access using KVM, so an attacker can use (or leech at) a running interactive session.

the bypass is very easy, just specify response=“” in Authorization header, and can also be automated on any intercepting proxy like burp or zap, so you could route all your traffic to burp and have the auth bypass

what i’ve tested so far are this blog post, to setup a KVM connection from linux:
https://www.cyberciti.biz/faq/remotely-access-intel-amt-kvm-linux-desktop/
and this awesome opensource client:
https://www.meshcommander.com/meshcommander

unfortunately, engagement’s time didn’t let me to finish my test.

for a quick vulnerability check:
https://www.exploit-db.com/exploits/43385

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Intel Active Mangement Technology, Intel Small Business Technology, Intel Standard Manageability fixed in versions 6.2.61.3535, 7.1.91.3272, 8.1.71.3608, 9.1.41.3024, 10.0.55.3000, 11.0.25.3001, and 11.6.27.3264 and later
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
auxiliary/scanner/http/intel_amt_digest_bypass
Reporter
Unknown

Vendors

  • intel

Products

  • active management technology firmware 10.0,
  • active management technology firmware 11.0,
  • active management technology firmware 11.5,
  • active management technology firmware 11.6,
  • active management technology firmware 6.0,
  • active management technology firmware 6.1,
  • active management technology firmware 6.2,
  • active management technology firmware 7.0,
  • active management technology firmware 7.1,
  • active management technology firmware 8.0,
  • active management technology firmware 8.1,
  • active management technology firmware 9.0,
  • active management technology firmware 9.1,
  • active management technology firmware 9.5

Exploited in the Wild

Reported by:
Technical Analysis