"Intel AMT: ENABLED, AMT is unprovisioned". Does that mean AMT is still potentially vulnerable to attacks from user/kernelspace?



From the readme:

  In this state, AMT is not vulnerable to CVE-2017-5689.


Thanks! Missed this part. Also, do you think it's a good idea to keep it in this state as opposed to updating in case Intel's new patches lock AMT down even further? This is the pattern I saw with Sony once - groups of users not updating their consoles because via exploiting it they could get more control over it.


You should be able to disable it in the BIOS. If you're not going to use it, I'd suggest disabling it. You could always re-enable it later, should you find a need for it.


Is disabling always possible? I don’t find a UI option to disable it in recent Lenovo ThinkStation BIOS, even though I’ve seen such an option previously in ThinkPad BIOS.


Intel has provided a mitigation guide that goes through how to disable LMS (local manageability services), which AMT is a part of. Take a look: https://downloadmirror.intel.com/26754/eng/Intel-SA-00075%20...


I meant disabling the ME-side stuff from BIOS. That’s for disabling the Windows-side component.


I disabled it in the BIOS on my Lenovo T450s back when this was first reported, and the tool reports...

Intel AMT is present AMT is unprovisioned

So disabling it puts it in the same state.


I have no BIOS option at all for this, yet it’s enabled and provisioned. What do I do?


Well, firstly, don't connect your machine to networks you don't trust the members of :)

If your machine's manufacturer still supports the device, check if they have any firmware updates available. Hopefully they will have recent updates that include a fix for the AMT authn issue.

If you want to disable it, Intel has provided a mitigation guide which has instructions on disabling LMS (which AMT is part of): https://downloadmirror.intel.com/26754/eng/Intel-SA-00075%20.... I've not had to follow it myself, good luck if you do :)

I'm just repeating stuff I've read from MJG, take a look at his FAQ around this issue: https://mjg59.dreamwidth.org/48429.html


The machine is self-assembled, and the motherboard manufacturer doesn’t provide updates.

I don’t run Windows, though.

> Well, firstly, don't connect your machine to networks you don't trust the members of :)

I’ve already had issues with the Intel card, so I’m running on a Realtek Ethernet card for now anyway. But that’s no long-term solution.


Now I’m curious how a self-assembled computer got into the provisioned state.


That’s an interesting question, isn’t it? Even more, how AMT was enabled in the first place, if the UEFI has no option for it.

And I’ve had massive issues with AMT before – for some reason, on Linux, the ME would force a reset of the network connection every 90 seconds (which is why I use an ancient Realtek network card currently).

Possible explanations include bad defaults in the UEFI, a store sending me a used part instead of a new part, etc. If we go into conspiracy territory, NSA TAO interception would also be on the table. Very unlikely, though.
