Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Remote Privilege Escalation

2018-02-21T11:00:00
ID LENOVO:PS500104-NOSID
Type lenovo
Reporter Lenovo
Modified 2018-02-21T11:00:00

Description

Lenovo Security Advisory: LEN-14963

Potential Impact: Remote or local exploitation of manageability features leading to unprivileged system access

Severity: High

Scope of Impact: Industry-Wide

CVE Identifier: CVE-2017-5689

Summary Description:

Intel manageability SKUs (AMT, ISM, and SBT) have a privilege escalation issue that makes platforms vulnerable to unprivileged system access. Intel manageability is supported on some Lenovo ThinkPads, ThinkCentres, ThinkStations, and ThinkServers.

  1. An unprivileged network attacker could gain system privileges to provisioned / activated Lenovo systems that support Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).
  2. An unprivileged local attacker could provision manageability features, which would allow them to gain unprivileged network or local system privileges on Lenovo systems that support Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).

The problem has been isolated to a design issue in the Intel manageability SKU firmware. This results in a vulnerability that allows an unprivileged network or local attacker to gain system privileges on Lenovo systems that support Intel manageability (AMT, ISM, and SBT).

Intel® AMT, ISM and SBT use integrated platform capabilities to allow IT or managed service providers to remotely manage networked computing assets.

Mitigation Strategy for Customers (what you should do to protect yourself):

Lenovo is urgently working on qualifying and applying the fixes provided by Intel on supported systems. Please continue to refer to this advisory to identify fixes as they are posted for your systems.

Options for mitigation until the firmware update is available are:

  • The network vulnerability can be mitigated by unprovisioning the Intel manageability SKU (AMT and ISM) or disabling the Intel manageability technology within the Intel® MEBx.
  • The local vulnerability can be mitigated by disabling or uninstalling Local Manageability Service (LMS) on Intel manageability SKUs (AMT, ISM, and SBT).

Note that capabilities and features provided by AMT, ISM, and SBT will be made unavailable when these mitigations are implemented.

The instructions to implement the mitigation steps are posted at Intel’s website here: <https://downloadcenter.intel.com/download/26754>

NOTE: Intel has posted a Firmware Deployment Procedure gude here: <http://www.intel.com/content/www/us/en/support/technologies/intel-active-management-technology-intel-amt/000024236.html>

Please refer to this guide if you are using AMT, ISM or SBT before running the updates. The guide will tell you to first unprovision the systems, update the firmware and then re-provision the systems. If you are not using these technologies, no special steps need to be followed before running the updates.

Product Impact:

The issue has been observed in Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6.

Lenovo systems using Intel manageability firmware prior to version 6.0 and newer than 11.6 do not contain the identified vulnerability.

Intel has released a Detection Guide to assess if your system has the impacted firmware: <https://downloadcenter.intel.com/download/26755>. Intel® AMT, Intel® SBA, or Intel® ISM firmware versions that resolve the issue have a four digit build number that starts with a “3” (X.X.XX.3XXX) Ex: 8.1.71.3608.