Last week, Intel published a security advisory (INTEL-SA-00075) regarding a new vulnerability in Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT). The firmware versions impacted are 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6. In addition to the vulnerability disclosure, details of how to exploit it remotely has been released publicly.
Exploitation of this vulnerability could allow an attacker to gain complete control of an affected system. Updated firmwares will be released by the system OEM, but Intel has provided mitigation steps to prevent remote exploitation of the vulnerability. The Qualys Cloud Platform can help you detect any vulnerable systems, allowing you to quickly target them for mitigation.
We released QID 43506 on May 2 to detect this vulnerability using Qualys Vulnerability Management. This detection supports both unauthenticated and authenticated scans, as well as the Qualys Cloud Agent. Qualys ThreatPROTECT also provides one-click access to a continuously updated list of impacted assets through the Live Feed.
Intel has released a mitigation guide that covers several mitigation options, including de-provisioning and removing the affected LMS service.
The Qualys Cloud Agent collects a list of running services, which can be queried using Qualys AssetView. Using the following query, you can detect systems that have both the vulnerable AMT versions and also have not had the mitigation steps applied:
> > vulnerabilities.vulnerability.qid:43506 and services:(name:LMS and status:running)
To start detecting and protecting against critical vulnerabilities, get a Qualys Suite trial. All features described in this article are available in the trial.