NSE for INTEL-SA-00075 / CVE-2017-5689 #876

Closed
wants to merge 1 commit into base: master from
4 participants

xorrbit commented May 5, 2017

This tests Intel AMT for the authentication bypass vulnerability.

See https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability for details.

Tested on a few vuln hosts, works as expected.

@nmap-bot nmap-bot closed this in 7bd54ab May 7, 2017

yanaimoyal commented May 8, 2017

3 modifications you should make:

  1. On Skylake and Kaby Lake systems (Intel ME version 11.x), the HTTP response header contains only the string AMT. The current script won't check the vulnerability on these systems and will falsely report that the system is not vulnerable.
  2. Ports 16994 and 16995 are used for the Intel AMT redirection and KVM protocols, so there is no point sending an HTTP request to these two TCP ports.
  3. There may be configurations where the Intel AMT web interface is disabled. Therefore you should probably run the test on the /wsman URI.
ppietikainen commented May 8, 2017

In addition to "AMT", "Intel(R) Con. Management Engine 5.0.1" (and 5.0.2) could also be vulnerable. Supposedly < 6.0 is safe, but you never know until you try yourself. Maybe just check for Intel(R) or AMT in the early check?

yanaimoyal commented May 8, 2017

I think a simpler way to check would be to run the script only on the Intel AMT web server ports (16992, 16993, 623 and 664) without checking whether the HTTP response Server header field contains the AMT or Intel Active Management Technology string.

Thanks for the comments. Do you know if the remote ports can be changed in the configuration?

cldrn (Member) commented May 9, 2017

Thanks for the comments. Do you know if the remote ports can be changed in the configuration?

Remote ports can't be changed. The only thing that can change are the following:
If AMT is configured in SSL, it will listen to port 16993 (both WS-MAN and Web interface) and 664 (WS-MAN only, DASH standard)
AMT can be comfigured to support both HTTP and HTTPS at same time. In such configuration, it will listen to the following port: 16992, 16993, 623 and 624.
Redirection ports 16994 (tcp) and 16995 (tls) can be enabled or not depending on the configuration.

yanaimoyal commented May 9, 2017

Remote ports can't be changed. The only things that can change are the following:
If AMT is configured with SSL, it will listen on port 16993 (both WS-MAN and web interface) and 664 (WS-MAN only, DASH standard).
AMT can be configured to support both HTTP and HTTPS at the same time. In such a configuration, it will listen on the following ports: 16992, 16993, 623 and 624.
Redirection ports 16994 (TCP) and 16995 (TLS) can be enabled or not depending on the configuration.
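As an added example (not the PR's NSE script and not code from the Nmap project), the pre-check the thread converges on, expressed in Python: only the AMT web/WS-Management ports are considered, the redirection ports are skipped, a bare "AMT" banner counts as well as the full "Intel(R) ..." strings, and the firmware version is pulled from the banner when one is present. The probe paths "/" and "/wsman" and the sample responses are constructed assumptions based on the comments above.

```python
import re
from typing import Optional

# Ports named in the thread as AMT HTTP / WS-Management listeners
# (16992 and 623 plain, 16993 and 664 TLS).
AMT_WEB_PORTS = {16992, 16993, 623, 664}
# Redirection / KVM ports: not HTTP services, so never probed.
AMT_REDIRECTION_PORTS = {16994, 16995}

# Banners discussed: bare "AMT" (ME 11.x), "Intel(R) Active Management
# Technology x.y.z", and "Intel(R) Con. Management Engine 5.0.x".
# Note: no \b after "Intel(R)" because ")" is not a word character.
AMT_BANNER_RE = re.compile(r"(?:Intel\(R\)|\bAMT\b)", re.IGNORECASE)
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")

def server_header(raw: bytes) -> Optional[str]:
    """Return the Server: header value from a raw HTTP response, or None."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1", "replace")
    return None

def classify(port: int, raw: bytes) -> dict:
    """Decide whether a port/response pair is an AMT web listener worth
    testing further, and which URIs such a test should cover."""
    result = {"amt": False, "version": None, "paths": [], "reason": ""}
    if port in AMT_REDIRECTION_PORTS:
        result["reason"] = "redirection/KVM port, not HTTP"
        return result
    if port not in AMT_WEB_PORTS:
        result["reason"] = "not an AMT web port"
        return result
    banner = server_header(raw)
    if banner is None or not AMT_BANNER_RE.search(banner):
        result["reason"] = "Server header does not look like AMT"
        return result
    result["amt"] = True
    m = VERSION_RE.search(banner)
    result["version"] = m.group(1) if m else None  # bare "AMT" has none
    # The web UI may be disabled, so /wsman (WS-Management) is always included.
    result["paths"] = ["/", "/wsman"]
    result["reason"] = "AMT banner on AMT web port"
    return result
```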
