Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NSE for INTEL-SA-00075 / CVE-2017-5689 #876

wants to merge 1 commit into from


Copy link

@xorrbit xorrbit commented May 5, 2017

This tests Intel AMT for the authentication bypass vulnerability.

See for details.

Tested on a few vuln hosts, works as expected.

@nmap-bot nmap-bot closed this in 7bd54ab May 7, 2017
Copy link

3 modifications you should make:

  1. On Skylake and Kabilake systems (Intel ME version 11.x), the HTTP response header contains only the string AMT. the current script wont check the vulnerability on these systems and falsely report the system is not vulnerable.
  2. Port 16994 and 16995 are used for Intel AMT redirection and KVM protocol. So no point to send an HTTP request to these 2 TCP ports
  3. There may be configurations were Intel AMT Web interface is disabled. Therefore you should probably run the test on /wsman uri.

Copy link

ppietikainen commented May 8, 2017

In addition to "AMT", "Intel(R) Con. Management Engine 5.0.1" (and 5.0.2) could also be vulnerable. Supposedly < 6.0 is safe, but you never know until you try yourself. Maybe just check for Intel(R) or AMT in the early check?

Copy link

I think a simpler way to check would be to run the script only on port Intel AMT web server ports: 16992, 16993, 623 and 664 without checking the HTTP response server header field contains AMT or Intel Active management technology string.

Copy link

cldrn commented May 9, 2017

Thanks for the comments. Do you know if the remote ports can be changed in the configuration?

Copy link

Remote ports can't be changed. The only thing that can change are the following:
If AMT is configured in SSL, it will listen to port 16993 (both WS-MAN and Web interface) and 664 (WS-MAN only, DASH standard)
AMT can be comfigured to support both HTTP and HTTPS at same time. In such configuration, it will listen to the following port: 16992, 16993, 623 and 624.
Redirection ports 16994 (tcp) and 16995 (tls) can be enabled or not depending on the configuration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet

Successfully merging this pull request may close these issues.

None yet

4 participants