The Intel AMT firmware security issue does not affect most Enterprise Server systems.
For the few systems that are affected, each manufacturer is providing patches.
Security vulnerability news published abroad:
------------------------------------------------------
INTEL AMT SECURITY ISSUE LETS ATTACKERS BYPASS LOGIN CREDENTIALS IN CORPORATE LAPTOPS
A Security Issue in Intel’s Active Management Technology (AMT)
https://business.f-secure.com/intel-amt-security-issue
------------------------------------------------------
AMT is fundamentally a client-side technology and does not affect server operation.
Because some of its functions are used in the Intel Management Engine (IME) for Remote Management,
the related vulnerable components have already been fixed and patches are being distributed. (See the section below.)
------------------------------------------------------
Intel AMT Escalation of Privilege Vulnerability (CVE-2017-5689)
http://h22208.www2.hpe.com/eginfolib/securityalerts/CVE-2017-5689-Intel/CVE-2017-5689.html
This vulnerability allows an unprivileged network or local attacker to gain control of the remote manageability features of Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT) platforms. This vulnerability affects Intel’s AMT firmware and the products identified as “not impacted” do not use AMT firmware.
Dell EMC Response to Intel AMT Advisory (INTEL-SA-00075) and CVE-2017-5689 (Common Vulnerabilities and Exposures)
https://www.dell.com/support/article/kr/ko/krdhs1/sln306252/dell-emc-response-to-intel-amt-advisory-intel-sa-00075-and-cve-2017-5689-common-vulnerabilities-and-exposures-?lang=en
Dell Engineering has determined that the vast majority of Enterprise products do not support AMT with the exception of the T20 & T30 platforms. All other Dell PowerEdge platforms and remote management controllers are unaffected.
Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Remote Privilege Escalation
https://support.lenovo.com/kr/en/product_security/len-14963
System x (Lenovo): Not affected
System x (IBM): Not affected
Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
This vulnerability does not exist on Intel-based consumer PCs with consumer firmware, Intel servers utilizing Intel® Server Platform Services (Intel® SPS), or Intel® Xeon® Processor E3 and Intel® Xeon® Processor E5 workstations utilizing Intel® SPS firmware.
------------------------------------------------------
Intel-published guidance on the AMT issue:
------------------------------------------------------
Security Best Practices of Intel® Active Management Technology Q&A December 2017
Below is a list of Security Advisories that apply to Intel Active Management Technology
INTEL-SA-00075 Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege
INTEL-SA-00081 Intel® AMT Clickjacking Vulnerability
INTEL-SA-00082 Intel AMT® Upgradable to Vulnerable Firmware
INTEL-SA-00093 Frame replay vulnerability in Wi-Fi subsystem in Intel® Dual-Band and TriBand
INTEL-SA-00086 Intel Q3’17 ME 11.x, SPS 4.0, and TXE 3.0 Security Review Cumulative Update
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr
Summary:
In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of our Intel® Management Engine (ME), Intel® Server Platform Services (SPS), and Intel® Trusted Execution Engine (TXE) with the objective of enhancing firmware resilience.
------------------------------------------------------
IME-related fixes:
------------------------------------------------------
HPE
CUSTOMER BULLETIN: (Revision) HPE Servers - Some Systems Using Certain Intel Processors Are Vulnerable to Local Denial of Service and Execution of Arbitrary Code
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00036596en_us
For all impacted ProLiant and Synergy Gen10 systems:
Intel Xeon Processor Scalable Family
1. First, update the System ROM to version 1.26 (or later).
2. Then, update the Innovation Engine to version 0.1.5.2 (or later).
3. Finally, update the Server Platform Services (SPS) firmware to version 04.00.04.288.
4. As a last step, update to the Gen10 System Recovery Set.
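The Gen10 sequence above is easy to get wrong in a fleet check because vendor version strings carry leading zeros and differ in length, so a lexical comparison ("1.2" > "1.26") gives the wrong answer. The following added example (not HPE or Intel tooling) takes the versions a system reports for its System ROM, Innovation Engine and SPS firmware, compares them numerically against the minimums quoted in the bulletin, and lists the outstanding steps in the bulletin's order. The inventory dictionary is constructed for illustration; the System Recovery Set has no version on the page, so it is tracked as a simple applied/not-applied flag, and the exact SPS version named in step 3 is treated as a minimum (both are assumptions).

```python
"""Compare reported HPE Gen10 firmware versions with the minimums quoted in
the HPE bulletin for INTEL-SA-00086 and report outstanding update steps.
Added example for illustration, not HPE or Intel tooling."""
from typing import Dict, List, Tuple

# (component key, minimum version, step text) in the order the bulletin
# mandates.  Versions are copied from the bulletin text above.
REQUIRED_ORDER: List[Tuple[str, str, str]] = [
    ("system_rom", "1.26", "update the System ROM to version 1.26 (or later)"),
    ("innovation_engine", "0.1.5.2", "update the Innovation Engine to version 0.1.5.2 (or later)"),
    ("sps", "04.00.04.288", "update the SPS firmware to version 04.00.04.288"),
]
RECOVERY_SET_STEP = "update to the Gen10 System Recovery Set"


def parse_version(v: str) -> Tuple[int, ...]:
    """'04.00.04.288' -> (4, 0, 4, 288).  A leading 'Version'/'v' prefix and
    leading zeros are dropped so vendor strings compare numerically."""
    v = v.strip().lower()
    if v.startswith("version"):
        v = v[len("version"):].strip()
    v = v.lstrip("v")
    return tuple(int(part) for part in v.split("."))


def is_at_least(current: str, minimum: str) -> bool:
    """Numeric, length-padded comparison: '1.26' >= '1.26.0' is True and
    '1.2' >= '1.26' is False (a plain string compare would say True)."""
    a, b = parse_version(current), parse_version(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def remaining_steps(current: Dict[str, str], recovery_set_applied: bool) -> List[str]:
    """Return the bulletin steps still outstanding for one system, keeping
    the bulletin's order.  Missing components are treated as version 0
    (i.e. unknown counts as not updated)."""
    pending = [
        text
        for component, minimum, text in REQUIRED_ORDER
        if not is_at_least(current.get(component, "0"), minimum)
    ]
    if not recovery_set_applied:
        pending.append(RECOVERY_SET_STEP)
    return pending


if __name__ == "__main__":
    # Constructed inventory for a hypothetical Gen10 host (not real data).
    host = {"system_rom": "1.22", "innovation_engine": "0.1.5.2", "sps": "04.00.04.200"}
    for step in remaining_steps(host, recovery_set_applied=False):
        print("TODO:", step)
```

Feed it the version strings you collect from iLO or the HPE tools yourself; the check is only as good as the inventory data, and it does not replace the vendor's own update utilities.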
For the ProLiant DL20 Gen9, and the ProLiant ML30 Gen9 server:
Update the Server Platform Services (SPS) Firmware, and choose version 04.01.04.054 (or later).
For the ProLiant m710x Server Cartridge:
HPE ProLiant m710x Server Cartridge ME Firmware Version 10/17/2017
------------------------------------------------------