Support Information for INTEL-SA-00709 Intel® Active Management Technology and Intel® Standard Manageability Advisory

000091553

11/14/2023

Related content: INTEL-SA-00709

This article is intended for IT practitioners. Individual users should get specific guidance from their system manufacturers.

CVE-2022-30601 and CVE-2022-30944 Overview

CVE-2022-30601 and CVE-2022-30944 may be exposed when an Intel® AMT and Intel® Standard Manageability deployment is configured to use non-TLS (Transport Layer Security) ports. Deployment security best practices related to these two CVEs are discussed below.

Recommendations for CVE-2022-30601 and CVE-2022-30944

Intel recommends that users follow existing security best practices and alternate security controls, including enabling and using Transport Layer Security (TLS) for Intel® AMT and Intel® Standard Manageability. Intel also recommends that all Intel® AMT and Intel® Standard Manageability customers migrate to the TLS ports. Future Intel® AMT and Intel® Standard Manageability implementations will no longer offer non-TLS as an option. To facilitate this transition for customers currently using non-TLS ports, Intel will maintain support for non-TLS TCP/IP ports (as well as TLS) in Intel® AMT and Intel® Standard Manageability through 12th Generation Intel® Core™ processor-based platforms. Only TLS ports will be supported in Intel® AMT and Intel® Standard Manageability on platforms after the 12th Generation Intel® Core™ processor generation.

Additional Details for CVE-2022-30601

Intel® AMT and Intel® Standard Manageability support HTTP basic and HTTP digest authentication. When used without TLS, the password in basic or digest mode is susceptible to interception and replay of the Intel® AMT and Intel® Standard Manageability credentials to the firmware.

  • For users that have received a system that was not configured using Intel® EMA, Intel recommends following the specific steps needed to verify that TLS is enabled (available here). This will ensure that Intel® AMT and Intel® Standard Manageability is configured correctly after the device is delivered.
  • Configuration support in Intel® AMT and Intel® Standard Manageability was designed so that TLS can be enabled without unconfiguring and reconfiguring the device. Note that the software tools customers use to configure and operate Intel® AMT and Intel® Standard Manageability must also support TLS.
  • Intel® Endpoint Management Assistant (Intel® EMA) configures devices to use TLS.

Additional Details for CVE-2022-30944

Intel® AMT and Intel® Standard Manageability support HTTP basic and HTTP digest authentication. When used without TLS, the raw payloads of transactions over port 16992 are held in the operating system's memory as plain text, thereby exposing the Intel® AMT and Intel® Standard Manageability credentials.

  • Intel® AMT or Intel® Standard Manageability is susceptible to information disclosure: a privileged user on the host can read the unencrypted Intel® AMT or Intel® Standard Manageability password directly from operating system memory.
  • To mitigate this issue, Intel recommends Intel® AMT and Intel® Standard Manageability v14 or higher together with remote management software such as Intel® EMA when activating Intel® AMT and Intel® Standard Manageability, since these use TLS encryption for activation and communicate with Intel® AMT and Intel® Standard Manageability through the operating system-based software stack.
  • Intel® AMT and Intel® Standard Manageability firmware versions 11.8.x through 12.x do not support TLS for in-band activation.
  • If adding users or changing user credentials of Intel® AMT or Intel® Standard Manageability, only use a remote console over Intel® AMT or Intel® Standard Manageability with TLS.
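The two non-TLS findings above (credential interception and replay on port 16992, and the firmware ranges the advisory names for in-band TLS activation) lend themselves to a fleet triage check. The following is an added example, not Intel's tooling; it assumes that 16993 is the TLS counterpart of port 16992 (the standard Intel® AMT port assignment, not stated on this page) and uses a constructed sample inventory in place of real asset or scan data.

```python
# Added example (not Intel's code): triage helper for the INTEL-SA-00709 recommendations.
# Input is a constructed inventory; in practice it would come from your asset/scan data.
from dataclasses import dataclass, field

AMT_HTTP_PORT = 16992   # non-TLS port named in the advisory
AMT_HTTPS_PORT = 16993  # TLS port (standard Intel AMT assignment; assumption, not on the page)

def parse_version(ver: str) -> tuple:
    """'12.0.81' -> (12, 0, 81); non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in ver.strip().split("."))

def tls_activation_status(ver: str) -> str:
    """Map a firmware version to what the advisory says about in-band TLS activation."""
    major, minor = (parse_version(ver) + (0, 0))[:2]
    if (major == 11 and minor >= 8) or major == 12:
        return "unsupported"   # 11.8.x through 12.x: no TLS for in-band activation
    if major >= 14:
        return "recommended"   # v14 or higher is what Intel recommends
    return "unknown"           # advisory makes no statement (e.g. 13.x, older 11.x)

@dataclass
class Host:
    name: str
    firmware: str
    open_ports: set = field(default_factory=set)

def assess(host: Host) -> list:
    """Return the findings a defender should act on for one host."""
    findings = []
    amt_ports = {AMT_HTTP_PORT, AMT_HTTPS_PORT} & host.open_ports
    if not amt_ports:
        return findings  # AMT not reachable: unprovisioned or network access disabled
    if AMT_HTTP_PORT in amt_ports:
        findings.append("non-TLS port 16992 reachable: credentials open to interception/replay (CVE-2022-30601)")
    if AMT_HTTPS_PORT not in amt_ports:
        findings.append("TLS port 16993 not listening: enable TLS (INTEL-SA-00709 recommendation)")
    if tls_activation_status(host.firmware) == "unsupported":
        findings.append(f"firmware {host.firmware}: in-band TLS activation unsupported; use TLS-capable remote tooling")
    return findings

def audit_fleet(hosts=None) -> dict:
    """Audit the supplied hosts (or a constructed sample fleet); map host name -> findings."""
    if hosts is None:
        hosts = [
            Host("ws-01", "12.0.81", {16992}),         # legacy firmware, non-TLS only
            Host("ws-02", "15.0.30", {16993}),         # TLS only, as recommended
            Host("ws-03", "14.1.60", {16992, 16993}),  # both ports: migration incomplete
            Host("ws-04", "16.1.25", set()),           # AMT not reachable
        ]
    return {h.name: assess(h) for h in hosts}

if __name__ == "__main__":
    for name, findings in audit_fleet().items():
        print(name, "OK" if not findings else "; ".join(findings))
```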

CVE-2022-28697 Overview

CVE-2022-28697 may be exposed when the BIOS password is not set to protect the Intel® AMT configuration in Intel® Management Engine BIOS Extension (Intel® MEBx). BIOS password security best practices are discussed in the document below:

Recommendations for CVE-2022-28697

Intel recommends that users follow existing security best practices and alternate security controls, including enabling BIOS password protection on the Intel® Management Engine BIOS Extension (Intel® MEBx). Set a non-default password for Intel® AMT or Intel® Standard Manageability immediately after receiving the system from the system manufacturer.

Additional Details for CVE-2022-28697

An unauthenticated user with physical access to the platform may be able to provision AMT without the knowledge of the end-user.

Note that the steps below are for reference and may vary by system manufacturer.

  • A user can verify if Intel® AMT or Intel® Standard Manageability has been configured by accessing the MEBX during boot.
  • If the MEBX was used to configure Intel® AMT or Intel® Standard Manageability, the default username and password would have to be changed to another value.
  • If a user cannot access the menu due to an unknown password, Intel® AMT or Intel® Standard Manageability must be factory reset to restore the default username and password and to ensure that Intel® AMT or Intel® Standard Manageability is not configured. Contact the system manufacturer for instructions on performing such a reset.
  • If a user changes the password and logs in, they can go to the Intel® AMT or Intel® Standard Manageability configuration menu and check to see if the “Activate Network Access” option is available.
    • If the menu option is present, that indicates that Intel® AMT or Intel® Standard Manageability are not configured.
    • If the menu option is not present, then Intel® AMT or Intel® Standard Manageability have been configured on that device.
  • Intel® AMT or Intel® Standard Manageability can be unconfigured from this same menu. This will ensure that Intel® AMT or Intel® Standard Manageability is configured correctly after the device is delivered.