
Problem this snippet solves:

This code snippet detects and blocks clients attempting to exploit the Intel AMT vulnerability.

How to use this snippet:

I intentionally developed two code snippets that can be used on a "Layer 4 Any" Virtual Server. All traffic must go through this Virtual Server for the iRule to be able to detect attempts to exploit the Intel AMT vulnerability.

With the first code snippet, you can trap all attempts to access Intel AMT web services:

when CLIENT_ACCEPTED {
    # Ports used by Intel AMT / ASF. 16994 is assumed here in place of the
    # original snippet's 1699, which appears to be a typo.
    switch [TCP::remote_port] {
        "16992" -
        "16993" -
        "16994" -
        "16995" -
        "623" -
        "664" {
            log local0. "Intel AMT access attempt made by [IP::client_addr]"
            discard
            return
        }
    }
}

Basically, in this scenario, we are looking for attempts to connect to the specific ports used by Intel AMT. On the other hand, this check alone is not enough, so I decided to add a second code snippet:

when SERVER_CONNECTED {
    # Hold the server's first payload so SERVER_DATA can inspect it
    TCP::collect
}
when SERVER_DATA {
    set payload [TCP::payload]
    if { $payload starts_with "HTTP" and $payload contains "Server: AMT" } {
        log local0. "Intel AMT access attempt made by [IP::client_addr]"
        discard
        return
    }
    # Not an AMT banner: forward the held data, otherwise the connection stalls
    TCP::release
}

The main pain point regarding this iRule is performance. I have not had the opportunity to test it, but I know that TCP::collect will impact performance.

Now, I enhance the iRule by combining both code snippets like this:

when CLIENT_ACCEPTED {
    set attempt 0
    # Ports used by Intel AMT / ASF. 16994 is assumed here in place of the
    # original snippet's 1699, which appears to be a typo.
    switch [TCP::remote_port] {
        "16992" -
        "16993" -
        "16994" -
        "16995" -
        "623" -
        "664" {
            log local0. "Intel AMT access attempt made by [IP::client_addr]"
            set attempt 1
        }
    }
}

when SERVER_CONNECTED {
    # Only pay the cost of TCP::collect for connections flagged above
    if { [info exists attempt] and $attempt } {
        TCP::collect
    }
}
when SERVER_DATA {
    set payload [TCP::payload]
    if { $payload starts_with "HTTP" and $payload contains "Server: AMT" } {
        log local0. "Intel AMT access attempt made by [IP::client_addr]"
        discard
        return
    }
    # Not an AMT banner: forward the held data, otherwise the connection stalls
    TCP::release
}

This way, TCP collection is only activated when there is a suspicious connection attempt.
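To check the two-stage decision without a BIG-IP, here is an added Python model of what the combined iRule's handlers decide for a few connections (it is not the iRule itself; the port set assumes 16994 for the snippet's 1699, and the server banners are constructed):

```python
"""Offline model of the combined iRule's CLIENT_ACCEPTED / SERVER_CONNECTED /
SERVER_DATA decisions, replayed over constructed connections."""

# Ports the iRule watches; 16994 is assumed here where the snippet lists 1699.
AMT_PORTS = {16992, 16993, 16994, 16995, 623, 664}


def client_accepted(remote_port: int) -> int:
    """CLIENT_ACCEPTED: the 'attempt' flag (1 = connection to a watched port)."""
    return 1 if remote_port in AMT_PORTS else 0


def server_data(payload: bytes) -> str:
    """SERVER_DATA: mirrors `starts_with "HTTP"` and `contains "Server: AMT"`."""
    if payload.startswith(b"HTTP") and b"Server: AMT" in payload:
        return "discard"
    return "release"  # TCP::release forwards the held bytes


def decide(remote_port: int, first_server_bytes: bytes) -> str:
    """Whole-connection outcome: 'pass' (never collected), 'release' or 'discard'."""
    if not client_accepted(remote_port):
        return "pass"  # SERVER_CONNECTED skips TCP::collect, nothing is inspected
    return server_data(first_server_bytes)


# Constructed sample connections: (remote port, first bytes sent by the server).
SAMPLES = [
    (16992, b"HTTP/1.1 200 OK\r\nServer: AMT\r\n\r\n"),  # AMT banner on its own port
    (623, b"\x06\x00\xff\x07"),                         # non-HTTP on a watched port
    (443, b"HTTP/1.1 200 OK\r\nServer: AMT\r\n\r\n"),   # AMT banner, unwatched port
    (80, b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"),  # ordinary web traffic
]


def run_samples():
    """Verdict per sample: [(16992, 'discard'), (623, 'release'), (443, 'pass'), (80, 'pass')]."""
    return [(port, decide(port, banner)) for port, banner in SAMPLES]


if __name__ == "__main__":
    for port, verdict in run_samples():
        print(f"port {port:5d} -> {verdict}")
```

The third sample shows the trade-off of the combined version: a response carrying `Server: AMT` on a port that is not in the list is never collected, so only the first, port-based stage decides for it.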

Code :

when CLIENT_ACCEPTED {
    set attempt 0
    # Ports used by Intel AMT / ASF. 16994 is assumed here in place of the
    # original snippet's 1699, which appears to be a typo.
    switch [TCP::remote_port] {
        "16992" -
        "16993" -
        "16994" -
        "16995" -
        "623" -
        "664" {
            log local0. "Intel AMT access attempt made by [IP::client_addr]"
            set attempt 1
        }
    }
}

when SERVER_CONNECTED {
    # Only pay the cost of TCP::collect for connections flagged above
    if { [info exists attempt] and $attempt } {
        TCP::collect
    }
}
when SERVER_DATA {
    set payload [TCP::payload]
    if { $payload starts_with "HTTP" and $payload contains "Server: AMT" } {
        log local0. "Intel AMT access attempt made by [IP::client_addr]"
        discard
        return
    }
    # Not an AMT banner: forward the held data, otherwise the connection stalls
    TCP::release
}

Tested this on version:

11.0
Last update: 16-May-2017 14:03