Mitigate Intel AMT vulnerability - CVE-2017-5689

Problem this snippet solves:

This code snippet detects and blocks clients attempting to exploit Intel AMT vulnerability.

How to use this snippet:

I intentionally developed two code snippets that can be used on a "Layer 4 Any Virtual Server". All traffic must go through this Virtual Server to be able to detect the attempts to exploit the Intel AMT vulnerability.

With the first code snippet, you can trap all attempts to access Intel AMT web services :

when CLIENT_ACCEPTED {
    switch [TCP::remote_port] {
        "16992" -
        "16993" -
        "1699" -
        "16995" -
        "623" -
        "664" {
            log local0. "Intel AMT access attempt made by [IP::client_addr]"
            discard
            return
        }
    }
}

Basically, in this scenario, we are looking for attempts to connect on specific ports used by Intel AMT. But in the other hand, this check is not enough, so I decided to add the second code snippet :

when SERVER_CONNECTED {
  TCP::collect
}
when SERVER_DATA {
  set payload [TCP::payload]
  if { $payload starts_with "HTTP" and $payload contains "Server: AMT" } {
    log local0. "Intel AMT access attempt made by [IP::client_addr]"
    discard
    return
  }
}

The main pain point regarding This irule is performance issues. I do not had the opportunity to test it, but I know that TCP::collect will impact performances.

Now, I enhance the irule by combining both code snippet like this :

when CLIENT_ACCEPTED {
    set attempt 0
    switch [TCP::remote_port] {
        "16992" -
        "16993" -
        "1699" -
        "16995" -
        "623" -
        "664" {
            log local0. "Intel AMT access attempt made by [IP::client_addr]"
            set attempt 1
        }
    }
}

when SERVER_CONNECTED {
  if { [info exists attempt] and $attempt } {
    TCP::collect
  }
}
when SERVER_DATA {
  set payload [TCP::payload]
  if { $payload starts_with "HTTP" and $payload contains "Server: AMT" } {
    log local0. "Intel AMT access attempt made by [IP::client_addr]"
    discard
    return
  }
}

This way, I'm able to activate the TCP collection only when I have a suspicious connection attempt.

Code :

when CLIENT_ACCEPTED {
    set attempt 0
    switch [TCP::remote_port] {
        "16992" -
        "16993" -
        "1699" -
        "16995" -
        "623" -
        "664" {
            log local0. "Intel AMT access attempt made by [IP::client_addr]"
            set attempt 1
        }
    }
}

when SERVER_CONNECTED {
  if { [info exists attempt] and $attempt } {
    TCP::collect
  }
}
when SERVER_DATA {
  set payload [TCP::payload]
  if { $payload starts_with "HTTP" and $payload contains "Server: AMT" } {
    log local0. "Intel AMT access attempt made by [IP::client_addr]"
    discard
    return
  }
}

Tested this on version:

11.0
Updated Jun 06, 2023
Version 2.0

Was this article helpful?

No CommentsBe the first to comment