by lclarkmichalek 3324 days ago
From the readme:

  In this state, AMT is not vulnerable to CVE-2017-5689.

Thanks! Missed this part. Also, do you think it's a good idea to keep it in this state as opposed to updating in case Intel's new patches lock AMT down even further? This is the pattern I saw with Sony once - groups of users not updating their consoles because via exploiting it they could get more control over it.
You should be able to disable it in the BIOS. If you're not going to use it, I'd suggest disabling it. You could always reenable it later, should you find a need for it.
Is disabling always possible? I don’t find a UI to disable it in the recent Lenovo ThinkStation BIOS even though I’ve seen such an option previously in the ThinkPad BIOS.
Intel has provided a mitigation guide that goes through how to disable LMS (local manageability services), which AMT is a part of. Take a look: https://downloadmirror.intel.com/26754/eng/Intel-SA-00075%20...
I meant disabling the ME-side stuff from BIOS. That’s for disabling the Windows-side component.
I disabled it in BIOS on my Lenovo T450s back when this was first reported and the tool reports...

  Intel AMT is present
  AMT is unprovisioned

So disabling it puts it in the same state.

I have no BIOS option at all for this, yet it’s enabled and provisioned. What do I do?
Well, firstly, don't connect your machine to networks you don't trust the members of :)

If your machine's manufacturer still supports the device, check if they have any firmware updates available. Hopefully they will have recent updates that include a fix for the AMT authn issue.

If you want to disable it, Intel has provided a mitigation guide which has instructions on disabling LMS (which AMT is part of): https://downloadmirror.intel.com/26754/eng/Intel-SA-00075%20.... I've not had to follow it myself, good luck if you do :)

I'm just repeating stuff I've read from MJG, take a look at his FAQ around this issue: https://mjg59.dreamwidth.org/48429.html

The machine is self-assembled, and the motherboard manufacturer doesn’t provide updates.

I don’t run Windows, though.

> Well, firstly, don't connect your machine to networks you don't trust the members of :)

I’ve already had issues with the Intel card, so I’m running on a Realtek ethernet card for now anyway. But that’s no long-term solution.

Now I’m curious how a self-assembled computer got into the provisioned state.