Vulnerability Note VU#491375
Intel Active Management Technology (AMT) does not properly enforce access control
Technologies based on Intel Active Management Technology may be vulnerable to remote privilege escalation, which may allow a remote, unauthenticated attacker to execute arbitrary code on the system.
CWE-284: Improper Access Control - CVE-2017-5689
Intel offers a number of hardware-based remote management technologies meant for maintenance of computer systems. These technologies include Intel® Active Management Technology (AMT), Intel® Small Business Technology (SBT), and Intel® Standard Manageability, and the Intel Management Engine.
A remote, unauthenticated attacker may be able to gain access to the remote management features of the system. The execution occurs at a hardware system level regardless of operating system environment and configuration.
Apply a firmware update
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Dell||Affected||02 May 2017||09 May 2017|
|F5 Networks, Inc.||Affected||02 May 2017||15 May 2017|
|Fujitsu||Affected||04 May 2017||11 May 2017|
|Hewlett Packard Enterprise||Affected||02 May 2017||05 May 2017|
|HP Inc.||Affected||-||08 May 2017|
|Intel Corporation||Affected||-||02 May 2017|
|Lenovo||Affected||02 May 2017||08 May 2017|
|Toshiba America Information Systems, Inc.||Affected||-||22 May 2017|
|Cisco||Not Affected||02 May 2017||03 May 2017|
|ACCESS||Unknown||02 May 2017||02 May 2017|
|Acer||Unknown||02 May 2017||02 May 2017|
|Alcatel-Lucent||Unknown||02 May 2017||02 May 2017|
|AsusTek Computer Inc.||Unknown||02 May 2017||02 May 2017|
|AT&T||Unknown||02 May 2017||02 May 2017|
|Avaya, Inc.||Unknown||02 May 2017||02 May 2017|
CVSS Metrics (Learn More)
Intel thanks Maksim Malyutin from Embedi for reporting this issue and coordinating with Intel.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2017-5689
- Date Public: 01 May 2017
- Date First Published: 02 May 2017
- Date Last Updated: 22 May 2017
- Document Revision: 73
If you have feedback, comments, or additional information about this vulnerability, please send us email.