CVE-2017-5689 — Intel Active Management Technology (AMT) Authentication Bypass Vulnerability

Intel AMT / ME — Digest Authentication strncmp Bypass via Empty Hash Enables Unauthenticated Remote KVM Console Access; CRITICAL 9.8; Patched May 2017

What Is Intel AMT?

Intel Active Management Technology (AMT) is an out-of-band management capability built into Intel vPro processors. AMT runs on Intel's Management Engine (ME) — a separate microcontroller with its own firmware that operates independently of the host CPU and operating system, continuing to function even when the main OS is powered off, crashed, or reinstalled. AMT enables IT administrators to remotely manage computers: full keyboard/video/mouse (KVM) control, hardware power management, remote disk boot, and system monitoring — all bypassing the host OS entirely. AMT communicates over dedicated network ports (16992/16993) that remain active independent of OS state. A CVE-2017-5689 compromise gives an attacker the same capabilities as physical console access to the machine — completely invisible to the host OS.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on January 28, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-5689 is a critical authentication bypass in Intel AMT, Intel Small Business Technology (SBT), and Intel Standard Manageability. A flaw in the HTTP Digest authentication implementation — comparing response hashes using a length derived from the user-supplied value rather than the expected value — allows an attacker to authenticate as any user, including admin, by sending an empty or trivially short response hash. An unauthenticated attacker with network access to AMT ports (16992/16993) gains full remote KVM console, disk, and power management access to the target machine, operating entirely outside and invisible to the host operating system. Fixed via Intel firmware updates in May 2017 (INTEL-SA-00075). CISA added CVE-2017-5689 to the KEV catalog in January 2022.

Affected Versions

| Firmware | Status |
| --- | --- |
| Intel ME firmware 6.x through 11.6 (AMT/SBT) | Vulnerable |
| Intel ME firmware with INTEL-SA-00075 patch applied | Fixed |

Not all Intel processors include AMT; AMT is present primarily on Intel Core vPro, Intel Xeon, and some Core i5/i7 business-class systems. Consumer CPUs typically include ME but not the full AMT feature set.

Technical Details

Root Cause: strncmp Length Derived from Attacker-Controlled Response

CVE-2017-5689 exploits a fundamental logic error in Intel AMT's HTTP Digest authentication implementation. HTTP Digest authentication uses a challenge-response mechanism:

  1. Server sends a nonce (random challenge)
  2. Client computes H(username:realm:password) and derives a response hash
  3. Server verifies the response by computing the expected hash independently and comparing

The bug: Intel AMT's comparison uses the length of the user-provided response parameter as the comparison length for strncmp() (or equivalent):

// Vulnerable (conceptual):
strncmp(expected_hash, user_response, strlen(user_response))

If the attacker sends an empty string or a single-byte response, strlen(user_response) is 0 or 1, and strncmp() returns 0 (equal) for any expected hash — authentication always succeeds.
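The comparison flaw described above, next to a hardened form, as an added example (not Intel's firmware code, which this page shows only conceptually). The function names, the 32-character digest length (an MD5 hex response) and the sample digest value are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: an MD5-based Digest response is 32 hex characters. */
#define DIGEST_HEX_LEN 32

/* Constructed sample standing in for the digest the server computes. */
static const char SAMPLE_EXPECTED[] = "0123456789abcdef0123456789abcdef";

/* Flawed pattern from the text: the compare length is taken from the
 * client-supplied response, so an empty response compares zero bytes. */
int check_response_vulnerable(const char *expected, const char *response)
{
    return strncmp(expected, response, strlen(response)) == 0;
}

/* Hardened form: the response must have exactly the expected length, and
 * every byte is compared without an early exit. */
int check_response_fixed(const char *expected, const char *response)
{
    unsigned char diff = 0;
    size_t i;

    if (strlen(expected) != DIGEST_HEX_LEN ||
        strlen(response) != DIGEST_HEX_LEN)
        return 0;
    for (i = 0; i < DIGEST_HEX_LEN; i++)
        diff |= (unsigned char)(expected[i] ^ response[i]);
    return diff == 0;
}

int main(void)
{
    /* Constructed inputs: empty, a one-character prefix of the sample,
     * a wrong full-length value, and the correct value. */
    const char *inputs[] = {
        "", "0", "ffffffffffffffffffffffffffffffff", SAMPLE_EXPECTED
    };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("response=\"%s\" vulnerable=%d fixed=%d\n", inputs[i],
               check_response_vulnerable(SAMPLE_EXPECTED, inputs[i]),
               check_response_fixed(SAMPLE_EXPECTED, inputs[i]));
    return 0;
}
```

The flawed check accepts the empty response, and also any response that is only a leading fragment of the expected digest; the hardened check rejects both because the length is fixed on the server side before any bytes are compared.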

Impact:

  • Attacker sends an AMT HTTP authentication request with response="" (empty string)
  • AMT evaluates the comparison as success regardless of the password
  • Full AMT administrator access granted — KVM, power control, disk, provisioning

Out-of-OS access: AMT operates below and independent of the operating system; access via CVE-2017-5689 bypasses all OS authentication, host-based firewalls, IDS/IPS, EDR agents, and logs. Compromise is invisible to OS-level security tools.

Attack Characteristics

| Attribute | Detail |
| --- | --- |
| Attack Vector | Network — AMT ports 16992 (HTTP) or 16993 (HTTPS) |
| Authentication | None required (empty response hash bypasses Digest auth) |
| Impact | Full out-of-band KVM/disk/power access to machine |
| OS Visibility | Zero — AMT operates below OS, bypasses all OS security |

Discovery

The vulnerability was discovered by security researchers at Embedi (subsequently acquired), who reported it to Intel in February 2017. Intel released INTEL-SA-00075 on May 1, 2017; Embedi published technical details on May 5, 2017.

Exploitation Context

  • Silent, OS-transparent access: CVE-2017-5689 is exceptional because exploitation is invisible to the compromised machine's operating system, security software, and logs; AMT operates as a dedicated hardware subsystem; this makes it ideal for persistent, undetectable nation-state implants
  • Physical console equivalent: AMT KVM access provides the equivalent of sitting at the keyboard of the target machine — an attacker can reinstall the OS, inject BIOS-level implants, install bootkit malware, or access disk contents regardless of full-disk encryption
  • Enterprise deployment scale: AMT is deployed in millions of corporate workstations and servers; organizations with large Intel vPro fleets had significant exposure if AMT was provisioned and AMT ports were reachable
  • Nation-state interest: The ability to access machines below OS level, persist through OS reinstalls, and remain invisible to EDR makes AMT vulnerabilities priority targets for intelligence agencies; CVE-2017-5689's KEV inclusion reflects confirmed exploitation
  • AMT provisioning required: Exploitation requires AMT to be provisioned and the AMT network ports to be accessible; many enterprise deployments provision AMT for manageability, exposing this attack surface
  • CISA KEV (2022): Added January 28, 2022, reflecting active exploitation against enterprise and government targets

Remediation

CISA BOD 22-01 Deadline: July 28, 2022. Apply updates per vendor instructions.

  1. Apply Intel AMT firmware update (INTEL-SA-00075) — update Intel ME firmware to the patched version via your OEM (Dell, HP, Lenovo, etc.); AMT firmware updates are distributed by hardware vendors, not Windows Update. Check your OEM's driver and firmware support page.

  2. Disable AMT if not required — if AMT is not actively used for remote management, disable it in the BIOS/UEFI setup (Intel ME Configuration → Manageability Feature Selection → Disabled) and unprovision AMT.

  3. Block AMT ports at network level — even if AMT is in use, ensure AMT ports (TCP 16992, 16993) are not accessible from untrusted networks; these ports should only be reachable from the dedicated out-of-band management network.

  4. Audit AMT provisioning state — use Intel's INTEL-SA-00075 Discovery Tool (available from Intel) to identify which systems in your environment have AMT provisioned and are potentially affected; unprovision AMT on unmanaged or unnecessary systems.

  5. Deploy OOB management network isolation — if using AMT for legitimate remote management, segregate AMT traffic on a dedicated VLAN accessible only from the management workstations, completely separate from production and user traffic.

Key Details

| Property | Value |
| --- | --- |
| CVE ID | CVE-2017-5689 |
| Vendor / Product | Intel — Active Management Technology (AMT), Small Business Technology (SBT), and Standard Manageability |
| NVD Published | 2017-05-02 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-287 — Improper Authentication |
| CISA KEV Added | 2022-01-28 |
| CISA KEV Deadline | 2022-07-28 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-07-28. Apply updates per vendor instructions.

Timeline

| Date | Event |
| --- | --- |
| 2017-05-01 | Intel publishes INTEL-SA-00075; releases patched AMT firmware for affected platforms |
| 2017-05-02 | CVE-2017-5689 published; security researchers analyze the authentication bypass |
| 2017-05-05 | Embedi publishes technical details of the authentication bypass mechanism |
| 2022-01-28 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-07-28 | CISA BOD 22-01 remediation deadline |

References

| Resource | Type |
| --- | --- |
| NVD — CVE-2017-5689 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Intel Security Advisory INTEL-SA-00075 | Vendor Advisory |