Intel Active Management exploit

Discussion in 'Fujitsu' started by Rondo60, May 9, 2017.

  1. Rondo60

  2. Starlight5

  3. ATIVQ

    You can mitigate this particular exploit by disabling the built-in AMT webserver with Intel SCS.
     
  4. Restroom

    In addition, if you don't utilise Intel AMT (you'd know if you did; if your T935 came from your organisation READ NO FURTHER AND IGNORE), it can be disabled through your BIOS: first, go to this Fujitsu page, then select, left-to-right, 'Notebook PC'>'T Series'>'T935'>(little red 'GO' button); select 'Downloads'; install both the 'T935 BIOS' and 'PMU Firmware v1918' if not already updated. Then restart the machine, rapidly pressing the F2 key during restart, to get to the BIOS options, and use the (bottommost) on-screen controls to navigate until you find a setting called ~"Intel(TM) Active Management **** ———— ENABLED" and, according to those same controls, change the option to read "DISABLED". Then use that same controls list to "SAVE AND RESTART" or something similar. This has the effect of disabling the bit(mask) for low-level access to the AMT communication-channels, which, again, if this is a private machine, best practices dictate disabling anyhow.
     
  5. Rondo60

    Thanks a lot, I will give it a try. A bit apprehensive to update firmware as I don't want to brick my machine.
     
  6. Restroom

    Understandable, but even if you don't wish to update your chipset drivers or BIOS, you can still disable AMT at the BIOS if it's not something you use; such an action would negate any need to try to resolve the issue via software fixes, as the entire feature(set) would be disabled at the hardware level prior to boot. I make a point to disable and "remove" such things (for example, I'm not using any of the vPro features on this machine, so I switch it off in BIOS and uninstall any of Intel's related software/some drivers in streamlining the software/OS/ALs, though it's never as simple as this sounds) as part of my uh whatever-it's-called self-deployment trimming. Not only does this process contribute to the reduction in overhead allowing my now-6½-year-old to perform within my desired standards, but as I **** things up along the way with some frequency and am forced to learn how to fix them, so am I enriched by the process!
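
A way to confirm either mitigation mentioned in this thread (disabling the AMT web server, or disabling AMT in the BIOS) actually took effect, as an added example that is not part of any post above. It assumes the AMT web interface uses TCP ports 16992 (HTTP) and 16993 (HTTPS) and names itself in the HTTP `Server` header; the function names are made up for this sketch. Run it from a second machine on the same network against the address of the machine you changed.

```python
import re
import socket
import sys

# Assumption: 16992 (HTTP) and 16993 (HTTPS) are the AMT web interface ports.
AMT_WEB_PORTS = (16992, 16993)
# Assumption: the AMT web server identifies itself in the Server header.
AMT_BANNER = re.compile(rb"^Server:.*Active Management Technology", re.I | re.M)


def probe(host, port, timeout=3.0):
    """Return 'closed' (no TCP connection, refused or filtered),
    'open' (something answers) or 'amt' (AMT banner seen)."""
    request = (b"GET / HTTP/1.1\r\nHost: " + host.encode()
               + b"\r\nConnection: close\r\n\r\n")
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                s.sendall(request)
                while len(data) < 4096:
                    chunk = s.recv(1024)
                    if not chunk:
                        break
                    data += chunk
            except OSError:
                pass  # TLS-only port or silent peer: the port is still open
    except OSError:
        return "closed"
    return "amt" if AMT_BANNER.search(data) else "open"


def amt_web_status(host, ports=AMT_WEB_PORTS):
    """Probe every AMT web port and map port -> state."""
    return {port: probe(host, port) for port in ports}


def mitigated(status):
    """True only when none of the probed ports accepted a connection."""
    return all(state == "closed" for state in status.values())


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: amt_check.py <address-of-your-machine>")
    result = amt_web_status(sys.argv[1])
    print(result)
    print("no AMT web ports reachable" if mitigated(result)
          else "AMT web ports still reachable")
```

A result of `closed` on both ports is what you want to see after disabling the feature; `open` or `amt` on either port means something is still listening there.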
     