I don't see a QID for this. Is Qualys going to release something?
Intel® Product Security Center
Intel® Management Engine Critical Firmware Update (Intel SA-00086)
QID: 38693 Intel Active Management Technology Multiple Remote Code Execution Vulnerabilities
QID Detection Logic (Un-authenticated): Intel AMT when enabled exposes its version remotely on TCP ports 16992, 16993. This QID matches vulnerable versions based on the exposed information.
There are a few things to take note of regarding this signature and they are as follows:
1. The detections for this QID relate to a remote attack as stated in the title "...Multiple Remote Code Execution Vulnerabilities."
2. If TCP ports 16992 and 16993 are not open, the target is not vulnerable to a remote attack.
3. This is considered a Potential vulnerability because 'manual' intervention is required and, if the target is not remotely vulnerable, the scanner cannot determine if someone has local access to the system, which is required to exploit a system that does not have the Intel patches applied.
Excerpt from reference provided in this QID:
Note: CVEs referenced in this advisory require Local or Physical access to the system potentially being exploited (AV:L in the CVSSv3 Vectors column) with the exception of CVE-2017-5712. CVE-2017-5712 is potentially exploitable over a network (AV:N).
For an explanation of the conditions where Local access vs. Physical access is required to exploit a vulnerability see the FAQ section listed in the Intel Customer Support article http://www.intel.com/sa-00086-support
QID 38693 "Intel Active Management Technology Multiple Remote Code Execution Vulnerabilities" was released into production on 11/24/2017.
I am not seeing detections on this QID even though I have confirmed vulnerable workstations that have been tested with Intel's provided assessment tool.
I've seen quite a few QIDs using PANOS when it doesn't seem to apply, very confusing and frustrating.
Why does this QID have PANOS listed for Authentication? It's very confusing. Is this just a signature to check whether our FWs are vulnerable or not? I have used this QID to scan Servers and Workstations and I get no results when I know at least a few of them are vulnerable (according to the Intel Detection Tool).
I've asked Support to look at this.
Do any of you have a support case for this? If yes, please direct message it to me or email me at community-manager at Qualys, and I will escalate with Support. Thanks.
I have an open case on this.
Thank you! I escalated your case.
Be sure your firewall isn't blocking TCP ports 16992, 16993 -- both are required by the detection. I don't know whether this will solve everyone's issue, but it will solve it for at least one of the tickets filed.
I do not agree that we should open up the host firewall for proper detection. On Win10 the default firewall appears to have these ports blocked.
It's unfortunate that the agent does not pick this up. And since we do use the agent, we typically do not do remote scans. But our host FW does have a rule allowing our scanners through, so I will test this out on a few machines that we know are vulnerable.
This appears to only be detected via remote/unauthenticated scanning, so if your host firewall blocks those ports you will not get a detection. However, if a threat actor compromises a system and can get onto the host, they could exploit this vulnerability.
I do not understand why the detection logic is not using authenticated detection methods.
Intel AMT is a hardware/firmware based out-of-band access technology, accessible independently of the host operating system. It is therefore not appropriate to provide this as an authenticated detection, as authenticated access to the host does not guarantee access to the Intel AMT interface. Similarly, access to the Intel AMT interface is possible even when the host OS is in Sleep mode, so while an authenticated scan would fail, the remote scan would still detect the vulnerability.
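The detection logic quoted for QID 38693 above (version exposed on TCP 16992/16993, closed ports meaning "not remotely detectable" rather than "patched") and the explanation of why the check is remote-only are easier to reason about with a small worked model. The following is an added example written for this page; it is not Qualys' signature, Intel's assessment tool, or any vendor code. It assumes that the AMT web server announces its firmware version in an HTTP `Server` header (an assumption about the banner format), and the `FIXED_BUILD` table holds placeholder values that are not Intel's fixed builds; the sample responses are constructed, not captured from real devices.

```python
import re
import socket
import ssl
import sys
from typing import Callable, Optional, Tuple

# Ports named in the thread: 16992 (HTTP) and 16993 (HTTPS) for the AMT web interface.
AMT_PORTS = (16992, 16993)

Version = Tuple[int, ...]

# ASSUMPTION about the banner format, e.g.
# "Server: Intel(R) Active Management Technology 11.6.27.3264".
BANNER_RE = re.compile(
    r"^Server:\s*Intel\(R\)\s+Active Management Technology\s+(\d+(?:\.\d+){1,3})",
    re.IGNORECASE | re.MULTILINE,
)

# PLACEHOLDER table constructed for this example: for each firmware series
# (major.minor) the first build that carries the fix. These values are NOT
# Intel's; populate them from the vendor advisory before trusting a result.
FIXED_BUILD = {
    (11, 0): (11, 0, 99, 9999),
    (11, 6): (11, 6, 99, 9999),
}

# Constructed sample responses for offline use (not captured from real devices).
SAMPLE_AMT = "HTTP/1.1 200 OK\r\nServer: Intel(R) Active Management Technology 11.6.27.3264\r\n\r\n"
SAMPLE_OTHER = "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"


def parse_version(raw_response: str) -> Optional[Version]:
    """Extract the firmware version from an HTTP response; None if no AMT banner."""
    match = BANNER_RE.search(raw_response)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def _pad(v: Version, length: int) -> Version:
    return tuple(v) + (0,) * (length - len(v))


def classify_version(version: Version) -> str:
    """Compare a parsed version with the first fixed build of its series."""
    fixed = FIXED_BUILD.get(version[:2])
    if fixed is None:
        return "UNKNOWN_SERIES"   # not in the table: an analyst must check the advisory
    width = max(len(version), len(fixed))
    return "VULNERABLE" if _pad(version, width) < _pad(fixed, width) else "PATCHED"


def assess_response(raw_response: str) -> str:
    """Classify one HTTP response read from an AMT port."""
    version = parse_version(raw_response)
    if version is None:
        return "NO_AMT_BANNER"   # port open, but it is not the AMT web server
    return classify_version(version)


def grab_banner(host: str, port: int, timeout: float = 3.0) -> Optional[str]:
    """Fetch HTTP response headers from one port; None if refused, filtered or timed out.

    16993 is the TLS port, so it is wrapped without certificate verification:
    only the banner is wanted, no credentials are sent.
    """
    request = b"GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host.encode()
    sock = None
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if port == 16993:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(request)
        data = b""
        while b"\r\n\r\n" not in data and len(data) < 8192:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
        return data.decode("latin-1", errors="replace")
    except OSError:   # covers socket.timeout and ssl.SSLError
        return None
    finally:
        if sock is not None:
            sock.close()


def assess_host(host: str, fetch: Callable[[str, int], Optional[str]] = grab_banner) -> str:
    """Try each AMT port; a host answering on neither cannot be fingerprinted remotely."""
    for port in AMT_PORTS:
        raw = fetch(host, port)
        if raw is not None:
            return assess_response(raw)
    # Mirrors notes 2 and 3 in the thread: closed ports mean no remote detection,
    # which is not the same as "patched" against an attacker with local access.
    return "NOT_REMOTELY_DETECTABLE"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: amt_check.py <host>")
    print(sys.argv[1], assess_host(sys.argv[1]))
```

The `fetch` parameter exists so the classification logic can be exercised offline with the constructed responses; against a host whose firewall drops 16992 and 16993 the result is `NOT_REMOTELY_DETECTABLE`, which is exactly the state the thread describes as a Potential finding rather than a clean one.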