I have a feeling that ...
... this is going to get ugly exponentially.
Microsoft is warning against a new way to exploit Intel's Active Management Technology, this time to pass messages between infected machines over business LANs. So far, Microsoft says, the attack (which uses a variant of 2016's Platinum file transfer tool) has only been spotted in Asia, and fortunately it can only be exploited …
It seems whenever a new class of vulnerabilities is found, security researchers all start looking closely at it, and a flood of vulnerabilities follows. The trickle is just starting; the flood begins in, let's say, September or so. Better not plan on any triple-digit uptimes for any servers you manage; you're going to be updating the firmware a lot more often than that!
Yes, this is just the serial port. Many of those systems have the ability to load ISO images as CD-ROMs... since Windows automatically mounts new CD-ROMs it sees and executes code from them, that's easily wormable.
Simply put, the more complexity you put into a system, the less secure it'll get. Here you even have hidden complexity, as many people will not know about that feature. Since it's also on your main network interface, you cannot even go the sane way and use a dedicated control network (or in fact have it on a separate switch and just activate the ports you want to do maintenance on).
I would've thought that leaving the on-board NIC(s) unused and using a separate NIC would neuter this approach, as it would seem logical that AMT would rely on the PHY built into the PCH on the motherboard. Then again, if your add-on NIC is also Intel based (quite likely, as many Realteks, for example, are, well, a bit crap to be honest), perhaps it is not beyond reach of AMT's tentacles.
Likewise, if you did actually want to use AMT, you could at least have that on a separate switch and/or VLAN and use an additional NIC for non-management traffic.