I am looking to find some concrete information on what steps will need to be taken in order to mitigate the AMT vulnerability (CVE-2017-5689) in our environment and would appreciate any help/information that can be provided.
- We have never provisioned Intel AMT. Does this mean we are not vulnerable, or does the existence of AMT in the BIOS automatically make a device vulnerable to exploit?
- I do see the UNS and LMS services running on well over a hundred devices in our environment. Does any potential exploit target these services? Will simply disabling these services mitigate any vulnerability?
- We have many devices that I am sure have AMT that appear not to have these services even installed. Are they vulnerable?
My goal is to not have to update the BIOS on 1500 or more systems, especially since we have never made use of AMT. If I can simply disable services on devices by script within Windows, and ignore devices that don't have the services, that is the ideal outcome.
Thank you for any help provided.
Sean