Intel Q3’17 ME 11.x, SPS 4.0, and TXE 3.0 Security Review Cumulative Update
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr
Intel ID: INTEL-SA-00086
Product family: Various
Impact of vulnerability: Elevation of Privilege
Severity rating: Important
Original release: Nov 20, 2017
Last revised: Nov 20, 2017
Description:
In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of its Intel® Management Engine (ME), Intel® Trusted Execution Engine (TXE), and Intel® Server Platform Services (SPS) with the objective of enhancing firmware resilience.
As a result, Intel has identified several security vulnerabilities that could potentially place impacted platforms at risk. Systems using ME Firmware versions 11.0/11.5/11.6/11.7/11.10/11.20, SPS Firmware version 4.0, and TXE version 3.0 are impacted.
Affected products:
6th, 7th & 8th Generation Intel® Core™ Processor Family
Intel® Xeon® Processor E3-1200 v5 & v6 Product Family
Intel® Xeon® Processor Scalable Family
Intel® Xeon® Processor W Family
Intel® Atom® C3000 Processor Family
Apollo Lake Intel® Atom Processor E3900 series
Apollo Lake Intel® Pentium™
Celeron™ N and J series Processors
Based on the items identified through the comprehensive security review, an attacker could gain unauthorized access to platform, Intel® ME feature, and 3rd party secrets protected by the Intel® Management Engine (ME), Intel® Server Platform Service (SPS), or Intel® Trusted Execution Engine (TXE).
This includes scenarios where a successful attacker could:
Impersonate the ME/SPS/TXE, thereby impacting local security feature attestation validity.
Load and execute arbitrary code outside the visibility of the user and operating system.
Cause a system crash or system instability.
For more information, please see this Intel Support article
Intel® Manageability Engine Firmware 11.0.x.x/11.5.x.x/11.6.x.x/11.7.x.x/11.10.x.x/11.20.x.x
Intel Manageability Engine Firmware 8.x/9.x/10.x*
Server Platform Service 4.0.x.x
Intel Trusted Execution Engine 3.0.x.x
Intel has released a downloadable detection tool located at http://www.intel.com/sa-00086-support, which will analyze your system for the vulnerabilities identified in this security advisory.
Intel highly recommends checking with your system OEM for updated firmware. Links to system manufacturer pages concerning this issue can be found at http://www.intel.com/sa-00086-support
Intel highly recommends that all customers install the updated firmware and Intel® Capability License Service on impacted platforms.
theregister.co.uk have a write-up:
Intel finds critical holes in secret Management Engine hidden in tons of desktop, server chipsets
Bugs can be exploited to extract info, potentially insert rootkits
By Thomas Claburn in San Francisco 20 Nov 2017
Related AskWoody topics:
The earlier Intel ME topic (May 2017) & follow-up (August 2017)
