In response to problems identified by outside researchers, Intel conducted a comprehensive security review of the Intel® Management Engine (ME), Intel® Server Platform Platform Services (SPS) and Intel® Trusted Execution Engine (TXE) with the goal of improving endurance of the firmware.

As a result, Intel has identified security vulnerabilities that could potentially put the impacted platforms at risk.

The CVEs of the vulnerabilities are the following:

CVE ID

CVSSv3 Vectors

CVE-2017-5705

8.2 High

CVE-2017-5708

7.5 High

CVE-2017-5711

6.7 Moderate

CVE-2017-5712

7.2 High

Information about the affected system

Systems that use ME Firmware versions 11.0/11.5/11.6/11.7/11.10/11.20, SPS Firmware version 4.0 and TXE version 3.0 are affected.

Affected products:

  • 6th, 7th & 8th Generation Intel® Core™ Processor Family
  • Intel® Xeon® Processor E3-1200 v5 & v6 Product Family
  • Intel® Xeon® Processor Scalable Family
  • Intel® Xeon® Processor W Family
  • Intel® Atom® C3000 Processor Family
  • Apollo Lake Intel® Atom Processor E3900 series
  • Apollo Lake Intel® Pentium™
  • Celeron™ N and J series Processors

How to know if we are vulnerable?

Intel released a downloadable detection tool located at http://www.intel.com/sa-00086-support, which will scan your system for vulnerabilities identified in this security advisory.

What impact would it have if the vulnerability is exploited?

Taking advantage of this security flaw an attacker in the local network could impersonate the ME / SPS / TXE, which affects the validity of the certification of the local security function, load and execute arbitrary code outside the visibility of the user and the operating system or cause a system failure or system instability.

What to do if we have the vulnerability?

Run the utility that Intel provided and create a complete database of impacted systems.

Intel strongly recommends that all customers install the updated firmware and the Intel® Capability license service on impacted platforms.

Once you have patches, create a schedule for patch implementations and reboots.

Update the components of the Intel ME host operating system as soon as possible, such as the Intel management engine interface driver, the Intel (R) Management & Security Status software, the LMS service.

Source:

https://security-center.intel.com/advisory.aspx?intelid=intel-sa-00086&languageid=en-fr

https://blog.rapid7.com/2017/11/21/intel-sa-00086-security-bulletin-for-intel-management-engine-me-and-advanced-management-technology-amt-vulnerabilities-what-you-need-to-know/

http://blog.trendmicro.com/trendlabs-security-intelligence/mitigating-cve-2017-5689-intel-management-engine-vulnerability/