Intel Q3’17 ME 6.x/7.x/8.x/9.x/10.x/11.x, SPS 4.0, and TXE 3.0 Security Review Cumulative Update

Summary:

In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of our Intel® Management Engine (ME), Intel® Server Platform Services (SPS), and Intel® Trusted Execution Engine (TXE) with the objective of enhancing firmware resilience.

As a result, Intel has identified security vulnerabilities that could potentially place impacted platforms at risk.

Description:

In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of its Intel® Management Engine (ME), Intel® Trusted Execution Engine (TXE), and Intel® Server Platform Services (SPS) with the objective of enhancing firmware resilience.

As a result, Intel has identified several security vulnerabilities that could potentially place impacted platforms at risk. Systems using ME Firmware versions 6.x/7.x/8.x/9.x/10.x//11.0/11.5/11.6/11.7/11.10/11.20, SPS Firmware version 4.0, and TXE version 3.0 are impacted.

Affected products:

• 1st, 2nd, 3rd, 4th, 5th, 6th, 7th & 8th Generation Intel® Core™ Processor Family
• Intel® Xeon® Processor E3-1200 v5 & v6 Product Family
• Intel® Xeon® Processor Scalable Family
• Intel® Xeon® Processor W Family
• Intel® Pentium® Processor G Series
• Intel® Atom® C3000 Processor Family
• Apollo Lake Intel® Atom Processor E3900 series
• Apollo Lake Intel® Pentium™
• Celeron™ G, N and J series Processors

Based on the items identified through the comprehensive security review, an attacker could gain unauthorized access to platform, Intel® ME feature, and 3rd party secrets protected by the Intel® Management Engine (ME), Intel® Server Platform Service (SPS), or Intel® Trusted Execution Engine (TXE).

This includes scenarios where a successful attacker could:

• Impersonate the ME/SPS/TXE, thereby impacting local security feature attestation validity.
• Load and execute arbitrary code outside the visibility of the user and operating system.
• Cause a system crash or system instability.
• For more information, please see this Intel Support article

If the INTEL-SA-00086 Detection Tool reported your system being vulnerable, please check with your system manufacturer for updated firmware. Links to system manufacturer pages concerning this issue can be found at <http://www.intel.com/sa-00086-support&gt;.

Note: CVEs referenced in this advisory require Local or Physical access to the system potentially being exploited (AV:L in the CVSSv3 Vectors column) with the exception of CVE-2017-5712. CVE-2017-5712 is potentially exploitable over a network (AV:N).

For an explanation of the conditions where Local access vs. Physical access is required to exploit a vulnerability see the FAQ section listed in the Intel Customer Support article <http://www.intel.com/sa-00086-support&gt;

More information on the definition of CVSSv3 vectors in general (e.g. AV:L, AV:N) and the other vectors listed in this advisory consult <https://first.org/cvss/&gt;

If you need further assistance, contact Customer Support to submit an online service request.

Recommendations:

The following CVE IDs are covered in this security advisory: