Summary:
In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of our Intel® Management Engine (ME), Intel® Server Platform Services (SPS), and Intel® Trusted Execution Engine (TXE) with the objective of enhancing firmware resilience.
As a result, Intel has identified security vulnerabilities that could potentially place impacted platforms at risk.
Description:
In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of its Intel® Management Engine (ME), Intel® Trusted Execution Engine (TXE), and Intel® Server Platform Services (SPS) with the objective of enhancing firmware resilience.
As a result, Intel has identified several security vulnerabilities that could potentially place impacted platforms at risk. Systems using ME Firmware versions 6.x/7.x/8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20, SPS Firmware version 4.0, and TXE version 3.0 are impacted.
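For fleet triage, the version families listed above can be matched against an inventory export. The following is an added example, not Intel's code or the INTEL-SA-00086 Detection Tool; the function names and the inventory rows are hypothetical and constructed. It only tells you whether a firmware version falls in a listed family; it cannot tell whether a given build already carries the manufacturer's fix, since fixed builds are not listed here.

```python
import re

# Families copied from the advisory text; "x" means any minor version.
IMPACTED = {"ME": "6.x/7.x/8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20",
            "SPS": "4.0", "TXE": "3.0"}

def _families(spec):
    """Turn '6.x/11.10' into {(6, None), (11, 10)}; None = any minor."""
    out = set()
    for item in spec.split("/"):
        major, minor = item.split(".")
        out.add((int(major), None if minor == "x" else int(minor)))
    return out

def in_impacted_family(product, version):
    """True if version's major.minor is a family the advisory lists.

    Components are compared as integers, so 11.1 is not mistaken for 11.10
    (a string-prefix check would be). Unparseable versions raise ValueError
    so they surface as unknown instead of passing as unaffected.
    """
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.\d+)*\s*", version)
    if m is None:
        raise ValueError(f"unparseable firmware version: {version!r}")
    spec = IMPACTED.get(product.strip().upper())
    if spec is None:  # product not named in the advisory
        return False
    fams = _families(spec)
    major, minor = int(m.group(1)), int(m.group(2))
    return (major, None) in fams or (major, minor) in fams

def triage(rows):
    """Sort (host, product, version) rows into three buckets of hosts."""
    result = {"impacted": [], "not_listed": [], "unknown": []}
    for host, product, version in rows:
        try:
            hit = in_impacted_family(product, version)
            result["impacted" if hit else "not_listed"].append(host)
        except ValueError:
            result["unknown"].append(host)
    return result

SAMPLE = [  # constructed inventory rows, not real systems or builds
    ("ws-01", "ME", "11.6.0.1000"), ("ws-02", "ME", "11.1.0.1000"),
    ("ws-03", "ME", "11.10.0.1000"), ("ws-04", "ME", "9.5.0.1000"),
    ("srv-01", "SPS", "4.0.0.100"), ("tab-01", "TXE", "3.0.0.1000"),
    ("ws-05", "ME", "N/A"),
]
```

Hosts in the `impacted` and `unknown` buckets are the ones to run through the detection tool and check against the system manufacturer's firmware updates.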
Affected products:
Based on the items identified through the comprehensive security review, an attacker could gain unauthorized access to platform, Intel® ME feature, and 3rd party secrets protected by the Intel® Management Engine (ME), Intel® Server Platform Service (SPS), or Intel® Trusted Execution Engine (TXE).
This includes scenarios where a successful attacker could:
If the INTEL-SA-00086 Detection Tool reported your system as vulnerable, please check with your system manufacturer for updated firmware. Links to system manufacturer pages concerning this issue can be found at <http://www.intel.com/sa-00086-support>.
Note: CVEs referenced in this advisory require Local or Physical access to the system potentially being exploited (AV:L in the CVSSv3 Vectors column) with the exception of CVE-2017-5712. CVE-2017-5712 is potentially exploitable over a network (AV:N).
For an explanation of the conditions where Local access vs. Physical access is required to exploit a vulnerability, see the FAQ section listed in the Intel Customer Support article <http://www.intel.com/sa-00086-support>.
For more information on the definition of CVSSv3 vectors in general (e.g. AV:L, AV:N) and the other vectors listed in this advisory, consult <https://first.org/cvss/>.
If you need further assistance, contact Customer Support to submit an online service request.
Recommendations:
The following CVE IDs are covered in this security advisory: