Summary:
In an effort to continuously improve the robustness of the Intel® Converged Security Management Engine (Intel® CSME), Intel has performed a security review of its Intel® CSME with the objective of continuously enhancing firmware resilience.
Description:
In an effort to continuously improve the robustness of the Intel® Converged Security Management Engine (Intel® CSME), Intel has performed a security review of its Intel® CSME with the objective of continuously enhancing firmware resilience.
As a result, Intel has identified security vulnerabilities that could potentially place affected platforms at risk.
Intel® Active Management Technology 3.x/4.x/5.x/6.x/7.x/8.x/9.x/10.x/11.x used in corporate PCs (Intel® vPro™, Intel® AMT), IoT devices, workstations and servers may be affected by these issues.
Affected products:
The issues affect Intel® Active Management Technology 3.x/4.x/5.x/6.x/7.x/8.x/9.x/10.x/11.x used in corporate PCs (Intel® vPro™, Intel® AMT), IoT devices, workstations and servers. These firmware versions may be found on certain products:
• Intel® Core™ 2 Duo vPro™ and Intel® Centrino™ 2 vPro™
• 1st, 2nd, 3rd, 4th, 5th, 6th, 7th, & 8th Generation Intel® Core™ Processor Family
• Intel® Xeon® Processor E3-1200 v5 & v6 Product Family (Greenlow)
• Intel® Xeon® Processor Scalable Family (Purley)
• Intel® Xeon® Processor W Family (Basin Falls)
| CVE ID | CVE Title | CVSSv3 severity | CVSSv3 Vectors |
|---|---|---|---|
| CVE-2018-3628 | Buffer overflow in HTTP handler in Intel® Active Management Technology in Intel Converged Security Manageability Engine Firmware 3.x,4.x,5.x,6.x,7.x,8.x,9.x, 10.x,11.x may allow an attacker to execute arbitrary code via the same subnet | 8.1 (High) | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2018-3629 | Buffer overflow in event handler in Intel® Active Management Technology in Intel Converged Security Manageability Engine Firmware 3.x,4.x,5.x,6.x,7.x,8.x,9.x, 10.x,11.x may allow an attacker to cause a denial of service via the same subnet | 7.5 (High) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVE-2018-3632 | Memory corruption in Intel® Active Management Technology in Intel Converged Security Manageability Engine Firmware 6.x/7.x/8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 could be triggered by an attacker with local administrator permission on system | 6.4 (Medium) | CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
Recommendations:
Intel recommends that end users check with their system manufacturers and apply any available updates as soon as practical, based on the versions listed below, or higher:
| Associated CPU Generation | Resolved Firmware versions or higher |
|---|---|
| 4th Generation Intel® Core™ Processor Family | Intel® CSME 9.1.43, Intel® CSME 9.5.63 |
| 5th Generation Intel® Core™ Processor Family | Intel® CSME 10.0.57 |
| 6th Generation Intel® Core™ Processor Family | Intel® CSME 11.8.50 |
| 7th Generation Intel® Core™ Processor Family | Intel® CSME 11.8.50 |
| 8th Generation Intel® Core™ Processor Family | Intel® CSME 11.8.50 |
| Intel® Xeon® Processor E3-1200 v5 & v6 Product Family | Intel® CSME 11.8.50 |
| Intel® Xeon® Processor Scalable Family | Intel® CSME 11.21.51 |
| Intel® Xeon® Processor W Family | Intel® CSME 11.11.50 |
- The Intel® CSME firmware for the following products is no longer supported. These products will not receive a firmware update: Intel® Core™ 2 Duo vPro™, Intel® Centrino™ 2 vPro™, 1st Generation Intel® Core™, 2nd Generation Intel® Core™, 3rd Generation Intel® Core™.
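One way to apply the resolved-version table and the unsupported-product list above across a fleet, as an added example that is not part of Intel's advisory. The shortened platform labels, the host inventory with its build numbers, and the major.minor.hotfix.build version layout are assumptions; the resolved versions are the ones listed in the table.

```python
import re
# Resolved versions from the advisory's table; keys are shortened row labels.
RESOLVED = {
    "4th Gen Core": ["9.1.43", "9.5.63"],
    "5th Gen Core": ["10.0.57"],
    "6th Gen Core": ["11.8.50"],
    "7th Gen Core": ["11.8.50"],
    "8th Gen Core": ["11.8.50"],
    "Xeon E3-1200 v5/v6": ["11.8.50"],
    "Xeon Scalable": ["11.21.51"],
    "Xeon W": ["11.11.50"],
}
# Platforms the advisory lists as receiving no firmware update.
UNSUPPORTED = {"Core 2 Duo vPro", "Centrino 2 vPro",
               "1st Gen Core", "2nd Gen Core", "3rd Gen Core"}

def parse(version):
    """Return (major, minor, hotfix) as ints; a trailing build number is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\s*$", version)
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(x) for x in m.groups())

def triage(platform, version):
    """Classify one host as 'resolved', 'update', 'no-fix' or 'unknown'."""
    if platform in UNSUPPORTED:
        return "no-fix"
    if platform not in RESOLVED:
        return "unknown"
    have = parse(version)
    fixes = [parse(v) for v in RESOLVED[platform]]
    # Assumption: when a row lists two versions, each fixes its own
    # major.minor branch, so compare only within the installed branch.
    if len(fixes) > 1:
        fixes = [f for f in fixes if f[:2] == have[:2]]
        if not fixes:
            return "unknown"
    # Integer tuples, not strings: "9.1.5" sorts after "9.1.43" as text.
    return "resolved" if have >= fixes[0] else "update"

INVENTORY = [  # constructed sample data (host, platform, reported version)
    ("ws-01", "6th Gen Core", "11.8.50.3425"),
    ("ws-02", "6th Gen Core", "11.0.25.3001"),
    ("ws-03", "4th Gen Core", "9.1.5"),
    ("srv-01", "Xeon Scalable", "11.21.50"),
    ("old-01", "2nd Gen Core", "7.1.91"),
]
def report(inventory):
    return {host: triage(platform, ver) for host, platform, ver in inventory}
```

Hosts classified `no-fix` or `unknown` need a manual decision, since the table gives no resolved version to compare against.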
Acknowledgements:
The following issues were found internally by Intel: CVE-2018-3628, CVE-2018-3629 and CVE-2018-3632. Intel would like to thank Yossef Kuszer.