Intel Security Center: INTEL:INTEL-SA-00112
History: May 12, 2022 - 12:00 a.m.

Intel Q1’18 Intel® Active Management Technology 9.x/10.x/11.x Security Review Cumulative Update

EPSS: 0.003 (Low), percentile 66.4%

Summary:

In an effort to continuously improve the robustness of the Intel® Converged Security Management Engine (Intel® CSME), Intel has performed a security review of its Intel® CSME with the objective of continuously enhancing firmware resilience.

Description:

In an effort to continuously improve the robustness of the Intel® Converged Security Management Engine (Intel® CSME), Intel has performed a security review of its Intel® CSME with the objective of continuously enhancing firmware resilience.

As a result, Intel has identified security vulnerabilities that could potentially place affected platforms at risk.

Intel® Active Management Technology 3.x/4.x/5.x/6.x/7.x/8.x/9.x/10.x/11.x used in corporate PCs (Intel® vPro™, Intel® AMT), IOT devices, workstations and servers may be affected by these issues.

Affected products:

The issues affect Intel® Active Management Technology 3.x/4.x/5.x/6.x/7.x/8.x/9.x/10.x/11.x used in corporate PCs (Intel® vPro™, Intel® AMT), IOT devices, workstations and servers. These firmware versions may be found on certain products:

• Intel® Core™ 2 Duo vPro™ and Intel® Centrino™ 2 vPro™

• 1st, 2nd, 3rd, 4th, 5th, 6th, 7th, & 8th Generation Intel® Core™ Processor Family

• Intel® Xeon® Processor E3-1200 v5 & v6 Product Family (Greenlow)

• Intel® Xeon® Processor Scalable Family (Purley)

• Intel® Xeon® Processor W Family (Basin Falls)

| CVE ID | CVE Title | CVSSv3 severity | CVSSv3 Vectors |
|---|---|---|---|
| CVE-2018-3628 | Buffer overflow in HTTP handler in Intel® Active Management Technology in Intel Converged Security Manageability Engine Firmware 3.x,4.x,5.x,6.x,7.x,8.x,9.x,10.x,11.x may allow an attacker to execute arbitrary code via the same subnet | 8.1 (High) | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2018-3629 | Buffer overflow in event handler in Intel® Active Management Technology in Intel Converged Security Manageability Engine Firmware 3.x,4.x,5.x,6.x,7.x,8.x,9.x,10.x,11.x may allow an attacker to cause a denial of service via the same subnet | 7.5 (High) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVE-2018-3632 | Memory corruption in Intel® Active Management Technology in Intel Converged Security Manageability Engine Firmware 6.x/7.x/8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 could be triggered by an attacker with local administrator permission on system | 6.4 (Medium) | CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |

Recommendations:

Intel recommends that end users check with their system manufacturers and apply any available updates as soon as practical, based on the versions listed below, or higher:

| Associated CPU Generation | Resolved Firmware versions or higher |
|---|---|
| 4th Generation Intel® Core™ Processor Family | Intel® CSME 9.1.43, Intel® CSME 9.5.63 |
| 5th Generation Intel® Core™ Processor Family | Intel® CSME 10.0.57 |
| 6th Generation Intel® Core™ Processor Family | Intel® CSME 11.8.50 |
| 7th Generation Intel® Core™ Processor Family | Intel® CSME 11.8.50 |
| 8th Generation Intel® Core™ Processor Family | Intel® CSME 11.8.50 |
| Intel® Xeon® Processor E3-1200 v5 & v6 Product Family | Intel® CSME 11.8.50 |
| Intel® Xeon® Processor Scalable Family | Intel® CSME 11.21.51 |
| Intel® Xeon® Processor W Family | Intel® CSME 11.11.50 |

- The Intel® CSME firmware for the following products is no longer supported. These products will not receive a firmware update: Intel® Core™ 2 Duo vPro™, Intel® Centrino™ 2 vPro™, 1st Generation Intel® Core™, 2nd Generation Intel® Core™, 3rd Generation Intel® Core™.
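
An added example, not part of Intel's advisory: one way to triage a firmware inventory against the resolved versions listed above. The family labels, hostnames and version strings are constructed, the `major.minor.hotfix[.build]` string format is assumed, and reading the two 4th Generation values as separate floors for the 9.1.x and 9.5.x branches is an assumption.

```python
import re

# Resolved versions from the advisory table, keyed by (assumed) family labels.
# Reading the two 4th Gen values as floors for 9.1.x and 9.5.x is an assumption.
RESOLVED = {
    "4th Gen Core": [(9, 1, 43), (9, 5, 63)], "5th Gen Core": [(10, 0, 57)],
    "6th Gen Core": [(11, 8, 50)], "7th Gen Core": [(11, 8, 50)],
    "8th Gen Core": [(11, 8, 50)], "Xeon E3-1200 v5/v6": [(11, 8, 50)],
    "Xeon Scalable": [(11, 21, 51)], "Xeon W": [(11, 11, 50)],
}
# Families the advisory says will not receive a firmware update.
UNSUPPORTED = {"Core 2 Duo vPro", "Centrino 2 vPro",
               "1st Gen Core", "2nd Gen Core", "3rd Gen Core"}

def parse_version(text):
    """Parse 'major.minor.hotfix[.build]' (assumed format) to a 3-tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(g) for g in m.groups())

def assess(family, version):
    """Return 'patched', 'vulnerable', 'no-fix' or 'review' for one host."""
    if family in UNSUPPORTED:
        return "no-fix"
    floors = RESOLVED.get(family)
    if floors is None:
        return "review"              # family not in the advisory table
    ver = parse_version(version)
    if len(floors) == 1:
        return "patched" if ver >= floors[0] else "vulnerable"
    for floor in floors:             # several floors: match major.minor branch
        if ver[:2] == floor[:2]:
            return "patched" if ver >= floor else "vulnerable"
    return "review"                  # branch not listed for this family

# Constructed inventory rows: (hostname, family, reported firmware version).
INVENTORY = [
    ("ws-014", "6th Gen Core", "11.8.50.3425"),
    ("ws-022", "7th Gen Core", "11.6.27.3264"),
    ("lt-101", "4th Gen Core", "9.5.61.3012"),
    ("lt-102", "4th Gen Core", "9.0.31.1487"),
    ("old-03", "2nd Gen Core", "7.1.91.3272"),
]

def triage(inventory=INVENTORY):
    return {host: assess(family, ver) for host, family, ver in inventory}

if __name__ == "__main__":
    print(triage())
```

Hosts reported as `review` are on a family or branch the table does not list and need a manual check with the system manufacturer.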

Acknowledgements:

The following issues were found internally by Intel: CVE-2018-3628, CVE-2018-3629 and CVE-2018-3632. Intel would like to thank Yossef Kuszer.
