Potential security vulnerability in Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM) may allow escalation of privilege. Intel is releasing firmware updates to mitigate this potential vulnerability.
CVEID: CVE-2020-8758
Description: Improper buffer restrictions in network subsystem in provisioned Intel® AMT and Intel® ISM versions before 11.8.79, 11.12.79, 11.22.79, 12.0.68 and 14.0.39 may allow an unauthenticated user to potentially enable escalation of privilege via network access. On un-provisioned systems, an authenticated user may potentially enable escalation of privilege via local access.
CVSS Vector (Provisioned, unauthenticated, network):
CVSS Base Score: 9.8 Critical
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Vector (Un-provisioned, authenticated, local):
CVSS Base Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products: Intel® AMT and Intel® ISM versions before 11.8.79, 11.12.79, 11.22.79, 12.0.68 and 14.0.39.
The following CVE assigned by Intel corresponds to a CVE disclosed on 12/18/2020 as part of ICSA-20-353-01:
| Disclosed in INTEL-SA-00404 | Disclosed in ICSA-20-353-01 |
|---|---|
| CVE-2020-8758 | CVE-2020-25066 |
Note: Firmware versions of Intel® ME 3.x through 10.x, Intel® TXE 1.x through 2.x, and Intel® Server Platform Services 1.x through 2.x are no longer supported versions. There is no new general release planned for these versions.
Intel recommends that users of Intel® AMT and Intel® ISM update to the latest version provided by the system manufacturer that addresses these issues.
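To find the systems that still need the update, the following added example (not Intel's code) classifies inventoried AMT/ISM firmware version strings against the fixed builds listed above, comparing components numerically so that a build such as 100 is not sorted before 79. It assumes the AMT version string carries the ME firmware major version and that branches the advisory does not name go to manual review; the hostnames and versions in `SAMPLE` are constructed.

```python
import re

# (major, minor) branch -> first fixed build, taken from the advisory text.
FIXED_BUILD = {(11, 8): 79, (11, 12): 79, (11, 22): 79, (12, 0): 68, (14, 0): 39}

# Accepts "major.minor.build" with an optional fourth component.
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def classify(version: str) -> str:
    """Return 'vulnerable', 'fixed', 'unsupported', 'unlisted' or 'invalid'."""
    m = _VERSION.match(version)
    if not m:
        return "invalid"
    major, minor, build = (int(m.group(i)) for i in (1, 2, 3))
    # Advisory note: ME 3.x through 10.x is no longer supported and gets no
    # new release. Assumption: the AMT string carries the ME major version.
    if 3 <= major <= 10:
        return "unsupported"
    fixed = FIXED_BUILD.get((major, minor))
    if fixed is None:
        # Assumption: a branch the advisory does not name is flagged for
        # manual review instead of being guessed as safe or affected.
        return "unlisted"
    return "vulnerable" if build < fixed else "fixed"


def triage(inventory: dict) -> dict:
    """Group hostnames by the classification of their reported version."""
    result = {}
    for host, version in sorted(inventory.items()):
        result.setdefault(classify(version), []).append(host)
    return result


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE = {
    "ws-001": "11.8.77.3664",
    "ws-002": "11.8.100.1",
    "ws-003": "12.0.68.1606",
    "ws-004": "14.0.38.1000",
    "ws-005": "9.5.10.1234",
    "ws-006": "14.5.10.1",
    "ws-007": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:12} {', '.join(hosts)}")
```

Hosts reported as `unlisted` or `unsupported` need a decision from the system manufacturer's guidance; the script does not treat them as safe.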
This issue was found internally by Intel employees. Intel would like to thank Yaakov Cohen, Yocheved Butterman and Yossef Kuszer.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.