Lenovo Security Advisory: LEN-14963
Potential Impact: Remote or local exploitation of manageability features leading to unprivileged system access
Scope of Impact: Industry-Wide
CVE Identifier: CVE-2017-5689
Intel manageability SKUs (AMT, ISM, and SBT) have a privilege escalation issue that makes platforms vulnerable to unprivileged system access. Intel manageability is supported on some Lenovo ThinkPads, ThinkCentres, ThinkStations, and ThinkServers.
The problem has been isolated to a design issue in the Intel manageability SKU firmware. This results in a vulnerability that allows an unprivileged network or local attacker to gain system privileges on Lenovo systems that support Intel manageability (AMT, ISM, and SBT).
Intel® AMT, ISM and SBT use integrated platform capabilities to allow IT or managed service providers to remotely manage networked computing assets.
Mitigation Strategy for Customers (what you should do to protect yourself):
Lenovo is urgently working on qualifying and applying the fixes provided by Intel on supported systems. Please continue to refer to this advisory to identify fixes as they are posted for your systems.
Options for mitigation until the firmware update is available are:
Note that capabilities and features provided by AMT, ISM, and SBT will be made unavailable when these mitigations are implemented.
The instructions to implement the mitigation steps are posted at Intel’s website here: <https://downloadcenter.intel.com/download/26754>
NOTE: Intel has posted a Firmware Deployment Procedure gude here: <http://www.intel.com/content/www/us/en/support/technologies/intel-active-management-technology-intel-amt/000024236.html>
Please refer to this guide if you are using AMT, ISM or SBT before running the updates. The guide will tell you to first unprovision the systems, update the firmware and then re-provision the systems. If you are not using these technologies, no special steps need to be followed before running the updates.
The issue has been observed in Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6.
Lenovo systems using Intel manageability firmware prior to version 6.0 and newer than 11.6 do not contain the identified vulnerability.
Intel has released a Detection Guide to assess if your system has the impacted firmware: <https://downloadcenter.intel.com/download/26755>. Intel® AMT, Intel® SBA, or Intel® ISM firmware versions that resolve the issue have a four digit build number that starts with a “3” (X.X.XX.3XXX) Ex: 126.96.36.19908.