Lenovo, LENOVO:PS500146-NOSID

Jul 25, 2018 - 11:19 a.m.

Intel ME 6.x/7.x/8.x/9.x/10.x/11.x, SPS 4.0, and TXE 3.0 Cumulative Security Update - US

2018-07-25 11:19:00

support.lenovo.com

CVSS3: 7.2 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS2: 9 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS: 0.012 Low
Percentile: 83.6%

Lenovo Security Advisory: LEN-17297

**Potential Impact:** An attacker could load and execute arbitrary code outside the visibility of the user, operating system, and hypervisor/virtualization platform, resulting in exfiltration of secrets, subtle manipulation of system operation, or denial of service.

Severity: High

Scope of Impact: Industry-wide

**CVE Identifier:** CVE-2017-5705, CVE-2017-5706, CVE-2017-5707, CVE-2017-5708, CVE-2017-5709, CVE-2017-5710, CVE-2017-5711, CVE-2017-5712

Summary Description:

Intel chipsets use a separate embedded processor and execution environment to provide various systems management and security functions. In response to a vulnerability recently found by external researchers, Intel performed an in-depth security review of three major components of this environment: Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE). Eight vulnerabilities were found in these firmware versions:

ME: 11.0.x.x, 11.5.x.x, 11.6.x.x, 11.7.x.x, 11.10.x.x, 11.20.x.x

Update 12/14/2017: 8.x, 9.x, 10.x are affected by CVE-2017-5711, CVE-2017-5712

Update 12/21/2017: 6.x/7.x are also affected by CVE-2017-5711, CVE-2017-5712

SPS: 4.0.x.x

TXE: 3.0.x.x

(Refer to Intel’s Security Advisory for affected Intel® Core™ and Intel® Processor families)

To remediate these vulnerabilities, apply the appropriate BIOS/UEFI update or ME/SPS/TXE firmware update listed in the product impact section. For some products, the Intel ME Driver may also need to be updated.

If desired, these component firmware versions can be confirmed in the BIOS/UEFI setup utility (press the “F1” key at system power-on). Note that any given system will likely have only one of the components present. ME is generally found on client systems and low-end servers without a dedicated systems management controller. SPS is found on servers with dedicated controllers, and TXE is found primarily on tablets and other low-power devices.
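Once firmware versions have been collected, they can be checked against the affected families listed above. The following is an added example, not code from Lenovo or Intel; the inventory lines, host names and version numbers are constructed, and the `triage` helpers are hypothetical names.

```python
import re

# Affected families as listed in the advisory ("x" matches any value in that field).
AFFECTED = {
    "ME": ["11.0.x.x", "11.5.x.x", "11.6.x.x", "11.7.x.x", "11.10.x.x", "11.20.x.x"],
    "SPS": ["4.0.x.x"],
    "TXE": ["3.0.x.x"],
}
# Older ME majors added by the 12/14/2017 and 12/21/2017 updates (two CVEs only).
LEGACY_ME = {6, 7, 8, 9, 10}

def parse_version(text):
    """Turn '11.7.4.3314' into (11, 7, 4, 3314); raise ValueError otherwise."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def in_family(pattern, version):
    """Compare field by field as integers, so 11.10 never matches 11.1 or 11.100."""
    for want, have in zip(pattern.split("."), version):
        if want != "x" and int(want) != have:
            return False
    return True

def triage(component, version_text):
    component = component.upper()
    if component not in AFFECTED:
        return "unknown component"
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unparseable version"
    if component == "ME" and version[0] in LEGACY_ME:
        return "affected: CVE-2017-5711, CVE-2017-5712"
    if any(in_family(p, version) for p in AFFECTED[component]):
        return "affected: listed family"
    return "not listed"

# Constructed inventory lines (host, component, version); not real systems.
INVENTORY = ["host-a ME 11.7.4.3314", "host-b ME 11.8.0.1000", "host-c ME 9.1.0.1000",
             "host-d SPS 4.0.4.100", "host-e TXE 3.1.0.1000", "host-f ME 11.1.0.1000"]

def triage_inventory(lines):
    return {h: triage(c, v) for h, c, v in (line.split() for line in lines)}

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host}: {status}")
```

A match means only that the version falls in a family this advisory lists, and "not listed" means only that it is outside those families; the fixed build for a given model comes from the Product Impact section.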

Mitigation Strategy for Customers (what you should do to protect yourself):

Refer to the Product Impact section below and update to the appropriate BIOS/UEFI or ME/SPS/TXE firmware and, where applicable, ME driver version for your model.

Because required software may be Operating System specific or there may be more than one package to update, some links provided below may point to the product’s software download page. Under Operating System, you should confirm the selection is correct. Then select Chipset under the Components section.

Product Impact:
