Several vulnerabilities were discovered in Intel Management Engine (ME), Intel Server Platform Services (SPS), and Intel Trusted Execution Engine (TXE). The vulnerabilities were discovered as a result of an in-house security review of the products in question and input from external researchers. The vulnerabilities are mostly buffer overflows leading to arbitrary code execution and privilege escalation. ME Firmware versions 11.0/11.5/11.6/11.7/11.10/11.20, SPS Firmware version 4.0, and TXE version 3.0 are vulnerable to exploitation. The products listed below are affected.
- 6th, 7th & 8th Generation Intel Core Processor Family
- Intel Xeon Processor E3-1200 v5 & v6 Product Family
- Intel Xeon Processor Scalable Family
- Intel Xeon Processor W Family
- Intel Atom C3000 Processor Family
- Apollo Lake Intel Atom Processor E3900 series
- Apollo Lake Intel Pentium
- Celeron N and J series Processors
Vulnerabilities
| Product | CVE(s) | Description |
|---|---|---|
| Intel Manageability Engine Firmware | CVE-2017-5705 | Multiple buffer overflows in kernel in Intel Manageability Engine Firmware 11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code |
| Intel Manageability Engine Firmware | CVE-2017-5708 | Multiple privilege escalations in kernel in Intel Manageability Engine Firmware 11.0/11.5/11.6/11.7/11.10/11.20 allow unauthorized process to access privileged content via unspecified vector |
| Intel Manageability Engine Firmware | CVE-2017-5711 | Multiple buffer overflows in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code with AMT execution privilege. |
| Intel Manageability Engine Firmware | CVE-2017-5712 | Buffer overflow in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allows attacker with remote Admin access to the system to execute arbitrary code with AMT execution privilege. |
| Intel Manageability Engine Firmware 8.x/9.x/10.x | CVE-2017-5711 | Multiple buffer overflows in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code with AMT execution privilege. |
| Intel Manageability Engine Firmware 8.x/9.x/10.x | CVE-2017-5712 | Buffer overflow in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allows attacker with remote Admin access to the system to execute arbitrary code with AMT execution privilege. |
| Server Platform Service 4.0.x.x | CVE-2017-5706 | Multiple buffer overflows in kernel in Intel Server Platform Services Firmware 4.0 allow attacker with local access to the system to execute arbitrary code. |
| Server Platform Service 4.0.x.x | CVE-2017-5709 | Multiple privilege escalations in kernel in Intel Server Platform Services Firmware 4.0 allows unauthorized process to access privileged content via unspecified vector. |
| Intel Trusted Execution Engine 3.0.x.x | CVE-2017-5707 | Multiple buffer overflows in kernel in Intel Trusted Execution Engine Firmware 3.0 allow attacker with local access to the system to execute arbitrary code |
| Intel Trusted Execution Engine 3.0.x.x | CVE-2017-5710 | Multiple privilege escalations in kernel in Intel Trusted Execution Engine Firmware 3.0 allows unauthorized process to access privileged content via unspecified vector. |
Exploitation
Upon successful exploitation, an attacker can impersonate ME/SPS/TXE and reconfigure security features. The code execution occurs outside the scope of the user and operating system. Modifying the security configuration may lead to a system crash or an unstable system state.
Mitigation
Intel has addressed these issues in Intel SA-00086. We request that organizations update the firmware to the latest versions as directed by the advisory. A detection tool is also available for local system risk assessment.
Qualys Detection
We have currently added potential checks for the following CVEs:
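| CVE(s) | QID | Description |
|---|---|---|
| CVE-2017-5711 | 38693 | Intel Active Management Technology Multiple Remote Code Execution Vulnerabilities |
| CVE-2017-5712 | 38693 | Intel Active Management Technology Multiple Remote Code Execution Vulnerabilities |
| CVE-2017-5705 | 38694 | Intel Management Engine Multiple Privilege Escalation And Buffer Overflow Vulnerabilities |
| CVE-2017-5708 | 38694 | Intel Management Engine Multiple Privilege Escalation And Buffer Overflow Vulnerabilities |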
The QID performs a banner-based check on TCP ports 16992, 16993, 16994, and 16995 to verify vulnerable versions of Intel Manageability Engine Firmware. We are working on adding signatures for confirmed checks.
Please continue to follow Qualys Threat Feed for information on these vulnerabilities.
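The following added example (not Qualys's signature or Intel's detection tool) shows how a banner-based potential check can be run over banners already collected from the AMT ports, mapping each firmware version to the affected families and QIDs in the tables above. The `Server:` header format, the function names, and the sample banners are assumptions constructed for illustration; a match means only that the version falls in an affected family, since this page lists no fixed build numbers.

```python
import re

# Families and CVEs from the advisory table above; QIDs from the Qualys table.
AMT_QID, ME_QID = 38693, 38694
AMT_CVES = ["CVE-2017-5711", "CVE-2017-5712"]  # AMT 8.x/9.x/10.x and listed 11.x
ME_CVES = ["CVE-2017-5705", "CVE-2017-5708"]   # ME kernel, listed 11.x only
ME11_MINORS = {0, 5, 6, 7, 10, 20}             # 11.0/11.5/11.6/11.7/11.10/11.20
# Assumption: the banner is an HTTP Server header carrying a dotted version.
VERSION_RE = re.compile(r"Active Management Technology\s+(\d+)\.(\d+)")

def potential_findings(banner):
    """Return {QID: [CVEs]} for the banner's firmware family.

    None = no version parsed; {} = version outside every listed family.
    """
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    # Compare numerically: a string prefix test would confuse 11.1 with 11.10.
    major, minor = int(m.group(1)), int(m.group(2))
    if major in (8, 9, 10):
        return {AMT_QID: list(AMT_CVES)}
    if major == 11 and minor in ME11_MINORS:
        return {AMT_QID: list(AMT_CVES), ME_QID: list(ME_CVES)}
    return {}

def triage(inventory):
    """Split (host, banner) pairs into flagged, unlisted and unparsed hosts."""
    report = {"flagged": {}, "unlisted": [], "unparsed": []}
    for host, banner in inventory:
        result = potential_findings(banner)
        if result is None:
            report["unparsed"].append(host)
        elif result:
            report["flagged"][host] = result
        else:
            report["unlisted"].append(host)
    return report

# Constructed sample banners on documentation addresses, not real hosts.
SAMPLE = [
    ("192.0.2.10", "Server: Intel(R) Active Management Technology 11.6.27"),
    ("192.0.2.11", "Server: Intel(R) Active Management Technology 9.1.40"),
    ("192.0.2.12", "Server: Intel(R) Active Management Technology 11.1.3"),
    ("192.0.2.13", "Server: nginx"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Hosts reported as `unparsed` still need the local detection tool or a firmware inventory, because a missing or altered banner says nothing about the firmware underneath.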
References
- Intel Q3’17 ME 11.x, SPS 4.0, and TXE 3.0 Security Review Cumulative Update
- Intel® Management Engine Critical Firmware Update (Intel SA-00086)