Intel Firmware Remote Code Execution Vulnerabilities

Several vulnerabilities were discovered in Intel Management Engine (ME), Intel Server Platform Services (SPS), and Intel Trusted Execution Engine (TXE). The vulnerabilities were discovered as a result of an in-house security review of the products in question and input from external researchers. The vulnerabilities are mostly buffer overflows leading to arbitrary code execution and privilege escalation. ME Firmware versions 11.0/11.5/11.6/11.7/11.10/11.20, SPS Firmware version 4.0, and TXE version 3.0 are vulnerable to exploitation. The products listed below are affected.

  • 6th, 7th & 8th Generation Intel Core Processor Family
  • Intel Xeon Processor E3-1200 v5 & v6 Product Family
  • Intel Xeon Processor Scalable Family
  • Intel Xeon Processor W Family
  • Intel Atom C3000 Processor Family
  • Apollo Lake Intel Atom Processor E3900 series
  • Apollo Lake Intel Pentium
  • Celeron N and J series Processors

Vulnerabilities

| Product | CVE(s) | Description |
|---|---|---|
| Intel Manageability Engine Firmware | CVE-2017-5705 | Multiple buffer overflows in kernel in Intel Manageability Engine Firmware 11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code. |
| Intel Manageability Engine Firmware | CVE-2017-5708 | Multiple privilege escalations in kernel in Intel Manageability Engine Firmware 11.0/11.5/11.6/11.7/11.10/11.20 allow unauthorized process to access privileged content via unspecified vector. |
| Intel Manageability Engine Firmware | CVE-2017-5711 | Multiple buffer overflows in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code with AMT execution privilege. |
| Intel Manageability Engine Firmware | CVE-2017-5712 | Buffer overflow in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allows attacker with remote Admin access to the system to execute arbitrary code with AMT execution privilege. |
| Intel Manageability Engine Firmware 8.x/9.x/10.x | CVE-2017-5711 | Multiple buffer overflows in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code with AMT execution privilege. |
| Intel Manageability Engine Firmware 8.x/9.x/10.x | CVE-2017-5712 | Buffer overflow in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allows attacker with remote Admin access to the system to execute arbitrary code with AMT execution privilege. |
| Server Platform Services 4.0.x.x | CVE-2017-5706 | Multiple buffer overflows in kernel in Intel Server Platform Services Firmware 4.0 allow attacker with local access to the system to execute arbitrary code. |
| Server Platform Services 4.0.x.x | CVE-2017-5709 | Multiple privilege escalations in kernel in Intel Server Platform Services Firmware 4.0 allow unauthorized process to access privileged content via unspecified vector. |
| Intel Trusted Execution Engine 3.0.x.x | CVE-2017-5707 | Multiple buffer overflows in kernel in Intel Trusted Execution Engine Firmware 3.0 allow attacker with local access to the system to execute arbitrary code. |
| Intel Trusted Execution Engine 3.0.x.x | CVE-2017-5710 | Multiple privilege escalations in kernel in Intel Trusted Execution Engine Firmware 3.0 allow unauthorized process to access privileged content via unspecified vector. |

Exploitation
Upon successful exploitation an attacker can impersonate ME/SPS/TXE and reconfigure security features. The code execution occurs outside the scope of the user and the operating system. Modifying the security configuration may lead to a system crash or an unstable system state.

Mitigation
Intel has addressed this issue in Intel SA-00086. We recommend that organizations update the firmware to the latest versions as directed by the advisory. A detection tool is also available for local system risk assessment.

Vulnerable machine detection

Qualys Detection
Currently we have added potential checks for the following CVEs:

| CVE(s) | QID | Description |
|---|---|---|
| CVE-2017-5711, CVE-2017-5712 | 38693 | Intel Active Management Technology Multiple Remote Code Execution Vulnerabilities |
| CVE-2017-5705, CVE-2017-5708 | 38694 | Intel Management Engine Multiple Privilege Escalation And Buffer Overflow Vulnerabilities |

These QIDs perform a banner-based check on TCP ports 16992, 16993, 16994 and 16995 to identify vulnerable versions of Intel Manageability Engine Firmware. We are working on adding signatures for confirmed checks.
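As an added illustration of the banner-based check described above (example code written for this post, not Qualys's QID logic), the block below parses the Server header that the AMT web interface returns on those ports and maps the firmware version family to the CVEs listed in this post. The banner format, the use of TLS on ports 16993/16995, and the sample response are assumptions; because fixed build numbers are not given here, a match is a potential finding, not a confirmed one.

```python
import re
import socket
import ssl

# Families this post lists as affected. 11.x ME families carry the kernel CVEs
# (5705/5708) and the AMT CVEs (5711/5712); 8.x/9.x/10.x carry only the AMT
# CVEs. Fixed build numbers are not given here, so a hit is "potential" only.
ME_KERNEL_CVES = ["CVE-2017-5705", "CVE-2017-5708"]
AMT_CVES = ["CVE-2017-5711", "CVE-2017-5712"]
VULN_ME_FAMILIES = {"11.0", "11.5", "11.6", "11.7", "11.10", "11.20"}
VULN_AMT_MAJORS = {8, 9, 10}

# Assumed shape of the Server header the AMT web interface returns.
BANNER_RE = re.compile(
    r"Server:\s*Intel\(R\) Active Management Technology\s+(\d+(?:\.\d+)*)", re.I)

# Constructed sample response; not a real capture.
SAMPLE_BANNER = ("HTTP/1.1 303 See Other\r\n"
                 "Server: Intel(R) Active Management Technology 11.6.27.3264\r\n\r\n")

def parse_amt_version(banner: str):
    """Return the firmware version from an AMT HTTP banner, or None."""
    m = BANNER_RE.search(banner)
    return m.group(1) if m else None

def potential_cves(version: str) -> list:
    """Map a version such as '11.10.50.3286' to the CVEs listed for its family."""
    parts = version.split(".")
    family = ".".join(parts[:2])              # "11.10.50.3286" -> "11.10"
    if family in VULN_ME_FAMILIES:
        return ME_KERNEL_CVES + AMT_CVES
    if int(parts[0]) in VULN_AMT_MAJORS:
        return list(AMT_CVES)
    return []

def assess_banner(banner: str) -> dict:
    version = parse_amt_version(banner)
    return {"version": version, "cves": potential_cves(version) if version else []}

def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Fetch the banner from one AMT port (16992-16995) for assess_banner()."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if port in (16993, 16995):                # assumption: odd ports speak TLS
        ctx = ssl.create_default_context()
        ctx.check_hostname = False            # AMT certificates are commonly self-signed
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        return sock.recv(4096).decode("latin-1", "replace")
```

Run `assess_banner(grab_banner(host, port))` against a host you administer to get the version and the potential CVE list in one step.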

Please continue to follow Qualys Threat Feed for information on these vulnerabilities.

References
Intel Q3’17 ME 11.x, SPS 4.0, and TXE 3.0 Security Review Cumulative Update
Intel® Management Engine Critical Firmware Update (Intel SA-00086)
