Intel® Converged Security Management Engine (Intel® CSME) Security Advisory: SA-00391

000057840

03/17/2021

On November 10, 2020, Intel released information for security advisory INTEL-SA-00391. This information was released as part of Intel's regular product update process.

The security advisory discloses that potential security vulnerabilities in Intel® Converged Security and Manageability Engine (Intel® CSME), Intel® Server Platform Services (Intel® SPS), Intel® Trusted Execution Engine (Intel® TXE), Intel® Active Management Technology (Intel® AMT), Intel® Standard Manageability, and Intel® Dynamic Application Loader (Intel® DAL) may allow escalation of privilege, denial of service, or information disclosure.

Intel is releasing firmware and software updates to mitigate these potential vulnerabilities in:

  • Intel CSME
  • Intel SPS
  • Intel TXE
  • Intel® AMT
  • Intel® Standard Manageability

For the Intel® DAL SDK, Intel is not releasing updates to mitigate these potential vulnerabilities and has issued a Product Discontinuation Notice.

Refer to the public security advisory INTEL-SA-00391 for complete details on the Common Vulnerabilities and Exposures (CVEs) and Common Vulnerability Scoring System (CVSS) scores.

Additional information is available at our Security Blog.

Affected products

Intel® Converged Security and Management Engine (Intel® CSME), Intel® Active Management Technology (Intel® AMT), Intel® Standard Manageability:

| Updated version | Replaces version | Component |
|---|---|---|
| 11.8.82 | 11.0 through 11.8.80 | Intel® Converged Security and Management Engine (Intel® CSME), Intel® AMT, Intel® Standard Manageability |
| 11.11.82 | 11.10 through 11.11.80 | Intel® CSME, Intel® AMT, Intel® Standard Manageability |
| 11.22.82 | 11.20 through 11.22.80 | Intel® CSME, Intel® AMT, Intel® Standard Manageability |
| 12.0.70 | 12.0 through 12.0.69 | Intel® CSME, Intel® AMT, Intel® Standard Manageability |
| 14.0.45 | 14.0.0 through 14.0.44 | Intel® CSME, Intel® AMT, Intel® Standard Manageability |
| 14.5.25 | 14.5.0 through 14.5.24 | Intel® CSME, Intel® AMT, Intel® Standard Manageability |
| SPS_E5_04.04.04.400 | All previous SPS_E5_04 versions | Intel® Server Platform Services (Intel® SPS) |
| SPS_SoC-X_04.00.04.200 | All previous SPS_SoC-X_04 versions | Intel® SPS |
| SPS_SoC-A_04.00.04.300 | All previous SPS_SoC-A_04 versions | Intel® SPS |
| SPS_E3_04.01.04.200 | All previous SPS_E3_04 versions | Intel® SPS |
| SPS_E3_05.04.200 | All previous SPS_E3_05 versions | Intel® SPS |
| 3.1.80 | 3.1.0 through 3.1.79 | Intel® Trusted Execution Engine (Intel® TXE) |
| 4.0.30 | 4.0.0 through 4.0.29 | Intel® TXE |

 

Note

Intel® Manageability Engine (Intel® ME) 3.x through 10.x firmware versions are no longer supported. There are no new releases planned for these versions.

Additional information on CVE-2020-8705 for systems running Intel® Converged Security and Management Engine (Intel® CSME) version 11.8.x, 11.12.x, or 11.22.x

CVE-2020-8705 only applies to systems with Intel® Boot Guard enabled by the system manufacturer.

If your system has Intel Boot Guard enabled, Intel CSME version 11.8.82.0, 11.12.82.0, or 11.22.82.0 (or later) is required for mitigation.

If your system does not have Intel Boot Guard enabled, Intel CSME version 11.8.80, 11.12.80, or 11.22.80 (or later) is sufficient to mitigate the other vulnerabilities in SA-00391.

Check with your system manufacturer to verify if Intel Boot Guard is enabled on your system.

Use the Intel® Converged Security and Management Engine Version Detection Tool (Intel® CSMEVDT) to determine the CSME version installed on your system.
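The Boot Guard rule above can be applied across an inventory once the CSME version of each system is known. The following is an added example, not Intel code or part of the advisory: it covers only the three branches named in this section, assumes versions are recorded as three or four dotted numbers, and uses constructed hostnames and a hypothetical `confirm-boot-guard` status for systems whose Boot Guard state has not yet been confirmed by the manufacturer.

```python
import re

# Branches named in the CVE-2020-8705 section: (major, minor).
BRANCHES = {(11, 8), (11, 12), (11, 22)}
HOTFIX_WITH_BOOT_GUARD = 82     # 11.x.82.0 or later when Boot Guard is enabled
HOTFIX_WITHOUT_BOOT_GUARD = 80  # 11.x.80 or later when Boot Guard is not enabled


def parse_version(text):
    """Return (major, minor, hotfix) from '11.8.82' or '11.8.82.0' style strings."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised CSME version: {text!r}")
    return tuple(int(p) for p in m.group(1, 2, 3))


def assess(version, boot_guard):
    """boot_guard is True, False, or None when the manufacturer has not confirmed it."""
    major, minor, hotfix = parse_version(version)
    if (major, minor) not in BRANCHES:
        return "out-of-scope"        # consult the affected-products table instead
    if hotfix >= HOTFIX_WITH_BOOT_GUARD:
        return "mitigated"
    if hotfix >= HOTFIX_WITHOUT_BOOT_GUARD:
        if boot_guard is False:
            return "mitigated"       # CVE-2020-8705 does not apply without Boot Guard
        # Enabled needs .82; unknown stays open until the manufacturer answers.
        return "update-required" if boot_guard else "confirm-boot-guard"
    return "update-required"


# Constructed sample inventory: (hostname, CSME version, Boot Guard state).
INVENTORY = [
    ("ws-001", "11.8.82.0", True),
    ("ws-002", "11.8.80", False),
    ("ws-003", "11.12.80.1234", True),
    ("ws-004", "11.22.81", None),
    ("ws-005", "11.8.77.3664", False),
    ("ws-006", "14.0.39", None),
]


def report(inventory=INVENTORY):
    return {host: assess(version, bg) for host, version, bg in inventory}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```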

Recommendations

Contact your system or motherboard manufacturer to obtain a firmware or BIOS update that addresses this vulnerability. Intel cannot provide updates for systems or motherboards from other manufacturers.

Frequently Asked Questions


How do I mitigate these vulnerabilities?
Contact your system or motherboard manufacturer to obtain a firmware or BIOS update that addresses these vulnerabilities. Intel cannot provide updates for systems or motherboards from other manufacturers.

What are the Vulnerability Descriptions, Common Vulnerabilities and Exposures (CVE) Numbers, and Common Vulnerability Scoring System (CVSS) information for the identified vulnerabilities associated with Intel® AMT and ISM?
See the public security advisory INTEL-SA-00391 for full information on the CVEs associated with this announcement.

How can I determine if I'm impacted by this vulnerability?
The Intel CSME Detection Tool can be run on any platform to assess if the platform is running the latest firmware version. To use the tool

I have a system or motherboard manufactured by Intel (Intel® NUC, Intel® Mini PC) that is showing as vulnerable. What do I do?
Go to Intel Support and navigate to the support page for your product. You will be able to check for BIOS or firmware updates for your system.

I built my computer from components, so I don't have a system manufacturer to contact. What do I do?
Contact the manufacturer of the motherboard you purchased to build your system. They are responsible for distributing the correct BIOS or firmware update for the motherboard.

If you have additional questions on this issue, contact Intel Customer Support.