Summary:

In an effort to continuously improve the robustness of the Intel® Converged Security Management Engine (Intel® CSME), Intel has performed a security review of its Intel® CSME with the objective of continuously enhancing firmware resilience.

Description:

In an effort to continuously improve the robustness of the Intel® Converged Security Management Engine (Intel® CSME), Intel has performed a security review of its Intel® CSME with the objective of continuously enhancing firmware resilience.

As a result, Intel has identified security vulnerabilities that could potentially place affected platforms at risk.

Intel® Active Management Technology 3.x/4.x/5.x/6.x/7.x/8.x/9.x/10.x/11.x used in corporate PCs (Intel® vProTM, Intel® AMT), IOT devices, workstations and servers may be affected by these issues.



Affected products:

The issues affect Intel® Active Management Technology 3.x/4.x/5.x/6.x/7.x/8.x/9.x/10.x/11.x used in corporate PCs (Intel® vProTM, Intel® AMT), IOT devices, workstations and servers. These firmware versions may be found on certain products:

• Intel® Core™ 2 Duo vPro™ and Intel® Centrino™ 2 vPro™

• 1st, 2nd, 3rd, 4th, 5th, 6th, 7th, & 8th Generation Intel® Core™ Processor Family

• Intel® Xeon® Processor E3-1200 v5 & v6 Product Family (Greenlow)

• Intel® Xeon® Processor Scalable Family (Purley)

• Intel® Xeon® Processor W Family (Basin Falls)

CVE ID CVE Title CVSSv3 severity CVSSv3 Vectors CVE-2018-3628 Buffer overflow in HTTP handler in Intel® Active Management Technology in Intel Converged Security Manageability Engine Firmware 3.x,4.x,5.x,6.x,7.x,8.x,9.x, 10.x,11.x may allow an attacker to execute arbitrary code via the same subnet 8.1 (High) CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-3629 Buffer overflow in event handler in Intel® Active Management Technology in Intel Converged Security Manageability Engine Firmware 3.x,4.x,5.x,6.x,7.x,8.x,9.x, 10.x,11.x may allow an attacker to cause a denial of service via the same subnet 7.5 (High) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-3632 Memory corruption in Intel® Active Management Technology in Intel Converged Security Manageability Engine Firmware 6.x/7.x/8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 could be triggered by an attacker with local administrator permission on system 6.4 (Medium) CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Recommendations:

Intel recommends that end users check with their system manufacturers and apply any available updates as soon as practical, based on the versions listed below, or higher:

Associated CPU Generation Resolved Firmware versions or higher 4th Generation Intel® Core™ Processor Family Intel® CSME 9.1.43 Intel® CSME 9.5.63 5th Generation Intel® Core™ Processor Family Intel® CSME 10.0.57 6th Generation Intel® Core™ Processor Family Intel® CSME 11.8.50 7th Generation Intel® Core™ Processor Family Intel® CSME 11.8.50 8th Generation Intel® Core™ Processor Family Intel® CSME 11.8.50 Intel® Xeon® Processor E3-1200 v5 & v6 Product Family Intel® CSME 11.8.50 Intel® Xeon® Processor Scalable Family Intel® CSME 11.21.51 Intel® Xeon® Processor W Family Intel® CSME 11.11.50

- The Intel® CSME firmware for the following products is no longer supported. These products will not receive a firmware update: Intel® Core™ 2 Duo vPro™, Intel® Centrino™ 2 vPro™, 1st Generation Intel® Core™, 2nd Generation Intel® Core™, 3rd Generation Intel® Core™.

Acknowledgements:

CVE-2018-3628, CVE-2018-3629 and CVE-2018-3632 were discovered by Intel as part of continuously improving the robustness of the Intel® Converged Security Management Engine (Intel® CSME).

