Intel® Converged Security Management Engine (Intel® CSME) Security Advisory: SA-00295

Documentation

Product Information & Documentation

000056594

06/11/2020

On June 8, 2020, Intel released information for security advisory Intel-SA-00295. This information was released as part of Intel's regular product update process.

The security advisory discloses that potential security vulnerabilities might allow escalation of privilege, denial of service, or information disclosure in:

  • Intel® Converged Security and Manageability Engine (Intel® CSME)
  • Intel® Server Platform Services (Intel® SPS)
  • Intel® Trusted Execution Engine (Intel® TXE)
  • Intel® Active Management Technology (Intel® AMT)
  • Intel® Standard Manageability
  • Intel® Dynamic Application Loader (Intel® DAL)

Intel is releasing firmware and software updates to mitigate these potential vulnerabilities.

Refer to the public security advisory SA-00295 for complete details on the CVEs and CVSS scores.

You can find additional information on this vulnerability in the CVE-2020-0566Technical Whitepaper.

Affected products

Intel® CSME, Intel® AMT, Intel® DAL, Intel® Standard Manageability, and Intel® DAL software:

Updated Version Replaces Version

11.8.77
11.0 through 11.8.76
11.11.77 11.10 through 11.11.76
11.22.77 11.20 through 11.22.76
12.0.64 12.0 through 12.0.63
13.0.32 or higher      13.0.0 through 13.0.31
14.0.33 or higher 14.0.0 through 14.0.32
14.5.12 or higher 14.5.11

Intel® SPS:

Updated Version Replaces Version
SPS_E5_04.00.04.380.0 SPS_E5_04.00.00.000.0 through SPS_E5_04.00.04.379.0
SPS_SoC-X_04.00.04.128.0 SPS_SoC-X_04.00.00.000.0 through SPS_SoCX_04.00.04.127.0
SPS_SoC-A_04.00.04.211.0 SPS_SoC-A_04.00.00.000.0 through SPS_SoCA_04.00.04.210.0
SPS_E3_04.01.04.109.0 SPS_E3_04.01.00.000.0 through SPS_E3_04.01.04.108.0
SPS_E3_04.08.04.070.0 SPS_E3_04.08.04.000.0 through SPS_E3_04.08.04.065.0

Intel® TXE:

Updated Version Replaces Version
3.1.75 3.0 through 3.1.70
4.0.25 4.0 through 4.0.20

 

Note

Intel® Manageability Engine (Intel® ME) 3.x through 10.x, Intel® Trusted Execution Engine (Intel® TXE) 1.x through 2.x, and Intel® Server Platform Services (Intel® SPS) 1.x through 2.X firmware versions are no longer supported. These firmware versions were not assessed for the vulnerabilities/CVEs listed in this Security Advisory. There are no new releases planned for these versions.

Recommendations

Contact your system or motherboard manufacturer to obtain a firmware or BIOS update that addresses this vulnerability. Intel cannot provide updates for systems or motherboards from other manufacturers.

 

Frequently Asked Questions

Click or the topic for details:

What are the Vulnerability Descriptions, Common Vulnerabilities and Exposures (CVE) Numbers, and Common Vulnerability Scoring System (CVSS) information for the identified vulnerabilities associated with Intel® Manageability Engine?See the Intel-SA-00295 Security Advisory for full information on the CVEs associated with this announcement.
How can I determine if I'm impacted by this vulnerability?Reboot your system and access the system BIOS. Intel® Manageability Engine (Intel® ME)/Intel® Converged Security and Manageability Engine (Intel® CSME) firmware information might be available in the BIOS information screens. If the information isn't available in the system BIOS, contact your system manufacturer for assistance.
I have a system or motherboard manufactured by Intel (Intel® NUC, Intel® Mini PC, Intel® Server, Intel® Desktop Board) that is showing as vulnerable. What do I do?Go to Intel Support and navigate to the support page for your product. You'll be able to check for BIOS or firmware updates for your system.
I built my computer from components, but I don't have a system manufacturer to contact. What do I do?Contact the manufacturer of the motherboard you purchased to build your system. They're responsible for distributing the correct BIOS or firmware update for the motherboard.

Additional information on CVE-2020-0594, CVE-2020-0595, CVE-2020-0596, CVE-2020-0597. These CVEs are vulnerabilities in Intel® AMT configured with IPv6.

For a system to be vulnerable to these CVEs, these 2 conditions must co-exist:

  • Intel AMT is enabled and in either the "Provisioned" or "In-provisioning" states.
    AND
  • Intel AMT is configured with IPv6.

For example:
- If Intel AMT is un-provisioned, the system is not exposed to these vulnerabilities.
- If Intel AMT IPv6 is not configured, the system is not exposed to these vulnerabilities.

How can I determine if my system meets these criteria?Run the MEInfo tool for your system. The MEInfo tool is available from your system manufacturer.
       Intel® AMT configured with IPv6:                                                                                                                                 Intel® AMT NOT configured with IPv6:

If you have additional questions on this issue, contact Intel Customer Support.