Full Report
Serious vulnerabilities have been found in Intel processors. These flaws also affect industrial equipment. Intel has released the relevant updates and equipment vendors now need to integrate them into their products.
Analysis Summary
Based on the incident report involving Intel Manageability Engines (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE), here is the summary of the vulnerabilities.
# Vulnerability: Intel ME, SPS, and TXE Security Flaws (Intel-SA-00086)
## CVE Details
- **CVE ID:** CVE-2017-5705, CVE-2017-5706, CVE-2017-5707, CVE-2017-5708, CVE-2017-5709, CVE-2017-5710, CVE-2017-5711, CVE-2017-5712
- **CVSS Score:** 6.7 - 8.2 (High)
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
## Affected Systems
- **Products:**
- 6th, 7th & 8th Generation Intel Core Processor Family
- Intel Xeon Processor E3-1200 v5 & v6 Product Family
- Intel Xeon Processor Scalable Family
- Intel Xeon Processor W Family
- Intel Atom C3000 Processor Family
- Apollo Lake Intel Atom Processor E3900 series
- Apollo Lake Intel Pentium
- Celeron N and J series Processors
- **Versions:**
- Intel ME versions 11.0/11.5/11.6/11.7/11.10/11.20
- Intel SPS version 4.0
- Intel TXE version 3.0
- **Configurations:** Systems utilizing Intel Active Management Technology (AMT) or Intel standard manageability features.
## Vulnerability Description
Multiple buffer overflow vulnerabilities exist in the Intel Manageability Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE). Specifically, flaws in the kernels of these subsystems allow an attacker to execute arbitrary code outside the visibility of the user and operating system. Because these components run at "Ring -3" (a level with more privilege than the OS kernel or Hypervisor), the flaw allows for persistent, undetectable persistence on the target hardware.
## Exploitation
- **Status:** PoC available (researcher-level exploit demonstrations)
- **Complexity:** Medium to High
- **Attack Vector:** Local access is required for most; however, if Intel AMT is provisioned, some vulnerabilities may be accessible via Network.
## Impact
- **Confidentiality:** High (Access to all system memory and data)
- **Integrity:** High (Ability to modify the OS or firmware)
- **Availability:** High (Ability to crash or brick the system)
## Remediation
### Patches
- **Intel Firmware Updates:** Intel has released updated firmware versions to OEMs. Users must check their specific computer manufacturer (Dell, HP, Lenovo, etc.) for BIOS/Firmware updates.
- **Required Versions:** ME 11.8.50, SPS 4.0.04, and TXE 3.1.50 or higher.
### Workarounds
- **Disable AMT:** If the system supports it, disable Intel Active Management Technology in the BIOS settings.
- **Unprovisioning:** Unprovision Intel AMT to reduce the network attack surface.
## Detection
- **Detection Tools:** Intel has released the "Intel-SA-00086 Detection Tool" (available for Windows and Linux) to assist systems administrators in checking for vulnerability status.
- **Indicators of Compromise:** Extremely difficult to detect via standard OS-level logging due to the execution occurring in the Management Engine.
## References
- Intel Security Advisory: hxxps[://]www[.]intel[.]com/content/www/us/en/security-center/advisory/intel-sa-00086[.]html
- Kaspersky ICS CERT Report: hxxps[://]ics-cert[.]kaspersky[.]com/publications/blog/2017/11/24/intel-releases-updates-to-close-me-sps-and-txe-vulnerabilities/
- CVE Details: hxxps[://]cve[.]mitre[.]org/cgi-bin/cvename[.]cgi?name=CVE-2017-5705