-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2991
                   Vulnerabilities in Intel CPU firmware
                             23 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Intel Management Engine (ME)
                   Intel Server Platform Services (SPS
                   Intel Trusted Execution Engine (TXE)
Publisher:         Intel
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
                   Access Privileged Data          -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-5712 CVE-2017-5711 CVE-2017-5710
                   CVE-2017-5709 CVE-2017-5708 CVE-2017-5707
                   CVE-2017-5706 CVE-2017-5705 

Original Bulletin: 
   https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086
   https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Intel Q3'17 ME 11.x, SPS 4.0, and TXE 3.0 Security Review Cumulative Update

Intel ID:                 INTEL-SA-00086
Product family:           Various
Impact of vulnerability:  Elevation of Privilege
Severity rating:          Important
Original release:         Nov 20, 2017
Last revised:             Nov 22, 2017

Summary: 

In response to issues identified by external researchers, Intel has performed
an in-depth comprehensive security review of our Intel Management Engine (ME),
Intel Server Platform Services (SPS), and Intel Trusted Execution Engine
(TXE) with the objective of enhancing firmware resilience.

As a result, Intel has identified security vulnerabilities that could
potentially place impacted platforms at risk.

Description: 

In response to issues identified by external researchers, Intel has performed
an in-depth comprehensive security review of its Intel Management Engine (ME),
Intel Trusted Execution Engine (TXE), and Intel Server Platform Services
(SPS) with the objective of enhancing firmware resilience.

As a result, Intel has identified several security vulnerabilities that could
potentially place impacted platforms at risk. Systems using ME Firmware
versions 11.0/11.5/11.6/11.7/11.10/11.20, SPS Firmware version 4.0, and TXE
version 3.0 are impacted.

 

Affected products: 

 

  * 6th, 7th & 8th Generation Intel Core Processor Family
  * Intel Xeon Processor E3-1200 v5 & v6 Product Family
  * Intel Xeon Processor Scalable Family
  * Intel Xeon Processor W Family
  * Intel Atom C3000 Processor Family
  * Apollo Lake Intel Atom Processor E3900 series
  * Apollo Lake Intel Pentium
  * Celeron N and J series Processors

Based on the items identified through the comprehensive security review, an
attacker could gain unauthorized access to platform, Intel ME feature, and 3rd
party secrets protected by the Intel Management Engine (ME), Intel Server
Platform Service (SPS), or Intel Trusted Execution Engine (TXE).

This includes scenarios where a successful attacker could:

  * Impersonate the ME/SPS/TXE, thereby impacting local security feature
    attestation validity.
  * Load and execute arbitrary code outside the visibility of the user and
    operating system.
  * Cause a system crash or system instability.
  * For more information, please see this Intel Support article

If the INTEL-SA-00086 Detection Tool reported your system being vulnerable,
please check with your system manufacturer for updated firmware.  Links to
system manufacturer pages concerning this issue can be found at http://
www.intel.com/sa-00086-support.

If you need further assistance, contact Customer Support to submit an online
service request.

Recommendations: 

The following CVE IDs are covered in this security advisory:

 Intel Manageability Engine Firmware 11.0.x.x/11.5.x.x/11.6.x.x/11.7.x.x/
11.10.x.x/11.20.x.x

+---------------------------------------------------------------------------------------------+
|   CVE ID    |                    CVE Title                    |       CVSSv3 Vectors        |
|-------------+-------------------------------------------------+-----------------------------|
|CVE-2017-5705|Multiple buffer overflows in kernel in Intel     |8.2 High                     |
|             |Manageability Engine Firmware 11.0/11.5/11.6/11.7|                             |
|             |/11.10/11.20 allow attacker with local access to |AV:L/AC:L/PR:H/UI:N/S:C/C:H/ |
|             |the system to execute arbitrary code.            |I:H/A:H                      |
|-------------+-------------------------------------------------+-----------------------------|
|CVE-2017-5708|Multiple privilege escalations in kernel in Intel|7.5 High                     |
|             |Manageability Engine Firmware 11.0/11.5/11.6/11.7|                             |
|             |/11.10/11.20 allow unauthorized process to access|                             |
|             |privileged content via unspecified vector.       |                             |
|             |                                                 |AV:L/AC:H/PR:L/UI:N/S:C/C:H/ |
|             |                                                 |I:H/A:N                      |
|-------------+-------------------------------------------------+-----------------------------|
|CVE-2017-5711|Multiple buffer overflows in Active Management   |6.7 Moderate                 |
|             |Technology (AMT) in Intel Manageability Engine   |                             |
|             |Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/ |AV:L/AC:L/PR:H/UI:N/S:U/C:H/ |
|             |11.20 allow attacker with local access to the    |I:H/A:H                      |
|             |system to execute arbitrary code with AMT        |                             |
|             |execution privilege.                             |                             |
|-------------+-------------------------------------------------+-----------------------------|
|CVE-2017-5712|Buffer overflow in Active Management Technology  |7.2 High                     |
|             |(AMT) in Intel Manageability Engine Firmware 8.x/|                             |
|             |9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allows  |AV:N/AC:L/PR:H/UI:N/S:U/C:H/ |
|             |attacker with remote Admin access to the system  |I:H/A:H                      |
|             |to execute arbitrary code with AMT execution     |                             |
|             |privilege.                                       |                             |
+---------------------------------------------------------------------------------------------+

 

Intel Manageability Engine Firmware 8.x/9.x/10.x*

+----------------------------------------------------------------------------------------------+
|    CVE ID    |                    CVE Title                    |       CVSSv3 Vectors        |
|--------------+-------------------------------------------------+-----------------------------|
|CVE-2017-5711*|Multiple buffer overflows in Active Management   |6.7 Moderate                 |
|              |Technology (AMT) in Intel Manageability Engine   |                             |
|              |Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/ |AV:L/AC:L/PR:H/UI:N/S:U/C:H/ |
|              |11.20 allow attacker with local access to the    |I:H/A:H                      |
|              |system to execute arbitrary code with AMT        |                             |
|              |execution privilege.                             |                             |
|--------------+-------------------------------------------------+-----------------------------|
|CVE-2017-5712*|Buffer overflow in Active Management Technology  |7.2 High                     |
|              |(AMT) in Intel Manageability Engine Firmware 8.x/|                             |
|              |9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allows  |AV:N/AC:L/PR:H/UI:N/S:U/C:H/ |
|              |attacker with remote Admin access to the system  |I:H/A:H                      |
|              |to execute arbitrary code with AMT execution     |                             |
|              |privilege.                                       |                             |
+----------------------------------------------------------------------------------------------+

*The twoCVE IDs above were also resolved in earlier generations of corporate
versions of Intel ME, where Intel Active Management Technology shares the same
code base.

Server Platform Service 4.0.x.x

+--------------------------------------------------------------------------------------------+
|   CVE ID    |                 CVE Title                  |         CVSSv3 Vectors          |
|-------------+--------------------------------------------+---------------------------------|
|CVE-2017-5706|Multiple buffer overflows in kernel in Intel|CVSS 8.2 High                    |
|             |Server Platform Services Firmware 4.0 allow |                                 |
|             |attacker with local access to the system to |AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/ |
|             |execute arbitrary code.                     |A:H                              |
|-------------+--------------------------------------------+---------------------------------|
|CVE-2017-5709|Multiple privilege escalations in kernel in |CVSS 7.5 High                    |
|             |Intel Server Platform Services Firmware 4.0 |                                 |
|             |allows unauthorized process to access       |AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/ |
|             |privileged content via unspecified vector.  |A:N                              |
+--------------------------------------------------------------------------------------------+

 IntelTrusted Execution Engine 3.0.x.x

+--------------------------------------------------------------------------------------------+
|   CVE ID    |                 CVE Title                  |         CVSSv3 Vectors          |
|-------------+--------------------------------------------+---------------------------------|
|CVE-2017-5707|Multiple buffer overflows in kernel in Intel|CVSS 8.2 High                    |
|             |Trusted Execution Engine Firmware 3.0 allow |                                 |
|             |attacker with local access to the system to |AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/ |
|             |execute arbitrary code.                     |A:H                              |
|-------------+--------------------------------------------+---------------------------------|
|CVE-2017-5710|Multiple privilege escalations in kernel in |CVSS 7.5 High                    |
|             |Intel Trusted Execution Engine Firmware 3.0 |                                 |
|             |allows unauthorized process to access       |AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/ |
|             |privileged content via unspecified vector.  |A:N                              |
+--------------------------------------------------------------------------------------------+

Intel has released a downloadable detection tool located at http://
www.intel.com/sa-00086-support , which will analyze your system for the
vulnerabilities identified in this security advisory.

Intel highly recommends that all customers install the updated firmware and
Intel Capability License Service on impacted platforms.

+-------------------------------------------------------------------------------+
|       Associated CPU Generation       |       Resolved Firmware version       |
|---------------------------------------+---------------------------------------|
|6th Generation Intel  Core  Processor  |Recommended: Intel  ME 11.8.50.3425 or |
|Family                                 |higher                                 |
|                                       |                                       |
|                                       |Minimum: Intel  ME 11.8.50.3399        |
|                                       |                                       |
|6^th Gen X-Series Intel  Core^TM       |Recommended: Intel  ME 11.11.50.1422 or|
|Processor                              |higher                                 |
|                                       |                                       |
|                                       |Minimum: Intel  ME 11.11.50.1402       |
|---------------------------------------+---------------------------------------|
|7th Generation Intel  Core  Processor  |Recommended: Intel  ME 11.8.50.3425 or |
|Family                                 |higher                                 |
|                                       |                                       |
|                                       |Minimum: Intel  ME 11.8.50.3399        |
|                                       |                                       |
|7^th Gen X-Series Intel  Core^TM       |Recommended: Intel  ME 11.11.50.1422 or|
|Processor                              |higher                                 |
|                                       |                                       |
|                                       |Minimum: Intel  ME 11.11.50.1402       |
|---------------------------------------+---------------------------------------|
|8th Generation Intel  Core  Processor  |Recommended: Intel  ME 11.8.50.3425 or |
|Family                                 |higher                                 |
|                                       |                                       |
|                                       |Minimum: Intel  ME 11.8.50.3399        |
|---------------------------------------+---------------------------------------|
|Intel  Xeon  Processor E3-1200 v5      |Recommended: Intel  ME 11.8.50.3425 or |
|Product Family                         |higher                                 |
|                                       |                                       |
|                                       |Minimum: Intel  ME 11.8.50.3399        |
|                                       |                                       |
|                                       |Intel  SPS 4.1.4.054                   |
|---------------------------------------+---------------------------------------|
|Intel  Xeon  Processor E3-1200 v6      |Recommended: Intel  ME 11.8.50.3425 or |
|Product Family                         |higher                                 |
|                                       |                                       |
|                                       |Minimum: Intel  ME 11.8.50.3399        |
|                                       |                                       |
|                                       |Intel  SPS 4.1.4.054                   |
|---------------------------------------+---------------------------------------|
|Intel  Xeon  Processor Scalable Family |Intel SPS 4.0.04.288                   |
|                                       |                                       |
|                                       |Recommended: Intel  ME 11.21.50.1424 or|
|                                       |higher                                 |
|                                       |                                       |
|                                       |Minimum: Intel  ME 11.21.50.1400       |
|---------------------------------------+---------------------------------------|
|Intel  Xeon  Processor W Family        |Recommended: Intel  ME 11.11.50.1422 or|
|                                       |higher                                 |
|                                       |                                       |
|                                       |Minimum: Intel  ME 11.11.50.1402       |
|---------------------------------------+---------------------------------------|
|Intel  Atom  C3000 Processor Family    | Intel  SPS 4.0.04.139                 |
|                                       |                                       |
|                                       |                                       |
|---------------------------------------+---------------------------------------|
|Apollo Lake Intel  Atom Processor E3900|Intel  TXE Firmware 3.1.50.2222        |
|series                                 |Production version release             |
|---------------------------------------+---------------------------------------|
|Apollo Lake Intel  Pentium             |Intel  TXE Firmware 3.1.50.2222        |
|                                       |Production version release             |
|---------------------------------------+---------------------------------------|
|Celeron  N series Processors           |Intel  TXE Firmware 3.1.50.2222        |
|                                       |Production version release             |
|---------------------------------------+---------------------------------------|
|Celeron  J series Processors           |Intel  TXE Firmware 3.1.50.2222        |
|                                       |Production version release             |
+-------------------------------------------------------------------------------+

Acknowledgements: 

External Security Researchers and Intel Validation.

Intel would like to thank Mark Ermolov and Maxim Goryachy from Positive
Technologies Research for working collaboratively with Intel on a coordinated
disclosure and providing the initial finding for CVE-2017-5705, CVE-2017-5706
and CVE-2017-5707.

Related Information: 

http://www.intel.com/sa-00086-support

Revision history: 

Revision Date              Description
1.0      20-November-2017  Initial Release
1.1      21-November-2017  Updated Recommended and minimum versions 
1.2      22-November-2017  Updated links to online support page


Disclaimer:


INFORMATION IN THIS DOCUMENT IS PROVIDED "AS IS" IN CONNECTION WITH INTEL
PRODUCTS. YOUR USE OF THE INFORMATION IN THE DOCUMENT OR MATERIALS LINKED FROM
THE DOCUMENT IS AT YOUR OWN RISK. INTEL RESERVES THE RIGHT TO CHANGE OR UPDATE
THIS DOCUMENT AT ANY TIME. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS
OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL
DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL
PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR
PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER
INTELLECTUAL PROPERTY RIGHT. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR
OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWhYPtYx+lLeg9Ub1AQhMUA/9FuDmCUBOVCINvZ/7+7vheAXIhJyKAk05
DVcE8JG7oqxp5eKvR1mfu08H98COaCktAvDvkwpyA/H6IwtqMoAGWKDm5gqVrnzQ
tKeqnO9s9sNI6lKt8FWaG7tPbNhy7lSwckRYM6Z+PnqSudV0tEcHgMr4WKJlwU72
+DLLIRceOsztG9JvBq5sWDGP68AjrWh9StMJPKTGdUY7OhPTfFUBKBAkzxcocDCw
Mn9zh6aRIGyHcYX+Y3mA4kx/PSRLGAaLg7k3yAKjmVNSNEMnmn/J+rmWFiPMK8Ug
4YKd/j0zc8e6ybS5ZQoVMbcGg0t8r+ci9BshEz86oNj52EG/CGH0XDlYYMhTRp+V
5+digw2QTRL/4PRNPTWzOB7cB0wG9Q3aRv+rQzU22/Vf0XFOb9HRz2QjeCANiRKw
98Q5AJ4LNzczOOvBQ1LBAUCeHN/407KAisc25EAyj+nVzgsMJAkvkP63u1FsqcO6
IdJggvPAJE9PxIj6DDVjUdCOohXQY+e9aQXUxP2X5ADY/OM38jFA5fxcbIFMNbV5
sAcF/xoNV9lp834qyoh6paMEqynGkE1uMDW53gEcSfh8KUNdB3TuoaihmA7dJTy0
/zup63uTQq2pu4J7uWWkvlYNR+JB1ONuazo3qO00+Ell0t3A339VUORPcTNBal2N
INTIp7/8gnE=
=lm06
-----END PGP SIGNATURE-----