The latest security information on Intel® products.

Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege

Intel ID INTEL-SA-00075
Product family Intel® Active Management Technology, Intel® Small Business Technology, and Intel® Standard Manageability
Impact of vulnerability Elevation of Privilege
Severity rating Critical
Original release May 01, 2017
Last revised Dec 01, 2017

Summary:

There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology versions firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products.  This vulnerability does not exist on Intel-based consumer PCs with consumer firmware, Intel servers utilizing Intel® Server Platform Services (Intel® SPS), or Intel® Xeon® Processor E3 and Intel® Xeon® Processor E5 workstations utilizing Intel® SPS firmware.

For general guidance on this issue please see - http://www.intel.com/content/www/us/en/architecture-and-technology/intel-amt-vulnerability-announcement.html 

As Intel becomes aware of computer maker schedules for updated firmware this list will be updated:

Description:

There are two ways this vulnerability may be accessed please note that Intel® Small Business Technology is not vulnerable to the first issue.

  • An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).
    • CVSSv3 9.8 Critical /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).
    • CVSSv3 8.4 High /AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products: 

The issue has been observed in Intel manageability firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel® Active Management Technology, Intel® Small Business Technology, and Intel® Standard Manageability.  Versions before 6 or after 11.6 are not impacted.

Recommendations:

Intel has released a downloadable discovery tool located at downloadcenter.intel.com, which will analyze your system for the vulnerability. IT professionals who are familiar with the configuration of their systems and networks can use this tool or can find more details below.

Step 1: Determine if you have an Intel® AMT, Intel® SBA, or Intel® ISM capable system.  If you determine that you do not have an Intel® AMT, Intel® SBA, or Intel® ISM capable system then no further action is required.

Step 2: Utilize the INTEL-SA-00075 Detection Guide to assess if your system has the impacted firmware. If you do have a version in the “Resolved Firmware” column no further action is required to secure your system from this vulnerability.

Step 3: Intel highly recommends checking with your system OEM for updated firmware.  Firmware versions that resolve the issue have a four digit build number that starts with a “3” (X.X.XX.3XXX) Ex: 8.1.71.3608.

Step 4: If a firmware update is not available from your OEM, mitigations are provided the INTEL-SA-00075 Mitigation Guide.

For assistance in implementing the mitigations steps provided in this document, please contact Intel Customer Support; from the Technologies section, select Intel® Active Management Technology (Intel® AMT).

 

Intel manageability
firmware

 

 

Associated 
CPU Generation

 

 

Resolved
Firmware

 

 

X.X.XX.3XXX

 

 

6.0.xx.xxxx

 

 

1st Gen Core

 

 

6.2.61.3535

 

 

6.1.xx.xxxx

 

 

6.2.61.3535

 

 

6.2.xx.xxxx

 

 

6.2.61.3535

 

 

7.0.xx.xxxx

 

 

2nd Gen Core

 

 

7.1.91.3272

 

 

7.1.xx.xxxx

 

 

7.1.91.3272

 

 

8.0.xx.xxxx

 

 

3rd Gen Core

 

 

8.1.71.3608

 

 

8.1.xx.xxxx

 

 

8.1.71.3608

 

 

9.0.xx.xxxx

 

 

4th Gen Core

 

 

 

 

 

9.1.41.3024

 

 

9.1.xx.xxxx

 

 

9.1.41.3024

 

 

9.5.xx.xxxx

 

 

9.5.61.3012

 

 

10.0.xx.xxxx

 

 

5th Gen Core

 

 

10.0.55.3000

 

 

11.0.xx.xxxx

 

 

6th Gen Core

 

 

11.0.25.3001

 

 

11.0.22.3001

 

 

11.0.18.3003

 

 

11.5.xx.xxxx

 

 

7th Gen Core

 

 

11.6.27.3264

 

 

11.6.xx.xxxx

 

 

11.6.27.3264

 

 

11.6.12.3202

11.6.10.3197

 

Acknowledgements: 

Intel would like to thank Maksim Malyutin from Embedi for reporting this issue and working with us on coordinated disclosure.

Revision history:

Revision

Date

Description

1.0

01-May-2017

Initial Release

1.1

01-May-2017

Detection update

1.2

02-May-2017

Typos

1.3

03-May-2017

Link updates

1.4

07-May-2017

Link Updates

1.5

08-May-2017

Link Updates

1.6

11-May-2017

Added links

1.7

12-May-2017

Added Link

1.8

15-May-2017

Linux Tools Added

1.9

19-May-2017

Added Link

2.0

06-Jun-2017

Added Link

2.1 

01-Dec-2017 

Added version 11.6.10.3197 to resolved firmware

CVE Name:  CVE-2017-5689

Legal Notices and Disclaimers

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

*Other names and brands may be claimed as the property of others.
Copyright © Intel Corporation 2018

Report a Vulnerability

If you have information about a security issue or vulnerability with an Intel branded product or technology, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

  • The products and versions affected
  • Detailed description of the vulnerability
  • Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

For issues related to Intel managed open source projects, please visit http://www.01.org/security

Need product support?

The secure@intel.com e-mail address should only be used for reporting security issues.

If you...

  • Have questions about the security features of an Intel product
  • Require technical support
  • Want product updates or patches


Please visit Support & Downloads.