A potential security vulnerability in the CSME subsystem may allow escalation of privilege, denial of service, and information disclosure. Intel is releasing firmware updates to mitigate this potential vulnerability.
Description: Improper Authentication in subsystem in Intel® CSME versions 12.0 through 12.0.48 (IOT only: 12.0.56), versions 13.0 through 13.0.20, versions 14.0 through 14.0.10 may allow a privileged user to potentially enable escalation of privilege, denial of service or information disclosure via local access.
CVSS Base Score: 8.2 High
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected products: Intel® CSME versions before 12.0.49 (IOT only: 12.0.56), 13.0.21, 14.0.11.
Intel recommends updating to Intel® CSME versions 12.0.49, 13.0.21, and 14.0.11 or later, provided by the system manufacturer, that address these issues.
Intel recommends that IOT customers using Intel® CSME version 12.0.55 update to 12.0.56 or later, provided by the system manufacturer, that address these issues.
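To triage a fleet against the version boundaries above, the following added example (not Intel's code) classifies reported CSME firmware versions by branch. It assumes versions are reported as dotted numbers with an optional fourth build field that is ignored, and it reads "IOT only: 12.0.56" as the fixed version for IOT systems on the 12.0 branch; the host names and version strings in the sample are constructed.

```python
import re

# First fixed release per major.minor branch, taken from the advisory text.
FIXED = {(12, 0): 49, (13, 0): 21, (14, 0): 11}
IOT_FIXED_12 = 56  # assumption: "IOT only: 12.0.56" is the IOT fix level on 12.0

# major.minor.hotfix with an optional build field (assumed reporting format).
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def classify(version: str, iot: bool = False) -> str:
    """Return 'affected', 'fixed', 'not-listed' or 'unparseable'."""
    m = _VERSION.match(version)
    if not m:
        return "unparseable"  # surface bad inventory data instead of guessing
    major, minor, hotfix = (int(m.group(i)) for i in (1, 2, 3))
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "not-listed"  # branch is outside the ranges this advisory names
    if iot and (major, minor) == (12, 0):
        fixed = IOT_FIXED_12
    return "affected" if hotfix < fixed else "fixed"


def triage(inventory):
    """Map each (host, version, iot) row to its classification."""
    return {host: classify(version, iot) for host, version, iot in inventory}


# Constructed inventory rows: (host, reported CSME version, is IOT system).
SAMPLE = [
    ("laptop-01", "12.0.45.1509", False),
    ("laptop-02", "12.0.49.1534", False),
    ("kiosk-07", "12.0.55.1521", True),
    ("desktop-03", "13.0.21.1208", False),
    ("tablet-04", "14.0.10.1204", False),
    ("server-09", "11.8.70.3626", False),
    ("unknown-1", "n/a", False),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host:12} {verdict}")
```

A "not-listed" result only means this advisory does not name that branch; it says nothing about other advisories that may apply to it.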
This issue was found internally by Intel employees. Intel would like to thank Chedva Gottesman.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.