Potential security vulnerabilities in the Intel® Converged Security Management Engine (CSME), Active Management Technology (AMT) and Intel® Standard Manageability software may allow escalation of privilege or denial of service. Intel is releasing software updates to mitigate these potential vulnerabilities.
Description: Improper input validation in some firmware for Intel(R) AMT and Intel(R) Standard Manageability before versions 11.8.94, 11.12.94, 11.22.94, 12.0.93, 14.1.70, 15.0.45, and 16.1.27 in Intel(R) CSME may allow an unauthenticated user to potentially enable denial of service via network access.
CVSS Base Score: 8.6 High
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Description: Improper input validation in firmware for some Intel(R) Converged Security and Management Engine before versions 15.0.45 and 16.1.27 may allow a privileged user to potentially enable denial of service via local access.
CVSS Base Score: 7.2 High
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H
Description: Improper access control in the Intel(R) CSME software installer before version 2126.96.36.199 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVSS Base Score: 6.7 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Affected Products: Intel® CSME software installer before version 2306.4.10.0. Intel® CSME, Intel® AMT and Intel® Standard Manageability before versions 3.1.94, 4.0.48, 11.12.94, 11.22.94, 11.8.94, 12.0.93, 13.0.65, 13.30.35, 13.50.25, 14.1.70, 14.5.50, 15.0.45, and 16.1.27.
Intel recommends that users of Intel® Converged Security Management Engine (CSME), Active Management Technology (AMT) and Intel® Standard Manageability software update to the latest version provided by the system manufacturer that addresses these issues.
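A triage check for the fixed firmware versions listed above, as an added example (not Intel's code). It assumes that major.minor identifies a firmware branch and that inventory tools report dotted numeric versions; the host names and sample versions are constructed.

```python
import re

# Fixed firmware versions, copied from the advisory's list above.
FIXED = ["3.1.94", "4.0.48", "11.8.94", "11.12.94", "11.22.94", "12.0.93",
         "13.0.65", "13.30.35", "13.50.25", "14.1.70", "14.5.50",
         "15.0.45", "16.1.27"]

def parse(version):
    """Turn '11.8.93.4323' into (11, 8, 93, 4323); reject anything else."""
    if not re.fullmatch(r"[0-9]+(\.[0-9]+){2,3}", version.strip()):
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(p) for p in version.strip().split("."))

# Assumption: major.minor identifies the branch, so 13.0 and 13.30 are
# separate release lines, each with its own fixed version.
FIXED_BY_BRANCH = {parse(v)[:2]: parse(v) for v in FIXED}

def triage(version):
    """Classify one reported version against the fix for its branch."""
    try:
        v = parse(version)
    except ValueError:
        return "unparseable"
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unknown-branch"   # not in the advisory's list; check by hand
    # Compare as integers: as strings, "9" would sort after "35".
    return "affected" if v[:3] < fixed else "fixed"

def triage_inventory(inventory):
    """Map host -> status for a {host: version} inventory."""
    return {host: triage(ver) for host, ver in inventory.items()}

# Constructed inventory (hypothetical hosts and versions), not real data.
SAMPLE = {
    "ws-001": "11.8.93.4323",
    "ws-002": "13.30.9.1200",
    "ws-003": "16.1.27.2176",
    "ws-004": "12.5.1.1000",
    "ws-005": "n/a",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown-branch` or `unparseable` need a manual check against the system manufacturer's release notes rather than being treated as fixed.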
CVE-2022-29871 was found externally. CVE-2022-38102 and CVE-2022-36392 were found internally by Intel employees.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.