Intel® Converged Security and Management Engine, Intel® Server Platform Services, Intel® Trusted Execution Engine, and Intel® Active Management Technology Advisory (Intel-SA-00213)
On May 14, 2019, Intel released information for security advisory Intel-SA-00213. This information was released as part of Intel's regular product update process.
The security advisory discloses that multiple potential security vulnerabilities in Intel® Converged Security and Management Engine (Intel® CSME), Intel® Server Platform Services (Intel® SPS), Intel® Trusted Execution Engine (Intel® TXE), and Intel® Active Management Technology (Intel® AMT) may allow users to potentially:
- Escalate privileges.
- Disclose information.
- Cause a denial of service.
Intel is releasing Intel® CSME, Intel® SMS, Intel® TXE, and Intel® AMT updates to mitigate these potential vulnerabilities.
Refer to the public security advisory SA-00213 for complete details on the CVEs and CVSS scores.
You can find additional information on this vulnerability in the CVE-2019-0090 Technical Whitepaper.
February 11, 2020 Update: Intel is emphasizing previously provided security guidance related to CVE-2019-0090:
- Downgrading Intel® Management Engine Firmware (Intel® ME FW), which is a physical attack, is a known issue affecting any Intel® CSME version before and including 11.x, Intel® TXE 3.x, 4.x, and Intel® SPS 3.x, 4.x.
- End users should maintain physical possession of their platform.
- Intel highly recommends that system manufacturers follow Intel's requirement to complete the End of Manufacturing process and set manufacturing mode to disabled.
- Intel recommends that end users adopt best security practices by installing updates as soon as they become available and being continually vigilant to detect and prevent intrusions and exploitations.
Intel® CSME prior to versions 11.8.65, 11.11.65, 11.22.65, 12.0.35
|Intel® CSME, Intel® Active Management Technology, and Intel® DAL|
|Updated Intel® CSME Firmware Version||Replaces Intel® CSME Firmware Version|
|11.8.65||11.0 through 11.8.60|
|11.11.65||11.10 through 11.11.60|
|11.22.65||11.20 through 11.22.60|
|12.0.35||12.0 through 12.0.20|
Intel® Server Platform Services prior to version SPS_E3_05.01.03.094.0
|Intel® Server Platform Services|
|Updated Intel® Server Platform Services Firmware Version||Replaces Intel® Server Platform Services Firmware Version|
|SPS_E3_05.01.03.094.0||SPS_E3_05.00.00.000.0 through SPS_E3_05.00.04.027.0|
Intel® Trusted Execution Engine prior to versions TXE 3.1.65, TXE 4.0.15
|Intel® Trusted Execution Engine|
|Updated Intel® Trusted Execution Engine Firmware Version||Replaces Intel® Trusted Execution Engine Firmware Version|
|3.1.65||3.0 through 3.1.50|
|4.0.15||4.0 through 4.0.5|
|Note||Firmware versions Intel® Manageability Engine (Intel® ME) 3.x through 10.x, Intel® Trusted Execution Engine (Intel® TXE) 1.x through 2.x, and Intel® Server Platform Services 1.x through 2.X are no longer supported. Therefore, they weren't assessed for the vulnerabilities/CVEs listed in this Security Advisory. There's no new release planned for these versions.|
Contact your system or motherboard manufacturer to obtain a firmware or BIOS update that addresses this vulnerability. Intel can't provide updates for systems or motherboards from other manufacturers.
Frequently Asked Questions
Click or the topic for details:
What are the Vulnerability Descriptions, Common Vulnerabilities and Exposures (CVE) Numbers, and Common Vulnerability Scoring System (CVSS) information for the identified vulnerabilities associated with Intel Manageability Engine?
- See the Intel-SA-00213 Security Advisory for full information on the CVEs associated with this announcement.
How can I determine if I'm impacted by this vulnerability?Reboot your system and access the system BIOS. Intel® ME/Intel® CSME firmware information may be available in the BIOS information screens. If the information isn't available in the system BIOS, contact your system manufacturer for assistance.
I have a system or motherboard manufactured by Intel (Intel® NUC, Intel® Mini PC, Intel® Server, Intel® Desktop Board) that is showing as vulnerable. What do I do?Go to Intel® Support and navigate to the support page for your product. You'll be able to check for BIOS or firmware updates for your system.
I built my computer from components, but I don't have a system manufacturer to contact. What do I do?Contact the manufacturer of the motherboard you purchased to build your system. They are responsible for distributing the correct BIOS or firmware update for the motherboard.
If you have additional questions on this issue, contact Intel Customer Support.