Intel® Converged Security Management Engine (Intel® CSME) Security Advisory: SA-00575

Documentation

Product Information & Documentation

000089300

04/05/2022

On February 8, 2022, Intel released information for security advisory INTEL-SA-00575. This information was released as part of Intel's regular product update process.

The security advisory discloses that a potential security vulnerability in the Intel® Active Management Technology (Intel® AMT) SDK, Intel® Setup
and Configuration Software (SCS) and Intel® Management Engine BIOS eXtensions (Intel® MEBx) may allow escalation of privilege.

Intel is releasing software and firmware updates to mitigate this potential vulnerability.

Refer to the public security advisory INTEL-SA-00575 for complete details on the Common Vulnerabilities and Exposures (CVEs) and Common Vulnerability Scoring System (CVSS) scores.

Affected products

Intel® AMT SDK before version 16.0.3.
Intel® SCS before version 12.2.
Intel® MEBx before versions 11.0.0.0012, 12.0.0.0011, 14.0.0.0004 and 15.0.0.0004.

Note

Firmware versions of Intel® AMT 2.x thru 10.x are no longer supported versions. There is no new general release planned for these versions.

Recommendations:

Intel recommends updating the Intel® AMT SDK to version 16.0.3 or later.
Intel recommends updating the Intel® SCS to version 12.2 or transition to the latest version of Intel® Endpoint Management Assistant (Intel® EMA).
Intel recommends that users of the Intel® MEBx upgrade to versions 11.0.0.0012, 12.0.0.0011, 14.0.0.0004 and 15.0.0.0004 or later provided by the system manufacturer that addresses this issue.

Updates are available for download at these locations:
/content/www/us/en/developer/tools/active-management-technology-sdk/overview.html
/content/www/us/en/download/19449/intel-endpoint-management-assistant-intel-ema.html

Chipset/SOC or Processor

MEBx mitigated version or higher

Intel® 500 Series Chipset

15.0.0.0004

Intel® 500 Series Chipset

15.0.0.0004

Intel® 400 Series Chipset

14.0.0.0004

8th Gen Intel® Core™ processor

Pentium® Gold processor series (G54XXU)

Celeron® processor 4000 series

 

12.0.0.0011

8th Gen Intel® Core™ processor

11.0.0.0012

Intel® 300 Series Chipset

12.0.0.0011

Intel® C240 series chipset

12.0.0.0011

Intel® 200 series chipset

Intel® 100 series chipset

11.0.0.0012

Intel® C230 series chipset

11.0.0.0012

Intel® 100 series chipset

11.0.0.0012

Intel® C420 chipset

11.0.0.0012

Intel® C620 series chipset

11.0.0.0012

 

Note

Intel® Manageability Engine (Intel® ME) 3.x through 10.x firmware versions are no longer supported. There are no new releases planned for these versions.

Recommendations

Contact your system or motherboard manufacturer to obtain a firmware or BIOS update that addresses this vulnerability. Intel cannot provide updates for systems or motherboards from other manufacturers.

 

Frequently Asked Questions

Click or the topic for details:

How do I mitigate these vulnerabilities?Contact your system or motherboard manufacturer to obtain a firmware or BIOS update that addresses this vulnerability. Intel cannot provide updates for systems or motherboards from other manufacturers.
What are the Vulnerability Descriptions, Common Vulnerabilities and Exposures (CVE) Numbers, and Common Vulnerability Scoring System (CVSS) information for the identified vulnerabilities associated with Intel® AMT and ISM?See the INTEL-SA-00575 Security Advisory for full information on the CVEs associated with this announcement.
How can I determine if I'm impacted by this vulnerability?The Intel® Converged Security and Management Engine (Intel® CSME) Detection Tool can be run on any platform to assess if the platform is running the latest firmware version. The tool is available in Download Center.
I have a system or motherboard manufactured by Intel (Intel® NUC, Intel® Mini PC) that is showing as vulnerable. What do I do?Go to Intel Support and navigate to the support page for your product. You will be able to check for BIOS or firmware updates for your system.
I built my computer from components, so I don't have a system manufacturer to contact. What do I do?Contact the manufacturer of the motherboard you purchased to build your system. They are responsible for distributing the correct BIOS or firmware update for the motherboard.

If you have additional questions on this issue, contact Intel Customer Support.