Intel® Converged Security and Management Engine (Intel® CSME) Issue (SA-00125)

Documentation

Product Information & Documentation

000030079

11/30/2018

Intel was notified of an issue with the Intel® Converged Security and Management Engine (Intel® CSME) firmware. An attacker with physical access could do the following on an individual platform:
  • Bypass Intel® CSME anti-replay protection, thus allowing potential brute force attacks on secrets stored inside the Intel CSME;
  • Gain unauthorized access to the Intel® Management Engine BIOS Extension (Intel® MEBX) password; 
  • Tamper with the integrity of the Intel® CSME file system directories or the Server Platform Services and Trusted Execution Environment (Intel® TXE) data files.

See Security Advisory INTEL-SA-00125 for further details.

Affected products/technologies

The issue has been identified as a vulnerability in the Intel® CSME firmware versions: 11.0 through 11.8.50; 11.10 through 11.11.50; 11.20 through 11.21.51, Intel® Server Platform Services firmware version 4.0 (on Purley and Bakerville only) and Intel® TXE version 3.0 through 3.1.50.

Systems using Intel® CSME firmware versions prior to 11.0/ Intel® Server Platform Services 4.0/TXE 3.0 or using firmware versions 11.8.55/11.11.55/11.21.55/ Intel® Server Platform Services 5.0 and higher/TXE 3.1.55 or higher don't contain the identified vulnerability.

Intel® Converged Security and Management Engine (Intel® CSME)
Updated Intel® CSME Firmware version Replaces Intel® CSME Firmware version
11.8.55.3510 11.8.50.3399
11.11.55.1509 11.11.50.1402
11.21.55.1508 11.21.50.1400
Intel® Server Platform Services
Updated SPS Firmware version Replaces SPS Firmware version
SPS_SoC-A_04.00.04.177.0 SPS_SoC-A_04.00.04.172.0
SPS_SoC-X_04.00.04.077.0 SPS_SoC-X_04.00.04.057.0
SPS_E5_04.00.04.381.0 SPS_E5_04.00.04.340.0
Intel® Trusted Execution Engine (TXE)
Updated TXE Firmware version Replaces TXE Firmware version
3.1.55 3.1.50.2222

Contact your system or motherboard manufacturer to obtain an Intel CSME firmware update or BIOS update that addresses this vulnerability. Intel can't provide updates for systems or motherboards from other manufacturers.

The Intel SA-00125 Detection tool is available in Download Center to assist customers in determining if systems are vulnerable to this issue.