Intel® Converged Security Management Engine (Intel® CSME) Security Advisory: SA-00404
On September 8, 2020, Intel released information for security advisory INTEL-SA-00404. This information was released as part of Intel's regular product update process.
The security advisory discloses that potential security vulnerabilities might allow escalation of privilege in:
- Intel® Active Management Technology (Intel® AMT)
- Intel® Standard Manageability (ISM)
Intel is releasing firmware and software updates to mitigate these potential vulnerabilities.
Refer to the public security advisory INTEL-SA-00404 for complete details on the Common Vulnerabilities and Exposures (CVEs) and Common Vulnerability Scoring System (CVSS) scores.
Find additional information.
Affected products
Intel® Active Management Technology (Intel® AMT), Intel® Standard Manageability (ISM):
| Updated version | Replaces version |
| --- | --- |
| 11.8.79 | 11.0 through 11.8.77 |
| 11.11.79 | 11.10 through 11.11.77 |
| 11.22.79 | 11.20 through 11.22.77 |
| 12.0.68 | 12.0 through 12.0.64 |
| 14.0.39 | 14.0.0 through 14.0.33 |

Note: Intel® Manageability Engine (Intel® ME) 3.x through 10.x firmware versions are no longer supported. There are no new releases planned for these versions.
Recommendations
Contact your system or motherboard manufacturer to obtain a firmware or BIOS update that addresses this vulnerability. Intel cannot provide updates for systems or motherboards from other manufacturers.
Frequently Asked Questions
How do I mitigate these vulnerabilities?
Contact your system or motherboard manufacturer to obtain a firmware or BIOS update that addresses this vulnerability. Intel cannot provide updates for systems or motherboards from other manufacturers.
What are the Vulnerability Descriptions, Common Vulnerabilities and Exposures (CVE) Numbers, and Common Vulnerability Scoring System (CVSS) information for the identified vulnerabilities associated with Intel® AMT and ISM?
See the INTEL-SA-00404 Security Advisory for full information on the CVEs associated with this announcement.
How can I determine if I'm impacted by this vulnerability?
The Intel® Converged Security and Management Engine (Intel® CSME) Detection Tool can be run on any platform to assess if the platform is running the latest firmware version. The tool is available in Download Center.
I have a system or motherboard manufactured by Intel (Intel® NUC, Intel® Mini PC) that is showing as vulnerable. What do I do?
Go to Intel Support and navigate to the support page for your product. You will be able to check for BIOS or firmware updates for your system.
I built my computer from components, so I don't have a system manufacturer to contact. What do I do?
Contact the manufacturer of the motherboard you purchased to build your system. They are responsible for distributing the correct BIOS or firmware update for the motherboard.
Are there mitigating factors that might reduce the susceptibility of a system to an exploit of this issue?
- For the network-attack vector, if Intel® AMT is not provisioned, then the system is not vulnerable.
- For the local-attack vector, if the Intel® Local Manageability Service (Intel® LMS) is not installed or is in the stopped or disabled state, the system is not vulnerable.
- If the platform is configured to use Client Initiated Remote Access (CIRA) and environment detection is set to indicate that the platform is always outside the corporate network, the system is in CIRA-only mode and is not exposed to the network vector.
- Intel has provided detection guidance to various security vendors who have released signatures into their intrusion detection/prevention products as an extra measure to help protect customers as they plan their deployment of this update.
- For further details, refer to your Intel representative or system manufacturer.
How can I determine if my system meets these criteria?
- To determine if Intel® AMT is provisioned, download the Intel® Endpoint Management Assistant Configuration Tool (Intel® EMA Configuration Tool):
  - Install EMAConfigTool.msi and run the tool from an administrative Windows command-line interface (CLI) in C:\Program Files (x86)\Intel\EMAConfigTool.
  - The output of the Intel® EMA Configuration Tool will indicate if Intel® AMT is provisioned and the state of Local Manageability Service (Intel® LMS). The steps below will also show the state of Intel® LMS.
- To determine if Intel® Local Manageability Service (Intel® LMS) is in the stopped or disabled state from Windows Services:
  - Press the Windows* key on your keyboard and run services.msc.
  - Find Intel® Management and Security Application Local Management Service and check the Startup Type column.
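The following Python example is added here and is not Intel tooling or part of the advisory. It combines the version table under Affected products with the mitigating factors above to triage an inventory; the record fields (`fw`, `amt_provisioned`, `cira_only`, `lms`) and the host names are assumptions, to be filled in from the checks just described.

```python
import re

# (first affected, last affected, updated version), from "Affected products".
RANGES = [
    ((11, 0, 0), (11, 8, 77), (11, 8, 79)),
    ((11, 10, 0), (11, 11, 77), (11, 11, 79)),
    ((11, 20, 0), (11, 22, 77), (11, 22, 79)),
    ((12, 0, 0), (12, 0, 64), (12, 0, 68)),
    ((14, 0, 0), (14, 0, 33), (14, 0, 39)),
]

def parse_version(text):
    """Return (major, minor, hotfix); a trailing build number is ignored."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    if len(parts) < 2:
        raise ValueError(f"not a firmware version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def firmware_status(text):
    """Classify a version as affected / updated / unsupported / not listed."""
    v = parse_version(text)
    if 3 <= v[0] <= 10:
        return "unsupported", None      # ME 3.x-10.x: no new releases planned
    for low, high, fixed in RANGES:
        if low <= v <= high:
            return "affected", ".".join(map(str, fixed))
        if v[:2] == fixed[:2] and v >= fixed:
            return "updated", None
    return "not listed", None           # the page makes no statement here

def triage(host):
    """Apply the page's mitigating factors to one inventory record."""
    status, fixed = firmware_status(host["fw"])
    vectors = []
    if status == "affected":
        if host["amt_provisioned"] and not host["cira_only"]:
            vectors.append("network")
        if host["lms"] == "running":    # not installed/stopped/disabled: not exposed
            vectors.append("local")
    return {"host": host["name"], "firmware": status,
            "update_to": fixed, "exposed": vectors}

# Constructed sample inventory (hypothetical hosts and field names).
INVENTORY = [
    {"name": "pc-01", "fw": "11.8.77.3664", "amt_provisioned": True, "cira_only": False, "lms": "running"},
    {"name": "pc-02", "fw": "12.0.64", "amt_provisioned": False, "cira_only": False, "lms": "disabled"},
    {"name": "pc-03", "fw": "14.0.39", "amt_provisioned": True, "cira_only": False, "lms": "running"},
]
if __name__ == "__main__":
    print([triage(h) for h in INVENTORY])
```

Hosts reported as "unsupported" or "not listed" need manual review, since the table gives no updated version for them.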
If you have additional questions on this issue, contact Intel Customer Support.