Intel® Converged Security Management Engine (Intel® CSME) Security Advisory: SA-00391
On November 10, 2020, Intel released information for security advisory INTEL-SA-00391. This information was released as part of Intel's regular product update process.
The security advisory discloses that potential security vulnerabilities in Intel® Converged Security and Manageability Engine (Intel® CSME), Intel® Server Platform Services (Intel® SPS), Intel® Trusted Execution Engine (Intel® TXE), Intel® Active Management Technology (Intel® AMT), Intel® Standard Manageability, and Intel® Dynamic Application Loader (Intel® DAL) may allow escalation of privilege, denial of service, or information disclosure.
Intel is releasing firmware and software updates to mitigate these potential vulnerabilities in:
- Intel CSME
- Intel SPS
- Intel TXE
- Intel® AMT
- Intel® Standard Manageability
Intel is not releasing updates to mitigate these potential vulnerabilities in Intel® DAL, and has issued a Product Discontinuation Notice for the Intel® DAL SDK.
Refer to the public security advisory INTEL-SA-00391 for complete details on the Common Vulnerabilities and Exposures (CVEs) and Common Vulnerability Scoring System (CVSS) scores.
Additional information is available at our Security Blog.
Affected products
Intel® Converged Security and Management Engine (Intel® CSME), Intel® Active Management Technology (Intel® AMT), Intel® Standard Manageability:
Updated version | Replaces version | Component |
11.8.82 | 11.0 through 11.8.80 | Intel® Converged Security and Management Engine (Intel® CSME), Intel® AMT, Intel® Standard Manageability |
11.11.82 | 11.10 through 11.11.80 | Intel® CSME, Intel® AMT, Intel® Standard Manageability |
11.22.82 | 11.20 through 11.22.80 | Intel® CSME, Intel® AMT, Intel® Standard Manageability |
12.0.70 | 12.0 through 12.0.69 | Intel® CSME, Intel® AMT, Intel® Standard Manageability |
14.0.45 | 14.0.0 through 14.0.44 | Intel® CSME, Intel® AMT, Intel® Standard Manageability |
14.5.25 | 14.5.0 through 14.5.24 | Intel® CSME, Intel® AMT, Intel® Standard Manageability |
SPS_E5_04.04.04.400 | All previous SPS_E5_04 versions | Intel® Server Platform Services (Intel® SPS) |
SPS_SoC-X_04.00.04.200 | All previous SPS_SoC-X_04 versions | Intel® SPS |
SPS_SoC-A_04.00.04.300 | All previous SPS_SoC-A_04 versions | Intel® SPS |
SPS_E3_04.01.04.200 | All previous SPS_E3_04 versions | Intel® SPS |
SPS_E3_05.04.200 | All previous SPS_E3_05 versions | Intel® SPS |
3.1.80 | 3.1.0 through 3.1.79 | Intel® Trusted Execution Engine (Intel® TXE) |
4.0.30 | 4.0.0 through 4.0.29 | Intel® TXE |
Note | Intel® Manageability Engine (Intel® ME) 3.x through 10.x firmware versions are no longer supported. There are no new releases planned for these versions. |
Additional information on CVE-2020-8705 with systems running Intel® Converged Security and Management Engine (Intel® CSME) version 11.8.x, 11.12.x, or 11.22.x
CVE-2020-8705 only applies to systems with Intel® Boot Guard enabled by the system manufacturer.
If your system has Intel Boot Guard enabled, the Intel CSME version 11.8.82.0, 11.12.82.0, or 11.22.82.0 (or later) is required for mitigation.
If your system does not have Intel Boot Guard enabled, Intel CSME version 11.8.80, 11.12.80, or 11.22.80 (or later) is sufficient to mitigate the other vulnerabilities in SA-00391.
Check with your system manufacturer to verify if Intel Boot Guard is enabled on your system. Use the Intel® Converged Security and Management Engine Version Detection Tool (Intel® CSMEVDT) to determine the CSME version installed on your system.
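The version rules above can be applied to a fleet inventory as follows. This is an added example, not Intel code or part of the advisory: the function names, status strings and inventory rows are constructed, the minimums are copied from the CSME rows of the table and from the CVE-2020-8705 note as printed, and an unconfirmed Boot Guard state is assumed to mean enabled. It covers Intel CSME/ME version strings only, not Intel SPS or Intel TXE.

```python
import re

# CSME rows transcribed from the table above: (lowest replaced branch, updated version).
TABLE = [
    ((11, 0), (11, 8, 82)), ((11, 10), (11, 11, 82)), ((11, 20), (11, 22, 82)),
    ((12, 0), (12, 0, 70)), ((14, 0), (14, 0, 45)), ((14, 5), (14, 5, 25)),
]
# CVE-2020-8705 note above: branch -> (minimum with Boot Guard, minimum without).
BOOT_GUARD_NOTE = {
    (11, 8): ((11, 8, 82), (11, 8, 80)),
    (11, 12): ((11, 12, 82), (11, 12, 80)),
    (11, 22): ((11, 22, 82), (11, 22, 80)),
}

def parse_version(text):
    """Return (major, minor, hotfix) from 'a.b.c' or 'a.b.c.build'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.\d+)?", text.strip())
    if not m:
        raise ValueError(f"not a CSME version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def assess(version, boot_guard=None):
    """Return (status, minimum) for one host.

    boot_guard: True, False, or None when the OEM has not confirmed it.
    Assumption of this example: None is treated as enabled (stricter minimum).
    """
    v = parse_version(version)
    branch = v[:2]
    if 3 <= v[0] <= 10:
        return ("unsupported", None)      # ME 3.x-10.x: no new releases planned
    if branch in BOOT_GUARD_NOTE:
        strict, relaxed = BOOT_GUARD_NOTE[branch]
        minimum = relaxed if boot_guard is False else strict
    else:
        minimum = next((fix for low, fix in TABLE if low <= branch <= fix[:2]), None)
        if minimum is None:
            return ("unlisted", None)     # branch not covered by this page
    status = "ok" if v >= minimum else "update"
    return (status, ".".join(map(str, minimum)))

# Constructed inventory rows (hostname, reported version, Boot Guard state).
INVENTORY = [("host-a", "11.8.80.3746", False), ("host-b", "11.8.80.3746", True),
             ("host-c", "12.0.69.1234", None), ("host-d", "9.1.45.3000", None)]

if __name__ == "__main__":
    for host, ver, bg in INVENTORY:
        print(host, ver, assess(ver, bg))
```

The same 11.8.80 build is reported as `ok` or `update` depending only on the Boot Guard state, so that field needs to come from the system manufacturer rather than be defaulted to disabled.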
Recommendations
Contact your system or motherboard manufacturer to obtain a firmware or BIOS update that addresses this vulnerability. Intel cannot provide updates for systems or motherboards from other manufacturers.
Frequently Asked Questions
How do I mitigate these vulnerabilities?
Contact your system or motherboard manufacturer to obtain a firmware or BIOS update that addresses these vulnerabilities. Intel cannot provide updates for systems or motherboards from other manufacturers.
What are the Vulnerability Descriptions, Common Vulnerabilities and Exposures (CVE) Numbers, and Common Vulnerability Scoring System (CVSS) information for the identified vulnerabilities associated with Intel® AMT and ISM?
See the public security advisory INTEL-SA-00391 for full information on the CVEs associated with this announcement.
How can I determine if I'm impacted by this vulnerability?
The Intel CSME Detection Tool can be run on any platform to assess if the platform is running the latest firmware version. To use the tool
I have a system or motherboard manufactured by Intel (Intel® NUC, Intel® Mini PC) that is showing as vulnerable. What do I do?
Go to Intel Support and navigate to the support page for your product. You will be able to check for BIOS or firmware updates for your system.
I built my computer from components, so I don't have a system manufacturer to contact. What do I do?
Contact the manufacturer of the motherboard you purchased to build your system. They are responsible for distributing the correct BIOS or firmware update for the motherboard.
If you have additional questions on this issue, contact Intel Customer Support.