Intel ID: INTEL-SA-00118
Product family: Intel® CSME
Impact of vulnerability: Elevation of Privilege
Severity rating: Important
Original release: 07/10/2018
Last revised: 07/10/2018

Summary:
In an effort to continuously improve the robustness of the Intel® Converged Security Management Engine (Intel® CSME), Intel has performed a security review of its Intel® CSME with the objective of continuously enhancing firmware resilience.

Description:
As a result of its security review of the Intel® Converged Security Management Engine (Intel® CSME), Intel has identified security vulnerabilities that could potentially place affected platforms at risk.

Affected products:
The issue affects Intel® CSME 11.x used in consumer/corporate PCs, IoT devices, and workstations. The affected firmware version may be found on these products:

• 6th, 7th, & 8th Generation Intel® Core™ Processor Family
• Intel® Xeon® Processor E3-1200 v5 & v6 Product Family (Greenlow)
• Intel® Xeon® Processor W Family (Basin Falls)

CVE ID: CVE-2018-3627
CVE Title: Logic bug in Intel® Converged Security Management Engine 11.x may allow an attacker to execute arbitrary code via local privileged access
CVSSv3 severity: 7.5 (High)
CVSSv3 Vectors: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Recommendations:
Intel recommends that end users check with their system manufacturers and apply any available updates as soon as practical, based on the versions listed below, or higher:

Associated CPU Generation | Resolved Firmware versions or higher
6th Generation Intel® Core™ Processor Family | Intel® CSME 11.8.50
7th Generation Intel® Core™ Processor Family | Intel® CSME 11.8.50
8th Generation Intel® Core™ Processor Family | Intel® CSME 11.8.50
Intel® Xeon® Processor E3-1200 v5 & v6 Product Family | Intel® CSME 11.8.50
Intel® Xeon® Processor W Family | Intel® CSME 11.11.50
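
One way to apply the resolved-version table across a fleet inventory, as an added example (not Intel's code). The thresholds come from this advisory; the host names, build numbers, status labels, family keys and function names are constructed, and the CSME version string is assumed to come from your own inventory tooling.

```python
# Added example: thresholds are copied from the advisory's table; inventory
# rows, family keys, status labels and function names are constructed.
RESOLVED = {
    "6th Generation Intel Core": (11, 8, 50),
    "7th Generation Intel Core": (11, 8, 50),
    "8th Generation Intel Core": (11, 8, 50),
    "Intel Xeon E3-1200 v5 & v6": (11, 8, 50),
    "Intel Xeon W": (11, 11, 50),
}

def parse_version(text):
    """Turn '11.8.50.1000' into (11, 8, 50, 1000); raise ValueError if malformed."""
    parts = text.strip().split(".")
    if not 3 <= len(parts) <= 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"unrecognised CSME version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(family, version_text):
    """Classify one host against the resolved versions in INTEL-SA-00118."""
    if family not in RESOLVED:
        return "unknown-family"
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unparsable-version"
    if version[0] != 11:
        return "not-csme-11"  # the advisory covers CSME 11.x only
    # Compare numerically, component by component. A plain string comparison
    # would rank "11.11.50" below "11.8.50" and mis-classify hosts.
    return "resolved" if version[:3] >= RESOLVED[family] else "update-needed"

# Constructed inventory: (host, CPU family, reported CSME version).
INVENTORY = [
    ("ws-001", "6th Generation Intel Core", "11.8.50.1000"),
    ("ws-002", "7th Generation Intel Core", "11.6.29.1000"),
    ("ws-003", "Intel Xeon W", "11.11.50"),
    ("ws-004", "Intel Xeon W", "11.8.50.1000"),
    ("ws-005", "8th Generation Intel Core", "12.0.1.1000"),
    ("ws-006", "8th Generation Intel Core", "n/a"),
]

def report(inventory):
    """Map each host name to its status."""
    return {host: assess(family, ver) for host, family, ver in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:10} {status}")
```
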

Acknowledgements:
CVE-2018-3627 was discovered by Intel as part of continuously improving the robustness of the Intel® Converged Security Management Engine (Intel® CSME).

Revision History

Revision | Date | Description
1.0 | 07/10/2018 | Initial Release

CVE Name: CVE-2018-3627


Source: INTEL-SA-00118