| Intel ID: | INTEL-SA-00131 |
| Advisory Category: | Firmware |
| Impact of vulnerability: | Escalation of Privilege, Information Disclosure |
| Severity rating: | HIGH |
| Original release: | 09/11/2018 |
| Last revised: | 12/18/2018 |
Summary:
A potential security vulnerability in power management controller firmware may allow escalation of privilege and/or information disclosure. Intel is releasing firmware updates to mitigate this potential vulnerability.
Vulnerability Details
CVEID: CVE-2018-3643
Description: A vulnerability in Power Management Controller firmware in systems using specific Intel® Converged Security and Management Engine (CSME) before version 12.0.6 or Intel® Server Platform Services firmware before version 4.x.04 may allow a privileged user to potentially escalate privileges or disclose information via local access.
Description: A vulnerability in Power Management Controller firmware in systems using specific Intel® Converged Security and Management Engine (CSME) before version 11.8.55, 11.11.55, 11.21.55, 12.0.6 or Intel® Server Platform Services firmware before version 4.x.04 may allow an attacker with administrative privileges to uncover certain platform secrets via local access or to potentially execute arbitrary code.
CVSS Base Score: 8.2 High
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected Products:
Systems using the following firmware versions and associated products are impacted.
Products containing Intel® Server Platform Services firmware version 4.x:
| Impacted Product | Mitigated FW version |
|---|---|
| Intel® Atom® Processor C3000 Series Platform | 4.00.04.177.0 |
| Intel® Xeon® D-2100 Processor Family Platform | 4.00.04.077.0 |
| Intel® Xeon® Scalable Processor Family Platforms | 4.00.04.381.0 |
| Intel® C620 Series Chipset Family (PCIe End Point Mode) | 4.00.04.381.0 |
| Intel® QuickAssist Adapter 8960/8970 Products | 4.x.05 |
Products containing Intel® CSME firmware version 11.x or later:
| Impacted Product | Mitigated FW (CSME) version |
|---|---|
| 6th Generation Intel® Core™ Processor Family Platforms | 11.8.55 |
| 7th Generation Intel® Core™ Processor Family Platforms | 11.8.55 |
| 8th Generation Intel® Core™ Processor Family Platforms | 12.0.6 |
| Intel® Xeon® E3-1200/1500 v5 Processor Family Platforms | 11.8.55 |
| Intel® Xeon® E3-1200/1500 v6 Processor Family Platforms | 11.8.55 |
| Intel® Xeon® W Processor Family Platform | 11.11.55 |
| Intel® Core™ X-Series Processor Family Platform | 11.11.55 |
| Intel® Xeon® Scalable Processors | 11.21.55 |
Recommendations:
Intel recommends that end users check with their system manufacturers and apply any available updates, at the versions listed above or higher, as soon as practical.
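A fleet check against the CSME table above, as an added example that is not part of the advisory and is not Intel's code: it classifies each reported CSME version per firmware branch instead of against one global minimum. The function names, host names and build numbers are constructed, and the code assumes versions are reported as dotted numeric strings whose first two fields identify the branch.

```python
# Added example (not Intel's code): thresholds copied from the advisory's CSME table.
# Key = firmware branch (major, minor); value = first mitigated third field.
MITIGATED_CSME = {(11, 8): 55, (11, 11): 55, (11, 21): 55, (12, 0): 6}


def parse_version(text):
    """Split a dotted version into ints: '11.8.50.3425' -> (11, 8, 50, 3425)."""
    fields = text.strip().split(".")
    if len(fields) < 3 or not all(f.isascii() and f.isdigit() for f in fields):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(f) for f in fields)


def csme_status(version_text):
    """Classify one reported CSME version against the advisory's table."""
    try:
        major, minor, third = parse_version(version_text)[:3]
    except ValueError:
        return "unparseable"
    threshold = MITIGATED_CSME.get((major, minor))
    if threshold is None:
        # Branch absent from the advisory's table: do not guess, flag for review.
        return "branch-not-listed"
    # Compare numerically and only within the branch: string comparison ranks
    # "11.8.6" above "11.8.55", and one global minimum would pass 11.11.50.
    return "mitigated" if third >= threshold else "vulnerable"


def audit(inventory):
    """Return hosts whose status is anything other than 'mitigated'."""
    findings = {}
    for host, version in inventory.items():
        status = csme_status(version)
        if status != "mitigated":
            findings[host] = status
    return findings


# Constructed inventory (hypothetical hosts and build numbers).
SAMPLE_INVENTORY = {
    "wks-01": "11.8.50.3425",
    "wks-02": "11.8.55.3510",
    "wks-03": "11.11.50.1422",
    "wks-04": "12.0.6.1120",
    "srv-01": "11.21.51.1500",
    "lab-01": "11.0.0.1000",
    "lab-02": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Server Platform Services versions are not covered here, because the table lists a different mitigated build for each platform.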
Acknowledgements:
This issue was found internally by Intel.
Revision History
| Revision | Date | Description |
|---|---|---|
| 1.0 | 09/11/2018 | Initial Release |
| 1.1 | 12/18/2018 | Vulnerability description updated |