Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Remote Privilege Escalation

2017/08/07


Potential Security Impact: Remote or local exploitation of manageability features leading to unprivileged system access

Summary

A security vulnerability has been discovered in Intel’s manageability firmware that makes platforms vulnerable to unprivileged system access and impacts all Intel OEMs. The flaw originated in the development and deployment of Intel's manageability firmware. It allows an unprivileged network or local attacker to gain system privileges on ASUS systems that support Intel manageability (AMT, ISM, and SBT).

Intel has released a security advisory (https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr) as noted below:

There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products.

There are two ways this vulnerability may be accessed. Please note that Intel® Small Business Technology is not vulnerable to the first issue.

  • An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).
  • An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).


Mitigation Strategy for Customers

ASUS is working on qualifying and applying the fixes provided by Intel on supported systems. Moreover, Intel has released a downloadable discovery tool located at downloadcenter.intel.com, which will analyze your system for the vulnerability. IT professionals who are familiar with the configuration of their systems and networks can use this tool or can find more details below.

  • Step 1: Determine if you have an Intel® AMT, Intel® SBA, or Intel® ISM capable system: https://communities.intel.com/docs/DOC-5693. If you determine that you do not have an Intel® AMT, Intel® SBA, or Intel® ISM capable system, then no further action is required.

  • Step 2: Utilize the Detection Guide to assess if your system has the impacted firmware: https://downloadcenter.intel.com/download/26755. If you do have a version in the “Resolved Firmware” column, no further action is required to secure your system from this vulnerability.

  • Step 3: Intel recommends checking with your system OEM for updated firmware. Firmware versions that resolve the issue have a four-digit build number that starts with a “3” (X.X.XX.3XXX), e.g. 8.1.71.3608.

  • Step 4: If a firmware update is not available from your OEM, follow Intel’s Mitigation Guide: https://downloadcenter.intel.com/download/26754

  • For assistance in implementing the mitigation steps provided in this document, please contact Intel Customer Support; from the Technologies section, select Intel® Active Management Technology (Intel® AMT).
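
As an added example (not part of the ASUS or Intel advisory), the version rules from Steps 2 and 3 can be applied to a fleet inventory to decide which machines still need an ME firmware update. The minimum versions are copied from the Product Impact tables below; the `host,model,me_version` line format, the hostnames and the function names are assumptions made for illustration.

```python
import re

# Branches listed as affected: 6.x-10.x plus 11.0, 11.5 and 11.6.
AFFECTED_11_MINORS = {0, 5, 6}

# "Minimum ME FW required for fix" for a few models, copied from the
# Product Impact tables; extend with the models in your own fleet.
ASUS_MINIMUM = {
    "D830MT": "11.6.12.3202",
    "D820MT": "11.0.18.3003",
    "BM1AE": "9.1.41.3024",
    "B400AV": "8.1.71.3608",
}

def parse(version):
    """Split 'X.X.XX.XXXX' into a tuple of ints; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"not an ME firmware version: {version!r}")
    return tuple(int(part) for part in m.groups())

def triage(model, version):
    """Classify one machine using the rules from Steps 2 and 3."""
    v = parse(version)
    major, minor = v[0], v[1]
    if not (6 <= major <= 10 or (major == 11 and minor in AFFECTED_11_MINORS)):
        return "outside affected branches"
    build = version.strip().rsplit(".", 1)[1]
    if not (len(build) == 4 and build.startswith("3")):
        return "update required"  # build number does not start with "3"
    minimum = ASUS_MINIMUM.get(model)
    if minimum and v < parse(minimum):
        return "below ASUS minimum"  # resolved build, but older than the table
    return "resolved"

def triage_inventory(lines):
    """Map hostname -> status for 'host,model,me_version' lines."""
    report = {}
    for line in lines:
        host, model, version = (f.strip() for f in line.split(","))
        try:
            report[host] = triage(model, version)
        except ValueError:
            report[host] = "unparseable version"
    return report

# Constructed sample inventory (hostnames are made up, versions illustrative).
SAMPLE = ["pc-01,D830MT,11.6.12.3202", "pc-02,D820MT,11.0.12.1010",
          "nb-03,B400AV,8.1.71.3608", "pc-04,D830MT,11.0.18.3003",
          "pc-05,BM1AE,unknown"]
```

Machines reported as "unparseable version" should be checked by hand rather than assumed safe.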

Product Impact

Commercial Desktops

| Product | Impact | Minimum ME FW required for fix | Target available date | ME tool Link to download | Last updated |
|---|---|---|---|---|---|
| ASUSPRO D830MT | Affected | 11.6.12.3202 | Available | http://dlcdnet.asus.com/pub/ASUS/Desktop/ME_Update/MEUpdate_KabyLake_V1010.zip?_ga=2.1323638.677128072.1497248581-692794007.1496988959 | 6/12/2017 |
| ASUSPRO D831MT | Affected | 11.6.12.3202 | Available | http://dlcdnet.asus.com/pub/ASUS/Desktop/ME_Update/MEUpdate_KabyLake_V1010.zip?_ga=2.4820915.102592114.1497425741-40071407.1491613400 | 6/12/2017 |
| ASUSPRO MD800 | Affected | 11.6.12.3202 | Available | http://dlcdnet.asus.com/pub/ASUS/Desktop/ME_Update/MEUpdate_KabyLake_V1010.zip?_ga=2.4820915.102592114.1497425741-40071407.1491613400 | 6/12/2017 |
| ASUSPRO D830SF | Affected | 11.6.12.3202 | Available | http://dlcdnet.asus.com/pub/ASUS/Desktop/ME_Update/MEUpdate_KabyLake_V1010.zip?_ga=2.5869491.102592114.1497425741-40071407.1491613400 | 6/12/2017 |
| ASUSPRO SD800 | Affected | 11.6.12.3202 | Available | http://dlcdnet.asus.com/pub/ASUS/Desktop/ME_Update/MEUpdate_KabyLake_V1010.zip?_ga=2.5869491.102592114.1497425741-40071407.1491613400 | 6/12/2017 |
| ASUSPRO D630MT | Affected | 11.6.12.3202 | Available | http://dlcdnet.asus.com/pub/ASUS/Desktop/ME_Update/MEUpdate_KabyLake_V1010.zip?_ga=2.50505385.102592114.1497425741-40071407.1491613400 | 6/12/2017 |
| ASUSPRO D631MT | Affected | 11.6.12.3202 | Available | http://dlcdnet.asus.com/pub/ASUS/Desktop/ME_Update/MEUpdate_KabyLake_V1010.zip?_ga=2.80913303.102592114.1497425741-40071407.1491613400 | 6/12/2017 |
| ASUSPRO MD590 | Affected | 11.6.12.3202 | Available | http://dlcdnet.asus.com/pub/ASUS/Desktop/ME_Update/MEUpdate_KabyLake_V1010.zip?_ga=2.80913303.102592114.1497425741-40071407.1491613400 | 6/12/2017 |
| ASUSPRO D630SF | Affected | 11.6.12.3202 | Available | http://dlcdnet.asus.com/pub/ASUS/Desktop/ME_Update/MEUpdate_KabyLake_V1010.zip?_ga=2.50515625.102592114.1497425741-40071407.1491613400 | 6/12/2017 |
| ASUSPRO SD590 | Affected | 11.6.12.3202 | Available | http://dlcdnet.asus.com/pub/ASUS/Desktop/ME_Update/MEUpdate_KabyLake_V1010.zip?_ga=2.50515625.102592114.1497425741-40071407.1491613400 | 6/12/2017 |
| ASUSPRO D820MT | Affected | 11.0.18.3003 | Available | Please update BIOS to 0701 or later. | 8/1/2017 |
| ASUSPRO BM2CE | Affected | 11.0.18.3003 | Available | Please update BIOS to 0701 or later. | 8/1/2017 |
| ASUSPRO BM3CE | Affected | 11.0.18.3003 | Available | Please update BIOS to 0701 or later. | 8/1/2017 |
| ASUSPRO MD790 | Affected | 11.0.18.3003 | Available | Please update BIOS to 0701 or later. | 8/1/2017 |
| ASUSPRO D820SF | Affected | 11.0.18.3003 | Available | Please update BIOS to 0701 or later. | 8/1/2017 |
| ASUSPRO SD790 | Affected | 11.0.18.3003 | Available | Please update BIOS to 0701 or later. | 8/1/2017 |
| ASUSPRO D620MT | Affected | 11.0.18.3003 | Available | Please update BIOS to 0701 or later. | 8/1/2017 |
| ASUSPRO BM2CF | Affected | 11.0.18.3003 | Available | Please update BIOS to 0701 or later. | 8/1/2017 |
| ASUSPRO BM3CF | Affected | 11.0.18.3003 | Available | Please update BIOS to 0701 or later. | 8/1/2017 |
| ASUSPRO MD580 | Affected | 11.0.18.3003 | Available | Please update BIOS to 0701 or later. | 8/1/2017 |
| ASUSPRO D620SF | Affected | 11.0.18.3003 | Available | Please update BIOS to 0701 or later. | 8/1/2017 |
| ASUSPRO SD580 | Affected | 11.0.18.3003 | Available | Please update BIOS to 0701 or later. | 8/1/2017 |
| ASUSPRO D520MT | Not affected | | | | 5/10/2017 |
| ASUSPRO BM2CD | Not affected | | | | 5/10/2017 |
| ASUSPRO D521MT | Not affected | | | | 5/10/2017 |
| ASUSPRO MD330 | Not affected | | | | 5/10/2017 |
| ASUSPRO SD330 | Not affected | | | | 5/10/2017 |
| ASUSPRO D520SF | Not affected | | | | 5/10/2017 |
| ASUSPRO BP1CD | Not affected | | | | 5/10/2017 |
| ASUSPRO D320MT | Not affected | | | | 5/10/2017 |
| ASUSPRO BM5CD | Not affected | | | | 5/10/2017 |
| ASUSPRO D320SF | Not affected | | | | 5/10/2017 |
| ASUSPRO BP2CD | Not affected | | | | 5/10/2017 |
| ASUSPRO BM1AE | Affected | 9.1.41.3024 | Available | http://dlcdnet.asus.com/pub/ASUS/Desktop/ME_Update/MEUpdate_Haswell_V1013.zip?_ga=2.86095000.1493978173.1501489671-692794007.1496988959 | 8/1/2017 |
| ASUSPRO BM6AE | Affected | 9.1.41.3024 | Available | http://dlcdnet.asus.com/pub/ASUS/Desktop/ME_Update/MEUpdate_Haswell_V1013.zip?_ga=2.86095000.1493978173.1501489671-692794007.1496988959 | 8/1/2017 |
| ASUSPRO MD780 | Affected | 9.1.41.3024 | Available | http://dlcdnet.asus.com/pub/ASUS/Desktop/ME_Update/MEUpdate_Haswell_V1013.zip?_ga=2.86095000.1493978173.1501489671-692794007.1496988959 | 8/1/2017 |
| ASUSPRO BP1AE | Affected | 9.1.41.3024 | Available | http://dlcdnet.asus.com/pub/ASUS/Desktop/ME_Update/MEUpdate_Haswell_V1013.zip?_ga=2.86095000.1493978173.1501489671-692794007.1496988959 | 8/1/2017 |
| ASUSPRO SD780 | Affected | 9.1.41.3024 | Available | http://dlcdnet.asus.com/pub/ASUS/Desktop/ME_Update/MEUpdate_Haswell_V1013.zip?_ga=2.86095000.1493978173.1501489671-692794007.1496988959 | 8/1/2017 |
| ASUSPRO D810MT | Affected | 9.1.41.3024 | Available | http://dlcdnet.asus.com/pub/ASUS/Desktop/ME_Update/MEUpdate_Haswell_V1013.zip?_ga=2.86095000.1493978173.1501489671-692794007.1496988959 | 8/1/2017 |
| ASUSPRO BM1AF | Affected | 9.1.41.3024 | Available | http://dlcdnet.asus.com/pub/ASUS/Desktop/ME_Update/MEUpdate_Haswell_V1013.zip?_ga=2.86095000.1493978173.1501489671-692794007.1496988959 | 8/1/2017 |
| ASUSPRO BM6AF | Affected | 9.1.41.3024 | Available | http://dlcdnet.asus.com/pub/ASUS/Desktop/ME_Update/MEUpdate_Haswell_V1013.zip?_ga=2.86095000.1493978173.1501489671-692794007.1496988959 | 8/1/2017 |
| ASUSPRO MD570 | Affected | 9.1.41.3024 | Available | http://dlcdnet.asus.com/pub/ASUS/Desktop/ME_Update/MEUpdate_Haswell_V1013.zip?_ga=2.86095000.1493978173.1501489671-692794007.1496988959 | 8/1/2017 |
| ASUSPRO BP1AF | Affected | 9.1.41.3024 | Available | http://dlcdnet.asus.com/pub/ASUS/Desktop/ME_Update/MEUpdate_Haswell_V1013.zip?_ga=2.86095000.1493978173.1501489671-692794007.1496988959 | 8/1/2017 |
| ASUSPRO SD570 | Affected | 9.1.41.3024 | Available | http://dlcdnet.asus.com/pub/ASUS/Desktop/ME_Update/MEUpdate_Haswell_V1013.zip?_ga=2.86095000.1493978173.1501489671-692794007.1496988959 | 8/1/2017 |
| ASUSPRO BM1AD | Not affected | | | | 5/10/2017 |
| ASUSPRO BP1AD | Not affected | | | | 5/10/2017 |
| ASUSPRO SD310 | Not affected | | | | 5/10/2017 |
| ASUSPRO BM6AD | Not affected | | | | 5/10/2017 |
| ASUSPRO MD310 | Not affected | | | | 5/10/2017 |

Commercial All-in-Ones

| Product | Impact | Minimum ME FW required for fix | Target available date | ME Tool Download Link | Last updated |
|---|---|---|---|---|---|
| ASUSPRO A4321 | Affected | 11.6.12.3202 | Available | http://dlcdnet.asus.com/pub/ASUS/Desktop/ME_Update/MEUpdate_SkyLake_V1011.zip?_ga=2.142200882.1493978173.1501489671-692794007.1496988959 | 8/1/2017 |
| ASUSPRO A6421 | Affected | 11.6.12.3202 | Available | http://dlcdnet.asus.com/pub/ASUS/Desktop/ME_Update/MEUpdate_SkyLake_V1011.zip?_ga=2.142200882.1493978173.1501489671-692794007.1496988959 | 8/1/2017 |
| ASUSPRO A4110 | Not affected | | | | 5/10/2017 |

Commercial Notebooks

| Product | Impact | Minimum ME FW required for fix | Target available date | ME Tool Download Link | Last updated |
|---|---|---|---|---|---|
| ASUSPRO B400AV | Affected | 8.1.71.3608 | 6/23/2017 | | 5/10/2017 |
| ASUSPRO B551LGV | Affected | 9.5.61.3012 | 6/23/2017 | | 5/10/2017 |
| ASUSPRO B451JAV | Affected | 9.1.41.3024 | Available | http://dlcdnet.asus.com/pub/ASUS/nb/B451JAV/MEUpdate_Haswell_V1014.zip?_ga=2.149260022.1506985165.1501830577-1393964950.1447032840 | 8/1/2017 |
| ASUSPRO BU401LAV | Affected | 9.5.61.3012 | 6/23/2017 | | 5/10/2017 |
| ASUSPRO BU201LAV | Affected | 9.5.61.3012 | 6/23/2017 | | 5/10/2017 |
| ASUSPRO BU403UAV | Affected | 11.0.18.3003 | Available | http://dlcdnet.asus.com/pub/ASUS/Commercial_NB/B9440UAV/MEUpdate_KabyLake_V1012.zip?_ga=2.181692007.1506985165.1501830577-1393964950.1447032840 | 8/1/2017 |
| ASUSPRO BU203UAV | Affected | 11.0.18.3003 | Available | http://dlcdnet.asus.com/pub/ASUS/Commercial_NB/B9440UAV/MEUpdate_KabyLake_V1012.zip?_ga=2.181692007.1506985165.1501830577-1393964950.1447032840 | 8/1/2017 |
| ASUSPRO B9440UAV | Affected | 11.6.12.3202 | Available | http://dlcdnet.asus.com/pub/ASUS/Commercial_NB/B9440UAV/MEUpdate_KabyLake_V1012.zip?_ga=2.181692007.1506985165.1501830577-1393964950.1447032840 | 8/1/2017 |