[UPDATE 23.11.2017 11:20 CET] Intel has reached out and said that it has patched this problem and sent out the relevant updates to system manufacturers:
“Each system manufactuer will then follow their own process to disseminate these updates.”
[22.11.2017 17:46 CET]
Chip giant Intel is warning customers that it has discovered a vulnerability in the firmware of its Management Engine, Server Platform Services, and Trusted Execution Engine. In a security advisory, the company says an array of its processor ranges and products are left vulnerable.
Among the major Intel products affected at 6th, 7th, and 8th generation Intel Core processors. The company’s Xeon processors, Atom processors, Apollo Lake, and Celeron processors are also included.
In its advisory, Intel says the firmware versions of 11.0, 11.5, 11.7, 11.10, and 11.20 are compromised. Server Platform Engine firmware version 4.0, and Trusted Execution Engine version 3.0 are also impacted.
“In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of its Intel Management Engine (ME), Trusted Execution Engine (TXE), and Server Platform Services (SPS) with the objective of enhancing firmware resilience.
As a result, Intel has identified several security vulnerabilities that could potentially place impacted platforms at risk. Systems using ME Firmware versions 11.0/11.5/11.6/11.7/11.10/11.20, SPS Firmware version 4.0, and TXE version 3.0 are impacted.”
The vulnerabilities could allow hackers to access affected systems without user knowledge. In turn, this could open the door to attackers running malicious code without the operating system knowing. Other possible attacks could include changing local security or causing system crashes.
Responding to the Vulnerability
In response to the vulnerabilities, the company released a detection tool that works for Linux and all Windows versions from Windows 7. With this tool, users can run a scan to find out if their system is vulnerable.
Unfortunately, the tool will do nothing to solve a problem if one is found. Intel is offering no fix and instead says OEMs are tasked with releasing updates to patch any issues. It is hardly good news and it seems the company is washing its hands of the problem.