Intel SA-00075 Security Bulletin - Intel Active Management Technology (AMT), Intel Standard Manageability (ISM) and Intel Small Business Technology

Article ID: 675
Last updated: 17 Aug, 2017
Revision: 35
Posted: 10 May, 2017
by Paul Watkins
Updated: 17 Aug, 2017
by Andrew Sharrad

On May 1st 2017, Intel published a security advisory regarding a firmware vulnerability in certain systems that utilize Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM) or Intel® Small Business Technology (SBT). The vulnerability could enable a network attacker to remotely gain access to business PCs or devices that use these technologies.


There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs with consumer firmware, Intel servers utilizing Intel® Server Platform Services (Intel® SPS), or Intel® Xeon® Processor E3 and Intel® Xeon® Processor E5 workstations utilizing Intel® SPS firmware.


There are two ways this vulnerability may be accessed. Please note that Intel® Small Business Technology is only vulnerable to the second method:

  • An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).
  • An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).

Threat level


  • A system with unpatched ME firmware, running the Intel Local Manageability Service, is affected, whether or not vPro is provisioned.
  • A system with unpatched ME firmware, with vPro provisioned, is affected, whether or not the Local Manageability Service is running.


Our customers' security is paramount. To that end, Stone are working with key vendors to provide firmware updates which close this vulnerability as quickly as possible. Those updates will be available to download from this article as soon as they are made available to us.

Intel has released a discovery tool which will analyse your systems for the vulnerability.


1. Determine if you have an Intel® AMT, Intel® SBA, or Intel® ISM capable system. If you determine that you do not have an Intel® AMT, Intel® SBA, or Intel® ISM capable system then no further action is required.

2. Utilize the INTEL-SA-00075 Detection Guide to assess if your system has the impacted firmware.

3. Stone highly recommends updating the Management Engine (ME) firmware of affected systems as soon as updates become available. Please review the affected products section of this article for ME firmware update availability.

  • Management Engine (ME) firmware versions that resolve the issue have a four-digit build number that starts with a “3” (X.X.XX.3XXX). Example:
  • After the BIOS or ME patch update, to completely mitigate any risks, any previously configured AMT functionality should be de-provisioned and then re-configured. This prevents any compromised machines from retaining "hacked" logins.

4. If a firmware update is not yet available, mitigations are provided by the INTEL-SA-00075 Mitigation Guide. It is recommended that unpatched systems have the steps detailed in the mitigation guide applied to them until an ME firmware update becomes available.

  • De-provision AMT
  • Fully disable the Local Management / Manageability Service within the operating system

Affected Products

The issue has been observed in Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel® Active Management Technology, Intel® Small Business Technology, and Intel® Standard Manageability. Versions before 6 or after 11.6 are not impacted.
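
The version range, the patched build-number rule and the threat-level conditions above can be applied to a fleet inventory in one pass. The following Python code is an added example, not code from Stone or Intel; the record fields (host, me_version, provisioned, lms_running), the status names and the sample inventory are assumptions constructed for illustration.

```python
import re

# Layout from the article: major.minor.hotfix.build (X.X.XX.3XXX).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")
MITIGATIONS = ["De-provision AMT", "Disable Local Manageability Service"]

def firmware_state(version):
    """Classify an ME firmware version string by the article's rules."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"  # unparseable input needs a manual check
    major, minor, build = int(m.group(1)), int(m.group(2)), m.group(4)
    # Impacted range per the article: 6.x up to and including 11.6.
    if not (6, 0) <= (major, minor) <= (11, 6):
        return "not-impacted"
    # Fixed firmware has a four-digit build number starting with "3".
    if len(build) == 4 and build.startswith("3"):
        return "patched"
    return "unpatched"

def assess(host):
    """Return (status, actions) for one inventory record."""
    state = firmware_state(host["me_version"])
    if state == "unknown":
        return "review", ["Confirm ME firmware version manually"]
    if state == "not-impacted":
        return state, []
    if state == "patched":
        # Previously configured AMT is de-provisioned and set up again.
        redo = ["De-provision and re-configure AMT"] if host["provisioned"] else []
        return state, redo
    # Unpatched: either condition alone makes the system affected.
    exposed = host["lms_running"] or host["provisioned"]
    actions = ["Update ME firmware when available"] + MITIGATIONS
    return ("affected" if exposed else "unpatched"), actions

# Constructed sample inventory; hosts and version strings are illustrative.
INVENTORY = [
    {"host": "pc-01", "me_version": "8.1.70.3608", "provisioned": True, "lms_running": True},
    {"host": "pc-02", "me_version": "11.6.20.1221", "provisioned": False, "lms_running": True},
    {"host": "pc-03", "me_version": "9.1.32.1002", "provisioned": True, "lms_running": False},
    {"host": "pc-04", "me_version": "11.8.50.3399", "provisioned": True, "lms_running": True},
    {"host": "pc-05", "me_version": "10.0.30.1054", "provisioned": False, "lms_running": False},
    {"host": "pc-06", "me_version": "not reported", "provisioned": False, "lms_running": False},
]

if __name__ == "__main__":
    for rec in INVENTORY:
        status, actions = assess(rec)
        print(f'{rec["host"]:6} {rec["me_version"]:14} {status:13} {"; ".join(actions)}')
```

Records that come back as "unpatched" meet neither threat-level condition but still carry the vulnerable firmware, so they receive the same update and mitigation actions as "affected" ones.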

Where possible, updated BIOSes or patches for Management Engine Firmware are shown below. This article will be updated as more BIOSes or patches become available.

Note 1: Management Engine patches require that a compatible, similar Management Engine version is already installed. For example, a system with a 2xxx Management Engine version will require the BIOS to be updated to include the 3xxx Management Engine version before the patch is applied. The Asus patch update utility may offer to attempt to do this for you by requesting the latest motherboard BIOS .CAP file. Please note that the Asus patches require that the Intel Management Engine Components Driver is installed.

Note 2: Always check and test the update process, both in terms of resolving the issue, and also compatibility with your software images etc., before rolling this process out to your users on a wider scale.

Note 3: Windows patches that use the Intel Firmware Update Utility (for example, those for the Asus motherboards) may not run on Windows Server. In this instance, use the DOS patch.

StonePC Lite/Tower / All In One

Product code / General BIOS Update Link | Motherboard model | Updated ME Download
BOAMOT-458 | Asus P8B75-M | (Asus Ivybridge) Windows Patch: 8.1.x.3608
BOAMOT-461 | Asus P8Q77-M |
 | Asus B85M-E | (Asus Haswell) Windows Patch: (updated 29/6/17 with improved update utility) DOS Patch:
 | Asus CS-B |
 | Asus Q87T |
 | Asus Q87M-E |
 | Asus B150M-A | (Asus Skylake / Kaby Lake) Windows Patch: DOS Patch:
 | Asus Q170M-C |
 | Asus Q170T |
 | Asus B150M-A/M.2 |
 | Asus B250M-A |
 | Asus Q270M-C |
ISRMOT-174 | Gigabyte MW50-SV0 | (Gigabyte C612 Xeon Workstation) BIOS R06 with patched Workstation / HEDT ME Firmware.

Legacy Desktop Products

Stock code | Motherboard model | Patched ME firmware

Windows Patch:
Windows Patch:
Windows Patch:

Further information regarding Intel’s release schedule for their own branded desktop products can be found here.

StonePC Micro

Stock code | Kit model | Motherboard model | Patched ME firmware

Windows BIOS:
Windows BIOS:

Stone Notebooks

Chassis Part Code | Notebook Model | Patched ME firmware

Not currently available, please follow mitigating actions.

Applies to:

  • Stone Desktop, Notebook and NUC products with Intel AMT (such as B or Q series chipsets),
