On May 1st 2017, Intel published a security advisory regarding a firmware vulnerability in certain systems that utilize Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM) or Intel® Small Business Technology (SBT). The vulnerability could enable a network attacker to remotely gain access to business PCs or devices that use these technologies.
There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology versions firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs with consumer firmware, Intel servers utilizing Intel® Server Platform Services (Intel® SPS), or Intel® Xeon® Processor E3 and Intel® Xeon® Processor E5 workstations utilizing Intel® SPS firmware.
There are two ways this vulnerability may be accessed, please note that Intel® Small Business Technology is only vulnerable to the second method:
Our customer's security is paramount, to that end Stone are working with key vendors to provide firmware updates which close this vulnerability as quickly as possible. Those updates will be able available to download from this article as soon as they are made available to us
Intel has released a discovery tool which will analyse your systems for the vulnerability.
1. Determine if you have an Intel® AMT, Intel® SBA, or Intel® ISM capable systems. If you determine that you do not have an Intel® AMT, Intel® SBA, or Intel® ISM capable system then no further action is required.
2. Utilize the INTEL-SA-00075 Detection Guide to assess if your system has the impacted firmware.
3. Stone highly recommends updating affected systems Management Engine (ME) firmware as soon as they become available. Please review the affected products section of this article for ME firmware update availability.
4. If a firmware update is not yet available, mitigations are provided by the INTEL-SA-00075 Mitigation Guide. It is recommended that unpatched systems should have the steps detailed in the mitgation guide applied to them until such time as an ME firmware update becomes available.
The issue has been observed in Intel manageability firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel® Active Management Technology, Intel® Small Business Technology, and Intel® Standard Manageability. Versions before 6 or after 11.6 are not impacted.
Where possible, updated BIOSes or patches for Management Engine Firmware are shown below. This article will be updated as more BIOSes or patches become available.
Note 1: Management Engine patches require a compatible, similar management engine version is already installed. For example, a system with a 2xxx Management Engine version will require the BIOS to be updated to include the 3xxx Management Engine version before then applying the patch. The Asus patch update utility may offer to attempt to do this for you by requesting the latest motherboard BIOS .CAP file. Please note that the Asus patches require that Intel Management Engine Components Driver is installed.
Note 2: Always check and test the update process, both in terms of resolving the issue, and also compatibility with your software images etc., before rolling this process out to your users on a wider scale.
Note 3: Windows patches, for example, for the Asus motherboards, that use the Intel Firmware Update Utility, may not run on Windows Server. In this instance, use the DOS patch.
StonePC Lite/Tower / All In One
Legacy Desktop Products
Further information regarding Intel's release schedule for their own branded desktop products can be found here.