An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM). An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT). This vulnerability does not affect Intel-based consumer PCs or Mac/Apple computers.
If AMT or ISM is provisioned, then the system is vulnerable to network attacks against this vulnerability; if neither AMT or ISM has been provisioned then only local logged-in users are potentially able to exploit the vulnerability to escalate privileges.
Encryption & TPM
If BitLocker encryption is in use then Microsoft recommends it be suspended prior to upgrading the firmware.
Guidance for non-technical users
Contact your Dept IT Support staff for assistance.
Ports used for network communications
TCP 623, 664, 16992, 16993, 16994, and 16995
The issue has been observed in Intel manageability firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability. Versions before 6 or after 11.6 are not impacted.
Step 1: Determine if you have an Intel AMT, Intel SBA, or Intel ISM capable system: https://communities.intel.com/docs/DOC-5693. If you determine that you do not have an Intel AMT, Intel SBA, or Intel ISM capable system then no further action is required.
Step 2: Utilize the Detection Guide to assess if your system has the impacted firmware: https://downloadcenter.intel.com/download/26755. If you do have a version in the “Resolved Firmware” column no further action is required to secure your system from this vulnerability.
Step 3: Intel highly recommends checking with your system OEM for updated firmware. Firmware versions that resolve the issue have a four digit build number that starts with a “3” (X.X.XX.3XXX) Ex: 126.96.36.19908.
Step 4: If a firmware update is not available from your OEM, mitigations for provided in this document: https://downloadcenter.intel.com/download/26754
If you have any further questions, contact firstname.lastname@example.org