After doing an in-depth security review of their products, Intel found a pool of eight critical privilege escalation vulnerabilities affecting Intel Management Engine (ME), Trusted Execution Engine (TXE), and Server Platform Services (SPS), the company said.
By taking advantage of the bugs, an attacker could gain complete control of a target machine, crash the system or make it unstable, and run arbitrary code behind the back of the user or the OS. Thus, we can see that the claims made by the Russian researchers weren’t a publicity stunt.
According to the advisory, the vulnerabilities marked with severity level “important” affect the following Intel processors with Intel ME (versions 11.0/11.5/11.6/11.7/11.10/11.20), SPS Firmware version 4.0, and TXE version 3.0:
- 6th, 7th & 8th Generation Intel® Core™ Processor Family
- Intel® Xeon® Processor E3-1200 v5 & v6 Product Family
- Intel® Xeon® Processor Scalable Family
- Intel® Xeon® Processor W Family
- Intel® Atom® C3000 Processor Family
- Apollo Lake Intel® Atom Processor E3900 series
- Apollo Lake Intel® Pentium™
- Celeron™ N and J series Processors
The following hardware manufacturers have released the list of their laptops, desktops, and workstations which are affected by the critical vulnerabilities:
- Dell – 214 models (unpatched)
- Dell Server – 16 models (unpatched)
- Lenovo – 222 models (some models patched)
- Acer – 242 models (unpatched)
- Fujitsu – 165 models (unpatched)
- Intel – 34 (unpatched)
- HPE Server – Unknown (some models patched)
- Panasonic – 12 (unpatched)
In total, around 900 different models are affected, and the number of individual machines might be in the millions. If you aren’t sure whether your system is on the list of vulnerable devices, you can use the Intel-SA-00086 Detection Tool to check your Windows or Linux system.
Further, affected users can keep an eye on their vendors’ individual pages and on this Intel support page to see whether information from other vendors comes in.
Intel has released security patches for the recently disclosed vulnerabilities. But an uncountable number of machines remain at risk, as the manufacturers have yet to make the security patches available to users.
For more information about the Intel ME security bugs, you can read the security advisory using this link.