Intel® Active Management Technology ROBOT TLS Issue Support Information (Intel SA-00141)

000028986

02/04/2020

Intel® has been notified of an issue with the Intel® Active Management Technology firmware.

This issue may allow an unauthenticated attacker to perform remote eavesdropping or man-in-the-middle attacks on out-of-band (OOB) network communication to and from Intel® AMT over a TLS encrypted channel.

This issue affects Intel® Management Engine (Intel® ME) and Intel® Converged Security and Management Engine (Intel® CSME) 2.x/3.x/4.x/5.x/6.x/7.x/8.x/9.x/10.x/11.x/12.0 with Intel® AMT used in corporate PCs and workstations. These firmware versions may be found on certain products:

  • Intel® Core™ 2 and Intel® Centrino™ 2
  • 1st, 2nd, 3rd, 4th, 5th, 6th, 7th, and 8th Generation Intel® Core™ Processor Family
  • Intel® Xeon® Processor E3-1200 v1, v2, v3, v4, v5, and v6 Product Family
  • Intel® Xeon® Processor Scalable Family (Purley Workstation)
  • Intel® Xeon® Processor W Family (Basin Falls Workstation)

Intel has implemented and validated an Intel ME/CSME firmware update that addresses the vulnerability. We've released the updated firmware to system and motherboard manufacturers.

The following Intel ME or Intel CSME versions no longer contain the identified vulnerabilities:

  • Intel® CSME 12.0.6 and higher
  • Intel® CSME 11.8.55 and higher
  • Intel® CSME 11.11.55 and higher
  • Intel® CSME 11.21.55 and higher
  • Intel® ME 10.0.60 and higher
  • Intel® ME 9.5.65 and higher
  • Intel® ME 9.1.45 and higher

Note: The Intel® Management Engine (Intel® ME) firmware for the following products is no longer supported. These products won't receive a firmware update: Intel® Core™ 2 Duo vPro™, Intel® Centrino™ 2 vPro™, 1st Generation Intel® Core™, 2nd Generation Intel® Core™, and 3rd Generation Intel® Core™.

Contact your system or motherboard manufacturer to obtain an Intel ME/Intel CSME firmware update or BIOS update that addresses this vulnerability. Intel cannot provide updates for systems or motherboards from other manufacturers.

Frequently Asked Questions

What are the Vulnerability Descriptions, Common Vulnerabilities and Exposures (CVE) Number, and Common Vulnerability Scoring System (CVSS) information for the identified vulnerabilities associated with Intel ME?
Does Intel® Active Management Technology or Intel® Standard Manageability Technology need to be enabled and provisioned to be vulnerable to these CVEs?
  • Yes. Intel® Active Management Technology or Intel® Standard Manageability Technology must be enabled and provisioned in TLS mode for a system to be vulnerable to these CVEs.
How can I view the ME/CSME version to determine if I'm impacted by this vulnerability?
  • Option 1: Restart your system and access the system BIOS. ME/CSME firmware information may be available in the BIOS information screens. Contact your system manufacturer for assistance.
  • Option 2: Download the Intel SA-00125 Detection tool from Download Center. Extract the tool and run the Intel-SA-00125-GUI.EXE program. Check the ME Info section of the output for the ME version number (example below).

    Intel(R) ME Information
    Engine: Intel(R) Management Engine
    Version: 11.6.29.3287
    SVN: 1
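
The version check described above can be scripted across many machines. The following is an added Python example, not Intel's tool or code: it parses text laid out like the sample output above and compares the version against the fixed builds listed on this page. The function names are hypothetical, and matching each version to the list by its major.minor branch is an assumption of this example.

```python
import re

# Fixed builds listed on this page, keyed by (major, minor) branch -> minimum
# third version field. Reading the list per branch is an assumption of this example.
FIXED = {(12, 0): 6, (11, 8): 55, (11, 11): 55, (11, 21): 55,
         (10, 0): 60, (9, 5): 65, (9, 1): 45}
NEWEST = max(FIXED)  # (12, 0), the newest branch on the list

# The sample output shown on this page.
SAMPLE = """\
Intel(R) ME Information
Engine: Intel(R) Management Engine
Version: 11.6.29.3287
SVN: 1
"""

def parse_me_version(report):
    """Return the version on the line after 'Engine:' as a 4-tuple of ints."""
    m = re.search(r"Engine:[^\n]*\n\s*Version:\s*(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?",
                  report)
    if not m:
        raise ValueError("no ME/CSME version found in report")
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def classify(version):
    """Return 'fixed', 'update-needed' or 'branch-not-listed'."""
    major, minor, third = version[:3]
    branch = (major, minor)
    if branch in FIXED:
        return "fixed" if third >= FIXED[branch] else "update-needed"
    if branch > NEWEST:
        # Assumption: "12.0.6 and higher" also covers branches newer than 12.0.
        return "fixed"
    # No fixed build is listed for this branch, and this example does not
    # compare across branches (e.g. 11.6.29 against 11.8.55).
    return "branch-not-listed"

if __name__ == "__main__":
    v = parse_me_version(SAMPLE)
    print(".".join(map(str, v)), "->", classify(v))
```

A `branch-not-listed` result, which is what the sample version 11.6.29.3287 produces, means this page gives no fixed build to compare against, so the answer has to come from the system or motherboard manufacturer.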

I have a system or motherboard manufactured by Intel (Intel® NUC, Intel® Mini PC, Intel® Server, Intel® Desktop Board) that is showing as vulnerable. What do I do?
  • Go to the Support homepage and Choose your product. You'll be able to check for BIOS or firmware updates for your system.
I built my computer from components. I don't have a system manufacturer to contact. What do I do?
  • Contact the manufacturer of the motherboard you purchased to build your system. They're responsible for distributing the correct BIOS or firmware update for the motherboard.