-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.1991.2
       2020.1 IPU - Intel® CSME, SPS, TXE, AMT, ISM and DAL Advisory
                               19 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Intel CSME
                   Intel SPS
                   Intel TXT
                   Intel AMT
                   Intel ISM
                   Intel DAL
Publisher:         Intel
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Virtualisation
                   Network Appliance
Impact/Access:     Increased Privileges     -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-8674 CVE-2020-0597 CVE-2020-0596
                   CVE-2020-0595 CVE-2020-0594 CVE-2020-0586
                   CVE-2020-0566 CVE-2020-0545 CVE-2020-0542
                   CVE-2020-0541 CVE-2020-0540 CVE-2020-0539
                   CVE-2020-0538 CVE-2020-0537 CVE-2020-0536
                   CVE-2020-0535 CVE-2020-0534 CVE-2020-0533
                   CVE-2020-0532 CVE-2020-0531 

Original Bulletin: 
   https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00295.html

Revision History:  June 19 2020: Vendor updated advisory with CVE ID mapping details
                   June 10 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Intel ID:                INTEL-SA-00295
Advisory Category:       Firmware, Software
Impact of vulnerability: Escalation of Privilege, Denial of Service, Information Disclosure
Severity rating :        CRITICAL
Original release:        06/09/2020
Last revised:            06/18/2020

Summary:

Potential security vulnerabilities in Intel Converged Security and
Manageability Engine (CSME), Intel Server Platform Services (SPS), Intel
Trusted Execution Engine (TXE), Intel Active Management Technology (AMT), Intel
Standard Manageability (ISM) and Intel Dynamic Application Loader (DAL) may
allow escalation of privilege, denial of service or information disclosure.
Intel is releasing firmware and software updates to mitigate these potential
vulnerabilities.

Vulnerability Details:

CVEID: CVE-2020-0594

Description: Out-of-bounds read in IPv6 subsystem in Intel(R) AMT and Intel(R)
ISM versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an
unauthenticated user to potentially enable escalation of privilege via network
access.

CVSS Base Score: 9.8 Critical

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVEID: CVE-2020-0595

Description: Use after free in IPv6 subsystem in Intel(R) AMT and Intel(R) ISM
versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an
unauthenticated user to potentially enable escalation of privilege via network
access.

CVSS Base Score: 9.8 Critical

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVEID: CVE-2020-0586

Description: Improper initialization in subsystem for Intel(R) SPS versions
before SPS_E3_04.01.04.109.0 and SPS_E3_04.08.04.070.0 may allow an
authenticated user to potentially enable escalation of privilege and/or denial
of service via local access.

CVSS Base Score: 8.4 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

CVEID: CVE-2020-0542

Description: Improper buffer restrictions in subsystem for Intel(R) CSME
versions before 12.0.64, 13.0.32, 14.0.33 and 14.5.12 may allow an
authenticated user to potentially enable escalation of privilege, information
disclosure or denial of service via local access.

CVSS Base Score: 7.8 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVEID: CVE-2020-0596

Description: Improper input validation in DHCPv6 subsystem in Intel(R) AMT and
Intel(R) ISM versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow
an unauthenticated user to potentially enable information disclosure via
network access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVEID: CVE-2020-0538

Description: Improper input validation in subsystem for Intel(R) AMT versions
before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an unauthenticated
user to potentially enable denial of service via network access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVEID: CVE-2020-0534

Description: Improper input validation in the DAL subsystem for Intel(R) CSME
versions before 12.0.64, 13.0.32, 14.0.33 and 14.5.12 may allow an
unauthenticated user to potentially enable denial of service via network
access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVEID: CVE-2020-0533

Description: Reversible one-way hash in Intel(R) CSME versions before 11.8.76,
11.12.77 and 11.22.77 may allow a privileged user to potentially enable
escalation of privilege, denial of service or information disclosure via local
access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2020-0566

Description: Improper Access Control in subsystem for Intel(R) TXE versions
before 3.175 and 4.0.25 may allow an unauthenticated user to potentially enable
escalation of privilege via physical access.

CVSS Base Score: 7.3 High

CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CVEID: CVE-2020-0532

Description: Improper input validation in subsystem for Intel(R) AMT versions
before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an unauthenticated
user to potentially enable denial of service or information disclosure via
adjacent access.

CVSS Base Score: 7.1 High

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

CVEID: CVE-2020-0541

Description: Out-of-bounds write in subsystem for Intel(R) CSME versions before
12.0.64, 13.0.32, 14.0.33 and 14.5.12 may allow a privileged user to
potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVEID: CVE-2020-0597

Description: Out-of-bounds read in IPv6 subsystem in Intel(R) AMT and Intel(R)
ISM versions before 14.0.33 may allow an unauthenticated user to potentially
enable denial of service via network access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CVEID: CVE-2020-0531

Description: Improper input validation in Intel(R) AMT versions before 11.8.77,
11.12.77, 11.22.77 and 12.0.64 may allow an authenticated user to potentially
enable information disclosure via network access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVEID: CVE-2020-0535

Description: Improper input validation in Intel(R) AMT versions before 11.8.76,
11.12.77, 11.22.77 and 12.0.64 may allow an unauthenticated user to potentially
enable information disclosure via network access.

CVSS Base Score: 5.3 Medium

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVEID: CVE-2020-0540

Description: Insufficiently protected credentials in Intel(R) AMT versions
before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an unauthenticated
user to potentially enable information disclosure via network access.

CVSS Base Score: 5.3 Medium

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

CVEID: CVE-2020-0536

Description: Improper input validation in the DAL subsystem for Intel(R) CSME
versions before 11.8.77, 11.12.77, 11.22.77, 12.0.64, 13.0.32,14.0.33 and Intel
TXE versions before 3.1.75 and 4.0.25 may allow an unauthenticated user to
potentially enable information disclosure via network access.

CVSS Base Score: 5.3 Medium

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVEID: CVE-2020-0537

Description: Improper input validation in subsystem for Intel(R) AMT versions
before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow a privileged user to
potentially enable denial of service via network access.

CVSS Base Score: 4.9 Medium

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

CVEID: CVE-2020-0545

Description: Integer overflow in subsystem for Intel(R) CSME versions before
11.8.77, 11.12.77, 11.22.77 and Intel TXE versions before 3.1.75, 4.0.25 and
Intel(R) Server Platform Services (SPS) versions before SPS_E5_04.01.04.380.0,
SPS_SoC-X_04.00.04.128.0, SPS_SoC-A_04.00.04.211.0, SPS_E3_04.01.04.109.0,
SPS_E3_04.08.04.070.0 may allow a privileged user to potentially enable denial
of service via local access.

CVSS Base Score: 4.4 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

CVEID: CVE-2020-8674

Description: Out-of-bounds read in DHCPv6 subsystem in Intel(R) AMT and Intel
(R) ISM versions before 11.8.77, 11.12.77, 11.22.77, 12.0.64 and 14.0.33 may
allow an unauthenticated user to potentially enable information disclosure via
network access.

CVSS Base Score: 4.3 Medium

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVEID: CVE-2020-0539

Description: Path traversal in subsystem for Intel(R) DAL software for Intel(R)
CSME versions before 11.8.77, 11.12.77, 11.22.77, 12.0.64, 13.0.32, 14.0.33 and
Intel(R) TXE versions before 3.1.75, 4.0.25 may allow an unprivileged user to
potentially enable denial of service via local access.

CVSS Base Score: 3.3 Low

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Affected Products:

Intel CSME Versions 11.0through 11.8.76, 11.10through 11.12.76, 11.20through
11.22.76, 12.0through 12.0.63, 13.0through 13.0.31, 14.0through 14.0.32,
14.5.11.

Intel CSME, Intel AMT, Intel ISM, Intel DAL and Intel DAL Software before
versions 11.8.77, 11.12.77, 11.22.77, 12.0.64, 13.0.32, 14.0.33, 14.5.12:

+--------------------------------------------+--------------------------------------------+
|Updated Version                             |Replaces Version                            |
+--------------------------------------------+--------------------------------------------+
|11.8.77                                     |11.0through 11.8.76                         |
+--------------------------------------------+--------------------------------------------+
|11.11.77                                    |11.10through 11.11.76                       |
+--------------------------------------------+--------------------------------------------+
|11.22.77                                    |11.20through 11.22.76                       |
+--------------------------------------------+--------------------------------------------+
|12.0.64                                     |12.0through 12.0.63                         |
+--------------------------------------------+--------------------------------------------+
|13.0.32 or higher                           |13.0.31                                     |
+--------------------------------------------+--------------------------------------------+
|14.0.33 or higher                           |14.0.32                                     |
+--------------------------------------------+--------------------------------------------+
|14.5.12 or higher                           |14.5.11                                     |
+--------------------------------------------+--------------------------------------------+

Intel Server Platform Services firmware before versions SPS_E5_04.01.04.380.0,
SPS_SoC-X_04.00.04.128.0, SPS_SoC-A_04.00.04.211.0, SPS_E3_04.01.04.109.0,
SPS_E3_04.08.04.070.0:

+--------------------------------------------+--------------------------------------------+
|Updated Version                             |Replaces Version                            |
+--------------------------------------------+--------------------------------------------+
|SPS_E5_04.01.04.380.0                       |SPS_E5_04.00.00.000.0 through               |
|                                            |                                            |
|                                            |SPS_E5_04.01.04.379.0                       |
+--------------------------------------------+--------------------------------------------+
|SPS_SoC-X_04.00.04.128.0                    |SPS_SoC-X_04.00.00.000.0 through            |
|                                            |                                            |
|                                            |SPS_SoC-X_04.00.04.127.0                    |
+--------------------------------------------+--------------------------------------------+
|SPS_SoC-A_04.00.04.211.0                    |SPS_SoC-A_04.00.00.000.0 through            |
|                                            |                                            |
|                                            |SPS_SoC-A_04.00.04.210.0                    |
+--------------------------------------------+--------------------------------------------+
|SPS_E3_04.01.04.109.0                       |SPS_E3_04.00.00.000.0 through               |
|                                            |                                            |
|                                            |SPS_E3_04.01.04.103.0                       |
+--------------------------------------------+--------------------------------------------+
|SPS_E3_04.08.04.070.0                       |SPS_E3_04.08.00.000.0 through               |
|                                            |                                            |
|                                            |SPS_E3_04.08.04.065.0                       |
+--------------------------------------------+--------------------------------------------+
|SPS_E5_04.01.04.380.0                       |SPS_E5_04.00.00.000.0 through               |
|                                            |                                            |
|                                            |SPS_E5_04.01.04.379.0                       |
+--------------------------------------------+--------------------------------------------+

Intel TXE:

+--------------------------------------------+--------------------------------------------+
|Updated Version                             |Replaces Version                            |
+--------------------------------------------+--------------------------------------------+
|3.1.75                                      |3.0through 3.1.70                           |
+--------------------------------------------+--------------------------------------------+
|4.0.25                                      |4.0through 4.0.20                           |
+--------------------------------------------+--------------------------------------------+

The following CVEs assigned by Intel, correspond to a subset of the CVEs
disclosed on 6/16/2020 as part of VU#257161 :

+--------------------------------------------+--------------------------------------------+
|Disclosed in INTEL-SA-00295                 |Disclosed in VU#257161                      |
+--------------------------------------------+--------------------------------------------+
|CVE-2020-0594                               |CVE-2020-11899                              |
|                                            |                                            |
|CVE-2020-0597                               |                                            |
+--------------------------------------------+--------------------------------------------+
|CVE-2020-0595                               |CVE-2020-11900                              |
+--------------------------------------------+--------------------------------------------+
|CVE-2020-8674                               |CVE-2020-11905                              |
+--------------------------------------------+--------------------------------------------+

The remaining CVEs disclosed in VU#257161 have been assessed and found to be
not applicable to Intel Products.

Note: Firmware versions of Intel ME 3.x thru 10.x, Intel TXE 1.x thru 2.x and
Intel Server Platform Services 1.x thru 2.X are no longer supported, thus were
not assessed for the vulnerabilities/CVEs listed in this Technical Advisory.
There is no new release planned for these versions.

Recommendations:

Intel recommends that users of Intel CSME, Intel SPS, Intel TXE, Intel AMT,
Intel ISM and Intel DAL update to the latest versions provided by the system
manufacturer that address these issues.

Acknowledgements:

Intel would like to thank Mark Ermolov, Dmitry Sklyarov from Positive
Technologies, and Maxim Goryachy (independent) (CVE-2020-0566), Eran Shimony
(CVE-2020-0539), Shlomi Oberman from JSOF (CVE-2020-8674), and an Intel Partner
(CVE-2020-0545) for reporting these issues. CVE-2020-0594, CVE-2020-0595,
CVE-2020-0596, and CVE-2020-0597 were also found externally.

The additional issues were found internally by Intel employees. Intel would
like to thank Arie Haenel, Chaya Vayzer, Moshe Wagner, Nir Ben Yosef, Piotr
Skierkowski, Yaakov Cohen, Yanai Moyal, and Yossef Kuszer.

Intel, and nearly the entire technology industry, follows a disclosure practice
called Coordinated Disclosure, under which a cybersecurity vulnerability is
generally publicly disclosed only after mitigations are available.

Revision History

Revision    Date               Description
1.0      06/09/2020 Initial Release
1.1      06/16/2020 Updated Acknowledgements
1.2      06/18/2020 Added CVE ID mapping to VU#257161

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXuwG4eNLKJtyKPYoAQj5kA//bzvg0Xu0l2OIMCC/CeHPj7Z2KKmDWSqH
cO64EHrFsSCtqiCpuSV1hkEZRgHK8bzvT4X7wOEc7crnk9FfMsWnCW7Uvm26QRYQ
dYHyvCA4zt1aFgysRNXnnNl8rTpneV2UwmCP2nHD9LJ6c3QAoz+58S3HkVkBSqD2
q/7Rxhlc6H9lAYhQSFgkQsaKOZPjEAwFc0YheoNz0LgZsjeePkQzsSNsOnbscf3i
r0Zf1N5rkpHvKxYKOY8D1sCidtC7bXJXVZFUWxYb0RryvYT9VPdOKu/t8zMUtg/G
tYezCjXZ/iyBpm7e7sbJJ1v9N0ZLAtFCi/VcTLJ7BXVDvaqbk4opiTZ4D92TkwwE
H5ThgQfxygXlMez37Uyl/VUWWhvA3/97PIG86yVcSqfk9uv7MNqRpbSMJz8dnD+G
Dlq2jDUVD6TfkBEo6fq+W5IkjvJAJXIFO6YBdWq7/ktAw0T0ab4navRiwJdkk2nI
4bxGS0Fd2NCJ+j9nd2C8Cr4f5Sa4twM+adT190ApfVORlH2cy2plQyJIi3wqsIIE
ysE706S//9lohyJOBmyThcL+OIPdo+LaOfzkeis7EBGLjnk6x1YJLTfD2TGb/Szi
H1F/3FS6Oe+MT7JuaGsNO9WMvX5i/QpqQgmGSeGjCBPqvdl5KnY3b4Grl++lQola
8DCq5I4znN4=
=oW5/
-----END PGP SIGNATURE-----