Intel CSME / SPS and TXE Vulnerabilities - US

Lenovo Security Advisory: LEN-22810

Potential Impact: Elevation of privilege, information disclosure, denial of service

Severity: High

Scope of Impact: Industry-wide

CVE Identifier: CVE-2018-3655, CVE-2018-3657, CVE-2018-3658, CVE-2018-3659, CVE-2018-3616

Summary Description: Intel has disclosed multiple Converged Security and Management Engine (CSME) / Server Platform Services (SPS) and Trusted Execution Environment (TXE) vulnerabilities, allowing an attacker to potentially expose information stored by CSME, change CSME / SPS data or settings, execute code on CSME, and deny service via network access. Please see the Intel security advisories referenced below for details.

Mitigation Strategy for Customers (what you should do to protect yourself): All CSME / SPS and TXE fixes are rolled-up into firmware packages for each model. Intel recommends upgrading to the CSME or SPS firmware to the version (or newer) indicated for your model in the Product Impact section below.

Product Impact: