Intel has issued a critical update after discovering 10 vulnerabilities in its firmware, affecting a wide range of processors including the recently launched Xeon SP family.

The vulnerabilities (INTEL-SA-00086) allow the attacker to run third-party code on, or crash, PCs, servers and IoT devices that rely on particular versions of Intel Management Engine, Trusted Execution Engine or Server Platform Services.

The issue was investigated by Intel over the past three months, after being discovered by researchers from Positive Technologies in August.

– Thinkstock / tcareob72

Coordinated disclosure

“Based on the items identified through the comprehensive security review, an attacker could gain unauthorized access to platform, Intel ME feature, and 3rd party secrets protected by the Intel Management Engine (ME), Intel Server Platform Service (SPS), or Intel Trusted Execution Engine (TXE),” Intel said in an advisory.

Using flaws in the firmware code, an attacker could successfully impersonate ME, SPS and TXE services and gain access to almost all of the information exchanged between the processor and external devices. They could also load and execute arbitrary code without approval from the user or the operating system. Three of the vulnerabilities have been rated 8.2 out of 10 for severity.

The issue affects a wide range of silicon, including:

  • 6th, 7th, and 8th generation Intel Core Processor Family
  • Intel Xeon Processor E3-1200 v5 and v6 Product Family
  • Intel Xeon Processor Scalable Family
  • Intel Xeon Processor W Family
  • Intel Atom C3000 Processor Family
  • Apollo Lake Intel Atom Processor E3900 series
  • Apollo Lake Intel Pentium Processors
  • Intel Celeron N and J series Processors

The company has released a detection tool, designed to establish whether a particular system is vulnerable and should be patched as soon as possible.

“Intel would like to thank Mark Ermolov and Maxim Goryachy from Positive Technologies Research for working collaboratively with Intel on a coordinated disclosure,” the company said.