It seems that firmware vulnerabilities are just like buses, you wait for one and then several come along at once. You may have spotted this week that Intel has disclosed several security vulnerabilities in the Intel ME, Intel SPS, and TXE. This follows the recent ROCA vulnerability in Infineon Trusted Platform Modules (TPM).
Having recently published some updated guidance for managing firmware on mobile devices within an enterprise network, we thought that the news of these security vulnerabilities would serve as a useful reminder of the importance of automating firmware updates.
Why should you care?
The technologies in question provide advanced management and protection features in many Intel product families in both client and server devices. The affected components are key parts of a range of platform capabilities, including Intel Advanced Management Technology (AMT), Intel Authenticate, and Intel Platform Trust Technology. A successful compromise could therefore give attackers privileged access to a device, as well as compromising keys and credentials that are used to protect the platform.
Does it Affect You?
Intel have provided detailed information on impacted firmware versions and thus products that may be affected. In practice, the issues likely affect a wide range of devices including PCs, IoT devices, workstations and servers. Intel have also released a support guide and an associated tool that can help determine which systems are impacted. Manufacturers will also likely provide their own support information and Intel are providing links to these resources as they become available here.
What should you do?
Right now, the key message that we want to emphasise is that the most important first step to fix these issues is to install the necessary firmware updates.
If you’ve been following our recent blogs on the topic, you’ll know we recently spoke about how to automate UEFI firmware updates on Windows 10 platforms, as well as publishing further details within our end user devices guidance.
It is important to state, that as well as UEFI updates, manufacturers often package a range of firmware updates as part of a system firmware update, including for components such as the ME. Therefore, if you’re following our guidance already, updates should install automatically as per your patching process alongside updates for UEFI.
If you’ve not yet got around to enabling automatic firmware updates within your organisation, now is a great time to start planning to implement them. Have a look at our guidance, and see if you can deploy the required infrastructure to make it happen. If not, manufacturer released patches can be installed manually for supported devices. You should take steps to deploy these patches manually when they are available.
If the manufacturer chooses to provide these specific updates as a standalone tool, the techniques that we have discussed for automated deployment of UEFI updates should still apply equally well.
Conclusion
These vulnerabilities serve as a great example of the importance of firmware updates and the need for a strategy to be in place to automate them. If you are not already applying firmware updates within your organisation, maybe this is a good time to think about starting.
Mike H
Platform Security Researcher
Source: National Cyber Security Centre