A flaw was discovered by researchers at Positive Technologies in the security of two of the four cryptographic keys ME uses to store sensitive data. If this story seems a bit familiar, it is: the same organisation found a previous 2017 weakness in the same Intel ME system that affected all four keys, which itself capitalised on an even older discovery.
If this is starting to sound involved, what matters is the effect: the ability to compromise and generally mess around with files stored by ME, including the key used to secure the default admin password that protects remote access to ME itself.
Identified as CVE-2018-3655, and with updates now released, the issue affects firmware versions 11.0 through 11.8.50; 11.10 through 11.11.50; 11.20 through 11.21.51; Intel Server Platform Services firmware version 4.0 (on Purley and Bakerville only); and Intel TXE version 3.0 through 3.1.50.
In its advisory, Intel recommends administrators contact their system or motherboard manufacturer to obtain an update that addresses this vulnerability.