CVE-2018-3659

Vulnerability

An information disclosure vulnerability exists in the Intel Platform Trust Technology (PTT) module of the Intel Converged Security and Management Engine (CSME) firmware before version 12.0.5 and Intel Trusted Execution Engine (TXE) firmware before version 4.0. The vulnerability allows an unauthenticated user to potentially disclose sensitive information via physical access to the system. The flaw is present in the PTT implementation within the firmware [1].

Exploitation

The attacker requires physical access to the target system. No authentication is needed to exploit the vulnerability. The exact steps for exploitation are not detailed in the source, but the condition of physical access is the only prerequisite [1].

Impact

Successful exploitation leads to disclosure of information. The nature of the disclosed information (e.g., cryptographic keys, platform secrets) is not specified in the advisory. The attacker gains no additional privileges beyond reading potentially sensitive data accessible via the PTT module [1].

Mitigation

The vulnerability is fixed in Intel CSME firmware version 12.0.5 and Intel TXE firmware version 4.0. Users should update their firmware to these versions or later. Intel has released the advisory INTEL-SA-00142 detailing the update [1].