Computer giants Dell, Lenovo, and HP are in the process of preparing firmware updates to fix the eight flaws in Intel’s embedded CPU found in a variety of its chips.
Lenovo and Dell have published lists of PCs, laptops and servers affected by Intel’s hidden Management Engine and other bugs affecting Intel Trusted Execution Engine (TXE) and Server Platform Services (SPS).
Some the flaws would allow an attacker to run malware on Intel's hidden CPU and remain invisible to the operating system and any security products.
“An attacker could load and execute arbitrary code outside the visibility of the user, operating system, and hypervisor/virtualization platform; resulting in exfiltration of secrets, subtle manipulation of system operation, or denial of service,” Lenovo said in its advisory.
Intel said the firmware vulnerabilities may be present on a number of processor families, including Intel Core, Xeon, Atom, Pentium and Celeron. It also provided a detection tool to help Windows and Linux users identify whether their systems were vulnerable.
The chip company carried out an audit after researchers from security firm Positive Technologies discovered several bugs in Intel’s closed source ME. Intel disclosed some details about the bugs in an advisory on Monday, noting that PCs, servers and IoT devices could be affected.
In an update to its original advisory Intel said that its Intel NUC mini PC, Compute Stick, and Compute Card were affected. It plans to provide BIOS updates for these products that customers can download around mid-December, according to an advisory.
Lenovo's affected systems include ThinkPad and Yoga laptops, several desktops, all-in-one systems, ThinkStation towers, and some data centre equipment. The hardware maker is aiming to provide updates for 138 affected models by Friday, but there are dozens more it has confirmed at affected but does not have a target date for yet.
Dell has provided firmware updates for a number of its PowerEdge servers and says it is “diligently working to update the affected platforms”.
It’s also identified well over a hundred vulnerable products from its PC lineup, including the multiple Inspiron models, Alienware computers, Vostro, OptiPlex, and XPS laptops. It is yet to determine when firmware updates will be available but will update the advisory when they’re available.
HP said in a statement on Wednesday that it had worked with Intel to provide fixes that will be available on its website.
“Intel has identified a vulnerability in its Management Engine platform that impacts all its OEM partners. HP has worked with Intel to provide fixes for impacted systems that are available on HP.com," the company said.
Acer, Fujitsu, and Panasonic have also provided updates for affected systems.
The updates can be found at Intel’s advisory here.