• Intel Firmware Security Bulletin issued

    #146679

    Six months on from the initial vulnerability disclosure on Intel Management Engine, Intel have issued a follow-up disclosure today, on a firmware vuln [See the full post at: Intel Firmware Security Bulletin issued]

    Link to Code Red topic: Intel Identifies Security Vulnerabilities: ME, SPS, TXE

    • #146683

      My Fujitsu was not updated automatically. I had to run the Desk Update tool manually and then it offered the driver update, which I installed and then ran the Detection tool which now states I’m protected (except from Intel itself of course…).

      • #146736

        I would hope not to get firmware updates automatically. Nothing worse than “my computer is very slow something is wrong, I guess I need to force a power cycle”, “Oh wait a firmware update was happening, now my hardware is ruined”

    • #146769

      Much more serious when it attacks hardware flaws. Can inflict damage no matter what OS you run. In some ways glad I still run older CPUs not affected except for my SkyLake CPU in my laptop.

      • #146868

        Same here. I built my home computers in 2014, and I couldn’t afford the latest Intel CPUs. So, lucky me, my computers are not affected. All pass Intel’s tests for the ME vulnerabilities.

    • #146796

      Pardon me for being a bit confused here, but after reading which processors are affected I’m still head scratching.

      Can someone tell me if the i5-650 Clarkdale is vulnerable?

      • #146801

        6th, 7th & 8th Generation Intel® Core™ Processor Family are affected.
        Yours is a Legacy Intel Core Processor.
        See information here

        • #147059

          Ok, here’s a brief primer on how to tell just which generation your Intel Core® processor is.

          Most come with a designation such as i#-### or i#-####, where the # symbol is replaced by actual digits.

          For those that have just three digits after the i# and the dash (-), such as i5-750 or, to use the example from the post just above this one, i5-650, you have what Intel calls the Legacy processors for the Core line, and that’s also called the first generation, so you’re not affected by this vulnerability.

          For those whose processor number has four digits after the i#- part, the FIRST digit after the dash denotes the generation of your Core processor. So, an i3-2120, for example, would be a second generation Core processor, and so on.

          Basically, if you have a processor that’s any of the following sequences you might be vulnerable and you should use the tool that Intel has released for confirmation:

          i3-6###, 7### or 8###

          i5-6###, 7### or 8###

          i7-6###, 7### or 8###

          A link for Intel’s tool can be found in post 146683 a little ways above this one.
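The numbering rule from post #147059, written out as an added example (not part of the original post and not Intel's detection tool). The function names and status strings are hypothetical, the sample designations are constructed, and anything outside the `i#-###` / `i#-####` pattern the post describes is reported as unrecognized rather than guessed at.

```python
import re

# Matches the "i#-###" / "i#-####" designation described in post #147059,
# optionally followed by a one- or two-letter suffix such as K, U or HQ.
MODEL_RE = re.compile(r"\bi([357])-(\d{3,4})([A-Z]{0,2})\b", re.IGNORECASE)

# Generations the thread lists as possibly affected (6###, 7###, 8###).
FLAGGED_GENERATIONS = {6, 7, 8}


def core_generation(designation):
    """Return (family, generation) for a Core designation, or None if no match."""
    m = MODEL_RE.search(designation)
    if m is None:
        return None
    family, digits = "i" + m.group(1), m.group(2)
    # Three digits: legacy, i.e. first generation.
    # Four digits: the first digit after the dash is the generation.
    generation = 1 if len(digits) == 3 else int(digits[0])
    return family, generation


def triage(designation):
    """Apply the post's rule of thumb; it is a first pass, not a verdict."""
    parsed = core_generation(designation)
    if parsed is None:
        return "unrecognized"            # outside the pattern the post covers
    if parsed[1] in FLAGGED_GENERATIONS:
        return "run-detection-tool"      # might be vulnerable: confirm with the tool
    return "not-in-listed-generations"


if __name__ == "__main__":
    # Constructed sample designations, not taken from any real inventory.
    samples = [
        "i5-650",
        "i3-2120",
        "i7-6700K",
        "Intel(R) Core(TM) i5-7600 CPU @ 3.50GHz",
        "i5-10400",
    ]
    for s in samples:
        print(f"{s!r}: {core_generation(s)} -> {triage(s)}")
```
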

    • #146814

      Is this something ordinary home users need to worry about? These Intel bulletins are written for gearheads and make Microsoft KB articles look like models of clarity.

      Intel’s detection tool says I’m “vulnerable” but Intel does not offer a firmware update to the 6th gen Core CPU to fix it, unless you’re a Linux user (I’m not). Nothing for Windows users. Instead Intel advises contacting the system manufacturer for firmware updates. Yeah well that’s me. I built the PC. The mobo manufacturer hasn’t issued a BIOS update for a year, so they’ve got nothing to offer here.

    • #146823

      Just checked the Gigabyte website and found a new BIOS update for my B250M-D3H motherboard running an i5-7600 Kaby Lake processor.

      The information says “Update Intel ME for security vulnerabilities” so it looks like I’m covered.

      When I built the PC back in July the motherboard only had the F2 BIOS (bought the board in April). Since then I’ve updated it to F6 then F7 and now F8. At least the BIOS updating is easy these days… just copy the BIOS files to a USB stick and update using Q-Flash.

      • #146942

        Okay, thanks, I’ll keep checking the Gigabyte website. Maybe a BIOS update is coming for mine too. They were still selling it 18 months ago, so it’s not like they should consider it at EOL in terms of updates.

        I’d still appreciate any clarification anyone can offer as to whether regular home users need to be concerned about this vulnerability. I did not understand the Intel documentation on the problem.

         

        • #147024

          Here’s my take on this. Download and run the detection tool (use the link above in the post by Anonymous #146683). Towards the bottom of the output window you get from running the tool will be information on whether various “things” are present or enabled. Most of the “things” are acronyms for various services or drivers; if they are not present or not detected (indicated as such by the word “False”, usually), then you probably don’t have much to worry about. I think someone would need either physical access to your machine to turn these “things” on (or download a driver), or infect your machine with malware that would do it. Keep your machine physically safe and your antivirus updated. If you can get a firmware update from your computer manufacturer consider installing it. In my experience installing firmware is pretty dicey, but other more knowledgeable folks here may have other opinions.

          A similar situation occurred last May. Google SA-00075 for details. (Google SA-00086 for the current issue.)

          Anyone else have an opinion?

    • #146862

      You know what is infuriating? Years ago, when I first saw this Intel ME and all its bunch of services, I wanted to disable it in the BIOS, as for me it was just a disaster waiting to happen, but on some BIOS, there was no way to do it. On one computer, I found at least that enabling the strictest EU standards for energy saving in the BIOS had the nice effect of preventing the computer from powering itself by a network activity.

    • #147106

      HP has released the firmware update for their notebooks (I don’t know if they released them for all of the affected ones, but my laptop has the update on the driver downloads). The date of release (according to the Support Site) is October 17, 2017. This comes with firmware version 11.8.50.3390 (SVN 3) and the ME driver version 11.7.0.1043. There’s also an update to Intel’s Trusted Execution Technology as well.

    • #147904

      I ran the detection tool on my Intel Core-i5 in my Intel NUC (kit-built a year ago). I was vulnerable. (The tool can be run under Windows or Linux.) I tried one method to update the BIOS (really, the firmware) and it failed. So I tried a second method, and it ran. Restarted into Linux and ran the detection tool. I am now no longer vulnerable. Since this is a firmware update, Windows should also be covered by the same BIOS Update. So the problem is real, it can affect Skylake Processors, and it is fixable with not too much effort.

      -- rc primak

      • #147980

        According to this link …
        https://www.howtogeek.com/56538/how-to-remotely-control-your-pc-even-when-it-crashes/ ,
        both end-to-end computers have to be configured before an IT Admin is able to remotely manage the client-computer via Intel ME/AMT/vPro. So, it is mostly businesses who have configured this Intel Remote Management feature for their computers who are vulnerable to this bug if not patched quickly.
        … AFAIK, most home-users do not use this feature and their affected Business-grade computers are not configured as such. So, even if unpatched, they are not vulnerable to the bug in Intel ME/AMT/vPro. Just to be sure, Intel ME/AMT/vPro should be disabled in BIOS Level -1 setup, ie by pressing Ctl+P.

        Home-routers also have the Remote Management feature. So, home-routers should have their default Admin password changed, Remote Management disabled, WPS or WDS disabled, WPA2 Wifi encryption used and a strong Wifi password set.
        … A bug in the router’s Remote Management feature will not make it vulnerable to hackers if it has been configured as above. Of course, if you want to use the Remote Management feature, you should patch the bug quickly.
        … The routers’ Remote Management feature is mainly for ISP staff to remotely troubleshoot problems with the router and its Internet connection, eg when requested by their customers.

    • #148563

      Intel have now provided the critical firmware update to system/motherboard manufacturers, and updated links to those on Intel-SA-00086:
      https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

       
      A new opinion blog provides some insight into this year’s Intel ME vulnerabilities:
      Potential impact of the Intel ME vulnerability
      Nov. 27th, 2017

      The big problem at the moment is that we have no idea what the actual process of compromise is. Intel state that it requires local access, but don’t describe what kind.
      It’s also almost impossible to determine if a system is compromised.
      So, overall, given what we know right now it’s hard to say how serious this is in terms of real world impact.

      You can read the full article here

    • #148934

      My Lenovos have started pushing the update automatically through Lenovo System Update. No other bloat added at the same time, just a clean firmware update. The user is warned an update is available through a Lenovo System Update message update that says it is critical. Great how seamless it is. Only problem is it could look like malware trying to scare you and you don’t need admin rights to approve the firmware update which could theoretically maybe make sysadmins unhappy. To me, I have good users, so they call and say what is happening and I can tell them to click do it so it doesn’t bother me.

    • #163579

      My computer has this vulnerability. I have up to date firmware, but have also been considering whether to install the Intel Management Engine Interface driver in Windows – I’ve never installed it previously as I have no use for it. However, will installing it mean that I’ll be better able to protect my computer? Or will it be worse, in that it facilitates the IME in communicating with Windows, meaning that the IME could be used to attack Windows using some other future (or indeed, present but not yet discovered) flaw?

      • #163586

        If you have no need for it, I would not install it. The IME has had vulnerabilities of its own.

        • #163811

          Thank you for your reply. Good advice which I’m happy to take. The only annoying thing about not having the IMEI driver installed is that without it, the SA-00086 Detection Tool can’t determine whether the computer is vulnerable.

    • #175252

      My computer’s manufacturer has released an IME update, but my computer runs Windows 7 and their updater only runs in Windows 10.

      Is there any other way I can install this update?

    • #175497

      Thank you for the response, PKCano. The update was issued a couple of months ago, and given that the computer was supplied with Windows 10, I’m not confident that they will make a further installer for Windows 7.

      However, I’ve given it some thought overnight and realised that it’s possible to install Windows 10 on a USB flash drive, so I’m thinking I can do that and then boot to it as a one-off, just to run the IME update from there.

    • #192873

      Just thought I’d add a postscript to my post of 14 March, in case anyone has the same problem. I couldn’t install the IME firmware update in Windows 7, because my computer manufacturer’s (HP) update only runs in Windows 10. To get round this, I downloaded a Windows 10 ISO, installed Windows To Go on a USB drive using AOMEI Partition Assistant (which itself needed Windows 10 so I had to make a VM – aaargh), then from the USB drive booted to Windows 10 and installed the IME update.

      It’s not a job for the fainthearted though: there was a LOT of “Windows says no” and problem solving needed, although once there the IME update itself ran fine.

      Tips for anyone attempting this:

      I recommend using a 32GB+ USB drive. 16GB is marginal, as it’s almost completely full when Windows starts. If using a 16GB drive, you’ll probably need a second USB drive to install the IME update – mine was around 250MB, plus it needed another 250MB+ free on the original USB drive to extract/install itself into.

      Disconnect from the internet and/or switch off Windows Update, to prevent the USB drive filling up and also slowing down (running Windows 10 from a USB flash drive is slow enough as it is).

      When I booted Windows it started as Windows 10 S (not sure why), in which Defender prevents non-Windows Store programs running (I think I’m right in saying that). This was tricky to get around, as it’s impossible to switch Defender off (you can’t even get into Regedit – Defender prevents it!). I had to activate it using my Windows 10 Pro key, and also boot in Troubleshooting mode to disable driver signature enforcement.

    • #198369

      Update your INTEL-SA-00086 Detection Tool
      By Gunter Born | June 16, 2018

       
      If you are using the INTEL-SA-00086 Detection Tool to analyze the computer for vulnerabilities, you should update the tool. Older versions do not recognize certain vulnerabilities.
      …It scans computers with Intel CPU and shows whether it has found vulnerabilities.

       
      Read the full article here
