Tuesday, November 21st 2017

Researchers Find Glaring Intel ME Security Flaws, Company Outs Detection Tool

Security researchers have found glaring security flaws in the Intel Management Engine, the on-chip micro SoC that, besides governing the functionality of the processor, provides on-chip management and security features. According to the researchers, these flaws render "potentially millions" of PCs and notebooks based on Intel processors vulnerable. On Monday, Intel released a Detection Tool application that lets you identify vulnerabilities in the Management Engine of your Intel processor-powered PC, and that suggests updates to Intel Management Engine drivers or points to BIOS updates from your PC manufacturer.

Updates to Intel ME are specific to TXE 3.0 (trusted execution engine version 3.0), which is featured on processors based on "Skylake," "Kaby Lake," and "Coffee Lake" micro-architectures, across client- and enterprise market segments, and Atom processors released in the past three years. Intel chronicled this security flaw further under Security Advisory 86, and released the SA-00086 Detection Tool.

Source: Wired

45 Comments on Researchers Find Glaring Intel ME Security Flaws, Company Outs Detection Tool

#1
eidairaman1
The Exiled Airman
Microcode updates would be best, but this proves Intel isn't perfect like most here claim them to be
#2
GoldenX
ME is a joke, a really bad one, it really should be illegal.
#3
R0H1T
GoldenX said:
ME is a joke, a really bad one, it really should be illegal.
Yes but tbf to Intel we don't know whether this perpetual backdoor (ME) was put in at the behest of CIA or NSA?
#4
Totally
R0H1T said:
Yes but tbf to Intel we don't know whether this perpetual backdoor (ME) was put in at the behest of CIA or NSA?
That puts them in an even worse light, that hypothetical interaction should have gone like this

CIA or NSA: "Hey Intel, can you put this backdoor on your chips so we can exploit it for reasons and stuff?"
Intel: "No."
#5
R0H1T
Totally said:
That puts them in an even worse light, that hypothetical interaction should have gone like this

CIA or NSA: "Hey Intel, can you put this backdoor on your chips so we can exploit it for reasons and stuff?"
Intel: "No."
Well that's not how national security works, not after 9/11 & in many places around the world.
#6
GoldenX
Funny choice of words, for describing violation of the right to privacy, when did the USA turn into the Soviet Union?
A 1984's Telescreen for everyone.
#8
SaltyFish
btarunr said:
Updates to Intel ME are specific to TXE 3.0 (trusted execution engine version 3.0), which is featured on processors based on "Skylake," "Kaby Lake," and "Coffee Lake" micro-architectures, across client- and enterprise market segments, and Atom processors released in the past three years. Intel chronicled this security flaw further under Security Advisory 86, and released the SA-00086 Detection Tool.
So... everything from Core 2 to Broadwell is out of luck. It seems like it affects all iterations of Intel ME but only the recent CPUs are getting a fix, no?
#9
Micro
My server seems OK without needing a fix or update.

#10
Ferrum Master
Micro said:
My server seems OK without needing a fix or update.


You have an older platform. The tool doesn't check them at all IMHO.

Systems using Intel ME Firmware versions 11.0.0 through 11.7.0, SPS Firmware version 4.0, and TXE version 3.0 are impacted. You may find these firmware versions on certain processors from the:
  • 6th, 7th, and 8th generation Intel® Core™ Processor Family:
  • Intel® Xeon® Processor E3-1200 v5 and v6 Product Family
  • Intel® Xeon® Processor Scalable Family
  • Intel® Xeon® Processor W Family
  • Intel Atom® C3000 Processor Family
  • Apollo Lake Intel Atom® Processor E3900 series
  • Apollo Lake Intel® Pentium® Processors
  • Intel® Celeron® N and J series Processors
The question is open, whether some exploit in similar manner exists for older platforms.
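Added example (not part of the thread, and not Intel's detection tool): a small inventory triage that flags hosts whose firmware version falls inside the ranges quoted in the post above. Host names and version strings are constructed, and `not-listed` only means "outside the quoted range", which the thread leaves as an open question rather than a clean bill of health.

```python
import re

# Ranges as quoted in the post above; ME is compared on major.minor.hotfix,
# SPS and TXE on major.minor. Build numbers are ignored because the page
# gives no fixed build to compare against.
IN_SCOPE = {
    "ME": lambda v: (11, 0, 0) <= v[:3] <= (11, 7, 0),
    "SPS": lambda v: v[:2] == (4, 0),
    "TXE": lambda v: v[:2] == (3, 0),
}
VERSION_RE = re.compile(r"^\d+(\.\d+){1,3}$")

def parse_version(text):
    """Turn '11.6.0.1000' or '4.0' into a 4-tuple of ints (zero padded)."""
    text = text.strip()
    if not VERSION_RE.match(text):
        raise ValueError(f"unparseable firmware version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def classify(family, version_text):
    """Return in-scope, not-listed, unparseable or unknown-family."""
    family = family.strip().upper()
    if family not in IN_SCOPE:
        return "unknown-family"
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unparseable"
    return "in-scope" if IN_SCOPE[family](version) else "not-listed"

def triage(rows):
    """rows: iterable of (host, family, version); returns {status: [hosts]}."""
    report = {}
    for host, family, version in rows:
        report.setdefault(classify(family, version), []).append(host)
    return report

# Constructed inventory (hypothetical hosts and version strings).
SAMPLE = [
    ("ws-01", "ME", "11.6.0.1000"), ("ws-02", "ME", "9.1.37.1002"),
    ("srv-01", "SPS", "4.0.4.139"), ("srv-02", "SPS", "3.1.3.50"),
    ("nuc-01", "TXE", "3.0.1.1107"), ("lab-01", "ME", "n/a"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status:12} {', '.join(hosts)}")
```

Hosts reported as `in-scope` or `unparseable` are the ones to follow up with the vendor's detection tool and the board maker's BIOS or ME firmware downloads.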
#12
GreiverBlade
seriously ...


oh well .... (actually that's also a reminder that my OS is in French while i hate it .... i need to remedy to that asap ..., that and also getting a X370 rig to go with the Win10 En i will need later .... good news .... i can sell 1 of my HDD with a clean Win10 on it alongside mobo/RAM/CPU to increase resell value .... mhhh i should put it all in my AIR540 and put it on sale ... might even put my actual PSU to make it go a little further ... upgrade time is getting real .... thanks Intel :D )
#13
ShurikN
Couldn't we get a link in the article to the correct IME driver download.
#14
TheTechGuy1337
Ferrum Master said:
You have an older platform. The tool doesn't check them at all IMHO.

Systems using Intel ME Firmware versions 11.0.0 through 11.7.0, SPS Firmware version 4.0, and TXE version 3.0 are impacted. You may find these firmware versions on certain processors from the:
  • 6th, 7th, and 8th generation Intel® Core™ Processor Family:
  • Intel® Xeon® Processor E3-1200 v5 and v6 Product Family
  • Intel® Xeon® Processor Scalable Family
  • Intel® Xeon® Processor W Family
  • Intel Atom® C3000 Processor Family
  • Apollo Lake Intel Atom® Processor E3900 series
  • Apollo Lake Intel® Pentium® Processors
  • Intel® Celeron® N and J series Processors
The question is open, whether some exploit in similar manner exists for older platforms.
I wonder if that is true for older generations not getting the fix? They could be excluding them without saying anything about them.
#15
Ferrum Master
TheTechGuy1337 said:
I wonder if that is true for older generations not getting the fix? They could be excluding them without saying anything about them.
Nobody knows, speculation. Imho there should be a simple flip switch in BIOS that turns it off as a module, just like TPM or other mojo things. Especially when sending the device to legacy.
#16
GreiverBlade
Intel Management Engine Interface
(Note) Please installing Microsoft Hot fix first, if operation system is Windows 7.
[11.6.0.1030]
4.43 MB
2016/12/26

awwww crap ....
ShurikN said:
Couldn't we get a link in the article to the correct IME driver download.
well at last it's not on Gigabyte support for my GA-Z170X-Gaming 7
#17
ShurikN
GreiverBlade said:
Intel Management Engine Interface
(Note) Please installing Microsoft Hot fix first, if operation system is Windows 7.
[11.6.0.1030]
4.43 MB
2016/12/26

awwww crap ....

well at last it's not on Gigabyte support for my GA-Z170X-Gaming 7
I just found out that Intel will not be releasing a fix on their site. We should look elsewhere (mobo makers and oems)
#18
GreiverBlade
ShurikN said:
I just found out that Intel will not be releasing a fix on their site. We should look elsewhere (mobo makers and oems)
it's already written in their apps and in that article that it should be on the manufacturer website, if updated, so ... really no need to check with Intel ... they don't really care imho :laugh:
#19
Tomorrow
Yep this requires a new BIOS version to fix since BIOS is what has the ME Firmware. Unfortunately ME Firmware can't be updated separately and thus Intel can't provide the fix.
And good luck waiting for manufacturers providing this fix for older 6th gen processors. Especially on lower end boards.

Technically it's possible to cobble together your own version by integrating the latest ME Firmware to your BIOS and then flashing it (link above) but it's fairly technical and if you mess it up you could brick your board.
#20
Ferrum Master
Tomorrow said:
Unfortunately ME Firmware can't be updated separately and thus Intel can't provide the fix.
Actually you can, using Intel-provided ME tools from DOS or Windows. I've done it...
#21
cadaveca
My name is Dave
Remember that news article a little while ago about what OS the ME used? Now you know why it was relevant and important, and why the news came out when it did, after so many years and product generations of Intel products having ME implemented in this way.


Even new systems are affected:




This is actually a pretty serious issue, IMHO. Expect nearly anything released by Intel in the last 5-8 years to need a BIOS update.

And yes, the ME can be updated separately from the BIOS itself. Some boards even offer the ability to update either part on its own, while some boards only update both, and some do it separately, but never tell you...
#22
Ferrum Master
cadaveca said:
This is actually a pretty serious issue, IMHO. Expect nearly anything released by Intel in the last 5-8 years to need a BIOS update.
You are just showing off your i9, aren't you? :laugh:
#23
Tomorrow
Who runs 7980XE on Win10 Home?

Pro version at least buddy.
#24
DRDNA
Tomorrow said:
Who runs 7980XE on Win10 Home?

Pro version at least buddy.
What's the benefit there buddy? Seriously?
#25
StrayKAT
DRDNA said:
What's the benefit there buddy? Seriously?
Not as much as there used to be.