Did i update my ME firmware right? Zombieload, etc...

[Leoplate25]

Hi, i have an i5-9600k. I updated my ASUS Hero XI WiFI BIOS to the last revision (1005), i installed the last cumulative update from Microsoft, and i think i installed the latest firmware and drivers for the Manage Engine. Can you tell me if i'm good to go (except for the microcode that it's not released yet)?

Here's my ME info:


BIOS Version 1005
MEBx Version 0.0.0.0000
GbE Version 0.5
Descriptor Version 1.0
Vendor ID 8086
FW Version 12.0.35.1427 H Consumer
LMS Version 1846.12.0.1173
MEI Driver Version 1912.12.0.1247

And here's my Poweshell script of the patch status:


Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: False

Speculation control settings for CVE-2018-3639 [speculative store bypass]

Hardware is vulnerable to speculative store bypass: True
Hardware support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is enabled system-wide: True

Speculation control settings for CVE-2018-3620 [L1 terminal fault]

Hardware is vulnerable to L1 terminal fault: False

Speculation control settings for MDS [microarchitectural data sampling]

Windows OS support for MDS mitigation is present: True
Hardware is vulnerable to MDS: True
Windows OS support for MDS mitigation is enabled: False

BTIHardwarePresent : True
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : True
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : False
BTIKernelRetpolineEnabled : False
BTIKernelImportOptimizationEnabled : False
KVAShadowRequired : False
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False
SSBDWindowsSupportPresent : True
SSBDHardwareVulnerable : True
SSBDHardwarePresent : True
SSBDWindowsSupportEnabledSystemWide : True
L1TFHardwareVulnerable : False
L1TFWindowsSupportPresent : True
L1TFWindowsSupportEnabled : False
L1TFInvalidPteBit : 0
L1DFlushSupported : True
MDSWindowsSupportPresent : True
MDSHardwareVulnerable : True
MDSWindowsSupportEnabled : False

I hope someone read this and tell me if i do everything right (except the microcode update that it is not released yet by Intel). Thanks!

 

[R-T-B]

The management engine is not related to the MDS vulnerabilities. Updating it doesn't do much except provide them with fixes for bugs in it and possibly, older security breaches (there haven't been any reported for a while, 1 year at least).

You want to update your CPU microcode. The best thing to do is wait for a bios update from your motherboard manufacturer.

 

[Leoplate25]

The management engine is not related to the MDS vulnerabilities. Updating it doesn't do much except provide them with fixes for bugs in it and possibly, older security breaches (there haven't been any reported for a while, 1 year at least).

You want to update your CPU microcode. The best thing to do is wait for a bios update from your motherboard manufacturer.

Hi, and thanks for your answer. In the ASUS website for my motherboard, you have a download in the BIOS section for the ME and it says this:

Version 12.0.35.1427
2019/05/14

MEUpdateTool
Intel has identified security issue that could potentially place impacted platform at risk.
Use ME Update tool to update your ME.
*We suggest you update ME Driver to the latest Version 12.0.35.1427 simultaneously.

 

[R-T-B]

That's a (late) patch / response to the last ME vulnerability I am aware of.

You've done everything you can for now.

 

[Leoplate25]

That's a (late) patch / response to the last ME vulnerability I am aware of.

You've done everything you can for now.

I'll wait for the microcode update. Same as you. I see you have a 9900k. Thanks!!!

 

[R-T-B]

I'll wait for the microcode update. Same as you. I see you have a 9900k. Thanks!!!

No prob. I'm pretty on top of this stuff and you are doing everything right so far. Fortunately no in the wild exploits have been detected yet, because firmware updates may take a tad bit.

 

[FYFI13]

Hang on, so CPUs without hyperthreading are affected as well?

 

[Leoplate25]

Hang on, so CPUs without hyperthreading are affected as well?

Yes! Every cpu from 2011 till today.

 

[StefanM]

Can you tell me if i'm good to go

You can check the status of the management engine with the Intel CSME Detection Tool

 

[R-T-B]

Hang on, so CPUs without hyperthreading are affected as well?

Yes. It's tougher to exploit there (which is why intel tells unmitigated users to turn it off) but you certainly can exploit it there too if local code is run with enough time to work.

 

[Leoplate25]

You can check the status of the management engine with the Intel CSME Detection Tool

Can anyone tell me if i am missing something apart from the MDS vulnerabilities? If so, how to do it. Thanks!

 

[R-T-B]

MDS tools confuses me too. Thats' about where I am minus MDS and I supposedly know what I'm doing.

I wouldn't fret it.

 

[Leoplate25]

MDS tools confuses me too. Thats' about where I am minus MDS and I supposedly know what I'm doing.

I wouldn't fret it.

Are we in the same situation? Same vulnerabilities shown in the mdstool?

EDIT: Direct and indirect branchs and speculative store bypass are MDS vulnerabilities too?

 

[R-T-B]

Are we in the same situation? Same vulnerabilities shown in the mdstool?

EDIT: Direct and indirect branchs and speculative store bypass are MDS vulnerabilities too?

Pretty much, yes. I have more on L1TF vulnerabilities but I'm guessing your chip is a different stepping that had that fixed.

 

[Leoplate25]

Pretty much, yes. I have more on L1TF vulnerabilities but I'm guessing your chip is a different stepping that had that fixed.

Then, with the microcode update, direct and indirect branch, spec store bypass and the micro-architechtural data sampling should be fixed? I hope so!!

 

[R-T-B]

Then, with the microcode update, direct and indirect branch, spec store bypass and the micro-architechtural data sampling should be fixed? I hope so!!

Direct branching I'm not even sure what it is, possible it's some other vulnerability that isn't even worth fixing because it wasn't very exploitable. I think the MDS stuff should be fixed though, yes, when microcode finally gets out that covers everything. It may be this tool will still list it as vulnerable but with a "mitigation available" flag or something. Hard to say because I have yet to well, see it.

 

[Leoplate25]

Direct branching I'm not even sure what it is, possible it's some other vulnerability that isn't even worth fixing because it wasn't very exploitable. I think the MDS stuff should be fixed though, yes, when microcode finally gets out that covers everything. It may be this tool will still list it as vulnerable but with a "mitigation available" flag or something. Hard to say because I have yet to well, see it.

Full of vulnerabilities, f*ck, haha! Do Ryzen chips have vulnerabilities too or they are just safe?

 

[R-T-B]

Full of vulnerabilities, f*ck, haha! Do Ryzen chips have vulnerabilities too or they are just safe?

Spectre class vulnerabilities affect them but they are largely patched/mitigated by now.

I would not say they are safer, just less researched. But the truth is these vulnerabilities are way less scary than the media makes them out to be. Stick to best practices when browsing the web and there isn't much they can reasonably do (yet).

 

[Leoplate25]

Spectre class vulnerabilities affect them but they are largely patched/mitigated by now.

I would not say they are safer, just less researched. But the truth is these vulnerabilities are way less scary than the media makes them out to be. Stick to best practices when browsing the web and there isn't much they can reasonably do (yet).

Ok, thanks! You were very helpful. Others just ignore me, ha! Let's wait for the BIOS update and that is it. Have a good night/day!

EDIT: I'll come back to you when the microcode is released.

 

[Leoplate25]

Spectre class vulnerabilities affect them but they are largely patched/mitigated by now.

I would not say they are safer, just less researched. But the truth is these vulnerabilities are way less scary than the media makes them out to be. Stick to best practices when browsing the web and there isn't much they can reasonably do (yet).

Hi, man! How are you?? I updated to Windows 10 buil 1903 and i updated the microcode via Windows Update. The thing is, these values changed from false (secure) to true (vulnerable):

BTIKernelImportOptimizationEnabled: True
KVAShadowRequired: True
KVAShadowWindowsSupportEnabled: True
KVAShadowPcidEnabled: True
L1TFHardwareVulnerable: True

How can i be secure again? How can i "turn" them into false again?

 

[R-T-B]

Hi, man! How are you?? I updated to Windows 10 buil 1903 and i updated the microcode via Windows Update. The thing is, these values changed from false (secure) to true (vulnerable):

BTIKernelImportOptimizationEnabled: True
KVAShadowRequired: True
KVAShadowWindowsSupportEnabled: True
KVAShadowPcidEnabled: True
L1TFHardwareVulnerable: True

How can i be secure again? How can i "turn" them into false again?

I have been trying to interpret the MDS tool for some time. It's confusing, how it marks things. I've just about got it figured out but the short version for you is that is just telling you those above mitigations were turned on by windows. They won't affect your security.

The exception being L1TFHardwareVulnerable. I initially was immune to this but at some point a build update made me claim vulnerable as well. Fortunately mitigations for that vulnerability are already in Windows and I can only assume an MDSTool update changed how they detect it.

tl:dr: MDSTool is confusing, and they really need to make it more readable. If you post a screenshot I can confirm that you are as uptodate as me, which I'd say is "secure."

 

[advanced3]

You have a better chance of being struck by lightning....3 times in a row, than being affected by any of these "exploits".

 

[R-T-B]

Just made this. See this infographic. May help understand the tool. Taken from my 9900k on 1903.

You have a better chance of being struck by lightning....3 times in a row, than being affected by any of these "exploits".

MDS is more dangerous than past ones. This is a dangerous mindset given it's abilities and I we are trying to help users who want to stay secure here, not parrot misinformation. Just because we haven't seen in the wild exploits yet is no reason to try to avoid security. Thanks.

 

[Leoplate25]

I have been trying to interpret the MDS tool for some time. It's confusing, how it marks things. I've just about got it figured out but the short version for you is that is just telling you those above mitigations were turned on by windows. They won't affect your security.

The exception being L1TFHardwareVulnerable. I initially was immune to this but at some point a build update made me claim vulnerable as well. Fortunately mitigations for that vulnerability are already in Windows and I can only assume an MDSTool update changed how they detect it.

tl:dr: MDSTool is confusing, and they really need to make it more readable. If you post a screenshot I can confirm that you are as uptodate as me, which I'd say is "secure."

You have a better chance of being struck by lightning....3 times in a row, than being affected by any of these "exploits".

Thanks both of you. Now i'm getting another issue. A BSOD: critical structure corruption. It happened twice since i installed Build 1903. What can it be?

 

[R-T-B]

Thanks both of you. Now i'm getting another issue. A BSOD: critical structure corruption. It happened twice since i installed Build 1903. What can it be?

That's an interesting one. It doesn't sound like an exploit related issue though. I'd take that to a seperate thread as it could be anything from a bad overclock, unstable ram/ram profile, to a OS upgrade gone bad.

The users here will be happy to help you in a seperate topic, though!