
Intel-SA-00086

TNils
Beginner

Hello

Regarding Intel-SA-00086

If the manufacturer of the motherboard does not provide a patch for this bug, what can be done?

From what I understand, firewalling does not help to protect from a hacker gaining access, but would it help with an external firewall/router?

idata
Employee

Hi 4meBeach,

I understand the motherboard maker still has not provided an update to fix the Intel SA-00086. I am sorry for the inconvenience.

Please bear in mind that Intel has addressed this problem making an update available to equipment manufacturers. If you already consulted with your motherboard maker, I recommend checking with the board manufacturer for further updates for your computer model.

Until the appropriate firmware update is applied, Intel highly recommends that system owners follow good security practices and ensure that potentially impacted systems are physically secured if possible.

Regards,

Allan J.
TNils
Beginner

Hi Allan

Thanks for your response.

It's not that they have not provided an update, it's that they seem not to care to make one at all, even though I've contacted them and provided them with several links to Intel's web page for more information on the bug. The computers it regards are OEM from China, from a company named HYSTOU.

My question remains: is it possible to protect against these bugs with an external firewall? If you know?

I just bought two new computers from them, both vulnerable according to the Intel Python scripts. So it kind of sucks if I now have to throw these away just because of this bug. Several hundred dollars down the drain if there is no way of stopping an attacker.

n_scott_pearson
Super User

Well Tony, I hope that you are screaming your displeasure with this vendor, who is obviously callous and completely uninterested in the security of the systems sold, every place that you can (including to them). Your opinion matters and, if you scream loud enough, long enough and widely enough, people will hear and start to avoid using this vendor's products as a result. The vendor will eventually get the message and address this bad attitude...

If you have a good firewall between your subnet and the internet, a direct attacker won't be able to see that your systems even exist, let alone attack them. Still, most attacking software is loaded indirectly, not directly. In most cases, you actually invite this software into your systems through poor practices on your own part (visiting nefarious web sites, downloading software without verifying location or content, etc.). Make sure you are careful and make sure that you are always running a good internet protection package (like Norton, McAfee, etc.).

...S

TNils
Beginner

Hey Scott

Yes, I'm still trying to get them to understand the importance of this update. I have also contacted AliExpress, where their products are sold, and asked their support to get in contact with the engineers of this company or someone higher up who may take it more seriously, but whether they will have any better luck with it remains to be seen. I doubt it.

I feel obligated to post the manufacturers name (HYSTOU) in case this page shows up in any search result on Google should anyone be so smart to do a bit of research before buying from them. Should they get back to me with a patch, I'll be sure to update this thread again clearing their name.

Thank you for clarifying this regarding firewalling and the risks associated with it.

TNils
Beginner

I have a follow up question regarding these found bugs.

Its stated here: https://www.intel.com/content/www/us/en/support/articles/000025619/software.html Intel® Management Engine Critical Firmware Update (Intel-SA-00086)

That the functions affected by these bugs are:

  • Intel® Management Engine (Intel® ME)
  • Intel® Trusted Execution Engine (Intel® TXE)
  • Intel® Server Platform Services (SPS)

So, when looking at the specifications for the i3-7100U and N3050 CPUs, there is no mention of Management Engine nor of Server Platform Services, and for Trusted Execution Engine the specifications say 'no'. Does it mean that in these particular cases the bugs do not affect these CPUs, even though they are in the generation of CPUs that normally would be affected?

n_scott_pearson
Super User

Speculating is a waste of time. Run the tool and see if it says you are vulnerable. If it says you are not, then you have nothing to worry about. If it says you are, then you need to get a BIOS update from your board manufacturer that contains the fix for the vulnerability.

...S

P.S. The embedded processors family (those ending in U) have a version of the Chipset (PCH) component embedded in their SOC. This PCH will contain those microcontrollers necessary for the capability set offered by the SOC. As far as I know, the ME is always included. It is the ME interface that is used for communicating with these microcontrollers and it is the ME interface that contains the vulnerability.
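Scott's point that the U-series SoCs carry the PCH, and with it the ME, on the processor package can be checked from the operating system: the ME's host interface (HECI, called MEI on Linux; the TXE variant on the Atom-class SoCs) appears as its own PCI function. The following is an added example, not code from this thread or from Intel, that finds that function in `lspci -nn` output. The sample `lspci` lines are constructed for the example; the device IDs and descriptions in them are illustrative, not a lookup table to match against.

```python
"""Locate the Intel ME / TXE host-interface PCI function in `lspci -nn` output."""
import re
import subprocess

# Description words pci.ids uses for the ME family's host interface across
# generations ("HECI", "CSME", "Management Engine Interface") and for the
# Atom-class variant ("Trusted Execution Engine").
ME_PATTERNS = re.compile(r"HECI|CSME|Management Engine|Trusted Execution Engine")

# One `lspci -nn` line: "BB:DD.F class [cccc]: description [vvvv:dddd] (rev xx)"
LSPCI_LINE = re.compile(
    r"^(?P<bdf>[0-9a-f]{2,4}:[0-9a-f]{2}\.[0-9a-f]) "
    r"(?P<class>[^\[]+?) \[(?P<classid>[0-9a-f]{4})\]: "
    r"(?P<desc>.+?) \[(?P<vendor>[0-9a-f]{4}):(?P<device>[0-9a-f]{4})\]"
)


def find_me_devices(lspci_output: str) -> list:
    """Return the Intel (vendor 8086) functions whose description names the
    ME/TXE host interface, as dicts with bdf, device_id, desc and kind."""
    found = []
    for line in lspci_output.splitlines():
        m = LSPCI_LINE.match(line.strip())
        if not m or m["vendor"] != "8086":
            continue
        if not ME_PATTERNS.search(m["desc"]):
            continue
        kind = "TXE" if "Trusted Execution" in m["desc"] else "ME"
        found.append({"bdf": m["bdf"], "device_id": m["device"],
                      "desc": m["desc"], "kind": kind})
    return found


def me_devices_on_this_host() -> list:
    """Run lspci on the local machine (Linux, pciutils installed)."""
    out = subprocess.run(["lspci", "-nn"], capture_output=True, text=True,
                         check=True).stdout
    return find_me_devices(out)


# Constructed sample output for two hypothetical boxes (a Kaby Lake-U laptop
# board and a Braswell N-series board); IDs are illustrative, not authoritative.
SAMPLE_LSPCI_KABYLAKE_U = """\
00:00.0 Host bridge [0600]: Intel Corporation Xeon E3-1200 v6/7th Gen Core Processor Host Bridge/DRAM Registers [8086:5904] (rev 02)
00:14.0 USB controller [0c03]: Intel Corporation Sunrise Point-LP USB 3.0 xHCI Controller [8086:9d2f] (rev 21)
00:16.0 Communication controller [0780]: Intel Corporation Sunrise Point-LP CSME HECI #1 [8086:9d3a] (rev 21)
00:1f.0 ISA bridge [0601]: Intel Corporation Sunrise Point-LP LPC Controller [8086:9d58] (rev 21)
"""
SAMPLE_LSPCI_BRASWELL = """\
00:00.0 Host bridge [0600]: Intel Corporation Atom/Celeron/Pentium Processor x5-E8000/J3xxx/N3xxx Series SoC Transaction Register [8086:2280] (rev 21)
00:1a.0 Encryption controller [1080]: Intel Corporation Atom/Celeron/Pentium Processor x5-E8000/J3xxx/N3xxx Series Trusted Execution Engine [8086:2298] (rev 21)
"""

if __name__ == "__main__":
    for dev in me_devices_on_this_host():
        print(f"{dev['bdf']}  {dev['kind']}  8086:{dev['device_id']}  {dev['desc']}")
```

If the function is present the `mei_me` (or `mei_txe`) driver binds to it and creates `/dev/mei0`, which is the same channel the Intel detection tool uses; a board where `lspci` shows no such function and no `/dev/mei*` exists is the exception, not the rule, on these generations.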

TNils
Beginner

Well, speculating is not a waste of time when they won't provide an update. I would prefer to not have to buy a new set of computers.

n_scott_pearson
Super User

It most certainly is! Run the tool and you will know (that's why it was provided!).

...S

TNils
Beginner

Yes Scott, I did of course run the tool (that's why I'm posting here). The tool says for two out of three computers here "Detection Error: This system may be vulnerable". But what does "may" mean? I read up further on the bug, and it seems that the biggest would be the web interface accessible through port 16992 (source: https://www.blackhat.com/docs/us-17/thursday/us-17-Evdokimov-Intel-AMT-Stealth-Breakthrough-wp.pdf ). To my knowledge this web interface does not exist on either of these computers, at least not one I can access through my browser. I know from the PDF that the bug can still be exploited through local software, but my main concern would be access through the web.

So, to judge from this PDF, if port 16992 is blocked by an external firewall, this would at least stop any remote attempt at exploiting this bug?

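On the port 16992 question, an added example (not code from this thread, from Intel, or from the cited paper) that probes a host for the AMT management listeners and parses the HTTP banner AMT returns before any credentials are presented. Two caveats a practitioner would want alongside it: the AMT listeners are serviced by the ME through the integrated network controller, so a host firewall on that same machine never sees these ports, and only a firewall upstream (the external router the original question asks about) or a switch ACL keeps other hosts away from them, and then only hosts on the far side of that boundary. And a closed port says nothing about the SA-00086 ME firmware bugs themselves, which, as the post above notes, also have a local software path. The sample responses and the version string in them are constructed for the example, not captured from a real system.

```python
"""Probe a host for an Intel AMT web interface and parse the banner it returns."""
import socket

# AMT listeners: 16992/16993 for the web UI and WS-Management over HTTP/HTTPS,
# 16994/16995 for the redirection (SOL / IDE-R) services.
AMT_PORTS = (16992, 16993, 16994, 16995)


def parse_amt_banner(raw: bytes) -> dict:
    """Parse an HTTP response head. AMT identifies itself in the Server header
    and answers unauthenticated requests with 401 plus a Digest challenge."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status_parts = lines[0].split(" ", 2) if lines else []
    status = int(status_parts[1]) if len(status_parts) > 1 and status_parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    server = headers.get("server", "")
    return {
        "status": status,
        "server": server,
        "is_amt": server.startswith("Intel(R) Active Management Technology"),
        "auth": headers.get("www-authenticate", ""),
    }


def probe_amt(host: str, port: int = 16992, timeout: float = 3.0):
    """Connect, send a minimal GET, and return the parsed banner; None when the
    port is closed, filtered, or the connection fails for any other reason."""
    request = (
        "GET /index.htm HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            chunks, total = [], 0
            while total < 65536:            # cap what we keep; a banner is tiny
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
                total += len(data)
    except OSError:
        return None
    return parse_amt_banner(b"".join(chunks))


def scan_host(host: str, ports=AMT_PORTS, timeout: float = 3.0) -> dict:
    """Map each AMT port on `host` to its parsed banner, or None if unreachable."""
    return {port: probe_amt(host, port, timeout) for port in ports}


# Constructed sample responses (not captured from real hardware). The version
# number is a placeholder in AMT's banner format, not a statement about any build.
SAMPLE_AMT_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50.3425\r\n"
    b"WWW-Authenticate: Digest realm=\"Digest:0123456789ABCDEF\", nonce=\"Yy3mlr5J\", qop=\"auth\"\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
SAMPLE_OTHER_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.18.0\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, banner in scan_host(target).items():
        print(port, "closed/filtered" if banner is None else banner)
```

Run it from another machine on the same subnet as well as from outside the router: the first tells you what a compromised neighbour would see, the second what the external firewall actually hides. A `None` on every port from outside and a banner from inside is exactly the situation Scott describes in his reply below.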
TNils
Beginner

** bump **

n_scott_pearson
Super User

Hhmmm, sorry Tony, I thought I responded to this conversation, but my response doesn't appear to be here. What I said - and knowing me, probably in a much more verbose fashion - was essentially: don't count on it. While the port may be blocked from external accesses, most attacks happen internally. That is, attacking software gets onto a system through some means (phishing, web access, etc.) and, if activated, can then attack any system on the subnet. Bottom line, you want to continue to push the board manufacturer to provide an updated firmware (BIOS) package that includes the fixes for this issue.

...S

TNils
Beginner

Follow up question:

I updated my microcode under Linux. Does this solve this particular bug?

n_scott_pearson
Super User

No, absolutely not! The SA-00086 vulnerabilities are in the firmware for the Management Engine. The only way to address these vulnerabilities is with updated ME firmware. Further, since the location of the ME firmware within the Firmware Hub is controlled by the BIOS designer, Intel cannot provide a generic update package for this firmware. As a result - and also because the ME firmware is bundled with the BIOS firmware - you need a BIOS update to get this firmware.

...S

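Scott's distinction between the two updates (CPU microcode, which the OS can load at boot, versus ME firmware, which only a BIOS image carries) can be made concrete on a Linux box by reading the two version numbers from their separate sources. The following is an added example, not from the thread or from Intel. It assumes the `/proc/cpuinfo` "microcode" field and the `mei` driver's `/sys/class/mei/mei0/fw_ver` file in the form `<platform>:<major>.<minor>.<hotfix>.<build>` per line; the latter format is taken from the upstream driver and should be verified on the kernel in use. The minimum version list is a parameter the reader fills in from the vendor advisory; the value used in the sample data below is only an illustrative threshold, and all sample inputs are constructed.

```python
"""Read the CPU microcode revision and the ME firmware version from their
separate Linux sources, so the two kinds of update are not confused."""
import re
from pathlib import Path

# /proc/cpuinfo reports the microcode revision loaded on each logical CPU.
MICROCODE_RE = re.compile(r"^microcode\s*:\s*(0x[0-9a-fA-F]+)\s*$", re.MULTILINE)

# Assumed mei sysfs format: one "<platform>:<major>.<minor>.<hotfix>.<build>"
# line per firmware version the ME reports.
FW_VER_RE = re.compile(r"^(\d+):(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$", re.MULTILINE)


def parse_microcode(cpuinfo: str) -> list:
    """Distinct microcode revisions across all CPUs (normally exactly one)."""
    return sorted(set(MICROCODE_RE.findall(cpuinfo)))


def parse_me_fw_ver(fw_ver_text: str) -> list:
    """ME firmware versions as (major, minor, hotfix, build) tuples."""
    return [tuple(int(x) for x in m.groups()[1:]) for m in FW_VER_RE.finditer(fw_ver_text)]


def me_version_meets(version: tuple, minimums: list) -> bool:
    """True if `version` sits on the same major.minor branch as one of the
    `minimums` and is at or past it. Builds on different branches are not
    ordered against each other, so a version whose branch has no entry in
    `minimums` is reported as not meeting the requirement."""
    return any(version[:2] == minimum[:2] and version >= minimum for minimum in minimums)


def report(cpuinfo: str, fw_ver_text, minimums: list) -> dict:
    """Combine both readings; `me_meets_minimum` is None when no MEI device
    exposes a version (driver not loaded, or no /sys/class/mei/mei0)."""
    versions = parse_me_fw_ver(fw_ver_text) if fw_ver_text is not None else []
    return {
        "microcode": parse_microcode(cpuinfo),
        "me_firmware": versions,
        "me_meets_minimum": (all(me_version_meets(v, minimums) for v in versions)
                             if versions else None),
    }


def report_this_host(minimums: list) -> dict:
    cpuinfo = Path("/proc/cpuinfo").read_text()
    fw = Path("/sys/class/mei/mei0/fw_ver")
    return report(cpuinfo, fw.read_text() if fw.exists() else None, minimums)


# Constructed sample inputs (not captured from a real machine).
SAMPLE_CPUINFO = """\
processor\t: 0
model name\t: Intel(R) Core(TM) i3-7100U CPU @ 2.40GHz
microcode\t: 0x84

processor\t: 1
model name\t: Intel(R) Core(TM) i3-7100U CPU @ 2.40GHz
microcode\t: 0x84
"""
SAMPLE_FW_VER = "0:11.6.27.3264\n"
# Illustrative threshold only; take the real numbers from the advisory.
SAMPLE_MINIMUMS = [(11, 8, 50, 3425)]

if __name__ == "__main__":
    print(report_this_host(SAMPLE_MINIMUMS))
```

A changed microcode line after a `microcode_ctl` or `intel-microcode` package update with the ME line unchanged is the normal outcome of the poster's microcode update, and it is the ME line that a BIOS update from the board vendor has to move.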
n_scott_pearson
Super User

Update: another Intel Management Engine (ME) vulnerability, specific to Intel Active Management Technology (AMT), was reported today...

This vulnerability exists because of the way that the ME BIOS Extension (MEBx) is invoked by the BIOS. In a physical access scenario, it will allow someone access to the ME configuration regardless of BIOS password. If the password for AMT has not been changed by the system owner (or their IT department), then an attacker could take over control of AMT, set it up for remote access and then change the password (locking out the owner). The attacker would then remotely access the machine and have access to anything they want (the ultimate leaky machine).

The fix for this issue is to implement support, within the BIOS, so that MEBx cannot be invoked unless the BIOS Administrative password is provided.

All users who have vPro-enabled PCs, should (1) ensure that they set the AMT Password and (2) ensure that they set a BIOS Administrative Password. Having the AMT password set will protect against this vulnerability until a BIOS update delivers a fix for this vulnerability.

For vPro-enabled systems, when you combine the original AMT vulnerabilities (INTEL-SA-00075, announced back in May) with INTEL-SA-00086 (ME vulnerabilities announced back in November), INTEL-SA-00088 (Meltdown and Spectre) and this new vulnerability, the only way that they can all be completely addressed is via a BIOS that delivers a fix for this vulnerability, the appropriate microcode update (for INTEL-SA-00088) and updated ME firmware (for INTEL-SA-00086).

For non-vPro systems, which are not affected by INTEL-SA-00075 nor by this new vulnerability, you *still* need a BIOS update that delivers the appropriate microcode update (for INTEL-SA-00088) and updated ME firmware (for INTEL-SA-00086).

Folks have asked about disabling the ME. The ME cannot be completely disabled because part of its functionality is processor initialization. It can be stopped from running after this initialization is complete, however. Intel has warned that, because the ME vulnerabilities are present in the processor initialization functionality, disabling the ME does not alleviate the need for the ME firmware fixes for INTEL-SA-00086; you are thus going to need an updated BIOS providing the updated firmware no matter what. Intel has also warned that, depending upon the method used, this can be a permanent operation. Cleanly disabling the ME is only possible if the BIOS actually provides support for doing exactly this. For folks interested in this capability, you will most likely need an updated BIOS to get this capability (unless support for the HAP program already exists in the BIOS; see http://www.zdnet.com/article/researchers-say-intels-management-engine-feature-can-be-switched-off/ here for more information). If you have this capability and you disable the ME, all included and dependent technologies (there is a long list) will also be disabled.

Hope this explains things fully. It is becoming a dizzying nightmare...

...S

JOver1
Beginner

Scott:

I am not exactly understanding the inclusion of the below statement in the article in the link that you posted.

Update - Intel has told ZDNet: "Intel does not and will not design backdoors for access into its products. Recent reports claiming otherwise are misinformed and blatantly false. Intel does not participate in any efforts to decrease security of its technology."

Am I misunderstanding all this or is IME combined with AMT exactly the thing that the above statement claims they (Intel) won't do ? Are they saying that because they are providing the technology to computer manufacturers who are then IMPLEMENTING it ?

Thanks.

JOver1
Beginner

"It is becoming a dizzying nightmare..."

As my dear departed dad used to say, That hit the nail right on the head.

It has for a long time been my personal opinion that anyone who uses any electronic device for doing anything that might be of a confidential nature is a # $)# (@(@ - fool !!!

JOver1
Beginner

Scott:

Is there a possibility that there may ALREADY be some "parameter" within the extended BIOS settings of my computer which would accomplish the "reserve_hap" flag setting, thus disabling ME?

The reason I ask is because when I disabled the Intel ME control state parameter, then when the computer rebooted the function which controls the fan speed, etc. was no longer working, i.e. the fan was on full speed, which made the machine much louder than normal (there is a parameter related to this in my extended BIOS).

I ask this even though the description of the ME control state parameter in the writeup I found on the Internet suggests that changing that parameter does NOT actually disable the IME.

Thanks.

n_scott_pearson
Super User

These idiots are screaming for more transparency. Intel will not give them that under any circumstances; it is against Intel policies to do so. The ME (and AMT) are closed systems for a darned good reason: security requires it. They say how can Intel be trusted if they cannot look at the code? Well, Intel regularly has the code properly audited by external agencies. Intel tightly controls who it is that performs these audits because this is the way it has to be if security is to be kept. In addition to this being so critical to security, it is also important to Intel because the ME is IP. They are going to naturally want to minimize the people seeing the code. IMHO, those that are screaming the loudest are the ones that are not knowledgeable enough (or disciplined enough) about security practices to ever be considered for access to the source.

It is unfortunate that these vulnerabilities exist and that there are ways for these vulnerabilities to be exploited to open back doors. This certainly wasn't on purpose. The right answer is to close the vulnerabilities, not overreact and do something stupid like disable the ME. Actually, the better right answer is to not create these vulnerabilities in the first place, but Intel missed the boat on that. Oops, there I go being unfair in retrospect in my retirement. The fact is, for a number of years I was part of the teams working on the ME (I owned Intel Quiet System Technology (QST)), I took part in many security reviews and I missed these vulnerabilities just like the rest of them did, so shame on me too.

...S

n_scott_pearson
Super User

Is there a chance you have a system with HAP support in the BIOS? Yea, its possible, but I don't know enough about it to be able to tell you how.

...S

n_scott_pearson
Super User

Wait a minute. You lost FSC? How old is your system? They kicked QST out of the ME after the 5 Series chipset. If your system is that old, I would be more inclined to doubt that there is any chance of support for HAP being present.

...S
