Management Engine Critical Firmware Update (Intel-SA-00086)

BoraMurdar

Intel® Management Engine (Intel® ME 6.x/7.x/8.x/9.x/10.x/11.x), Intel® Trusted Execution Engine (Intel® TXE 3.0), and Intel® Server Platform Services (Intel® SPS 4.0) vulnerability (Intel-SA-00086)

In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of the following with the objective of enhancing firmware resilience:
  • Intel® Management Engine (Intel® ME)
  • Intel® Trusted Execution Engine (Intel® TXE)
  • Intel® Server Platform Services (SPS)
Intel has identified security vulnerabilities that could potentially impact certain PCs, servers, and IoT platforms.

Systems using Intel ME Firmware versions 6.x-11.x, servers using SPS Firmware version 4.0, and systems using TXE version 3.0 are impacted. You may find these firmware versions on certain processors from the:
  • 1st, 2nd, 3rd, 4th, 5th, 6th, 7th, and 8th generation Intel® Core™ Processor Families
  • Intel® Xeon® Processor E3-1200 v5 and v6 Product Family
  • Intel® Xeon® Processor Scalable Family
  • Intel® Xeon® Processor W Family
  • Intel Atom® C3000 Processor Family
  • Apollo Lake Intel Atom® Processor E3900 series
  • Apollo Lake Intel® Pentium® Processors
  • Intel® Pentium® Processor G Series
  • Intel® Celeron® G, N, and J series Processors
To determine if the identified vulnerabilities impact your system, download and run the Intel-SA-00086 Detection tool using the links below.

Available resources
Resources for Microsoft and Linux* users
Note: Versions of the INTEL-SA-00086 Detection Tool earlier than 1.0.0.146 did not check for CVE-2017-5711 and CVE-2017-5712. These CVEs only affect systems with Intel® Active Management Technology (Intel® AMT) version 8.x-10.x. Users of systems with Intel AMT 8.x-10.x are encouraged to install version 1.0.0.146, or later. Installing this version helps to verify the status of their system with regard to the INTEL-SA-00086 Security Advisory. You can check the version of the INTEL-SA-00086 Detection Tool by running the tool and looking for the version information in the output window.
Resources from system/motherboard manufacturers

Note: Links for other system/motherboard manufacturers will be provided when available. If your manufacturer is not listed, contact them for information on the availability of the necessary software update.
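For anyone tracking more than one machine, the version scope and the Detection Tool note quoted above can be turned into a small triage pass over a firmware inventory. This is an added example, not part of the original post or of Intel's tooling; the record field names, host names and version strings are constructed, and "out-of-scope" refers only to the version ranges quoted in this post.

```python
import re

# Scope as stated in the advisory text above: product -> inclusive major-version range.
IN_SCOPE = {"ME": (6, 11), "TXE": (3, 3), "SPS": (4, 4)}
MIN_TOOL = (1, 0, 0, 146)  # first Detection Tool version that checks CVE-2017-5711/5712
AMT_RECHECK = (8, 10)      # AMT major versions those two CVEs apply to

def parse_version(text):
    """Turn '9.1.0.1' into (9, 1, 0, 1); reject anything that is not dotted digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def triage(record):
    """Return the next action for one inventory record (hypothetical field names)."""
    bounds = IN_SCOPE.get(record["product"].upper())
    major = parse_version(record["fw_version"])[0]
    if bounds is None or not bounds[0] <= major <= bounds[1]:
        return "out-of-scope"
    tool = record.get("tool_version")
    if not tool:
        return "run-detection-tool"          # in scope but never scanned
    amt = record.get("amt_version")
    amt_in_range = bool(amt) and AMT_RECHECK[0] <= parse_version(amt)[0] <= AMT_RECHECK[1]
    if amt_in_range and parse_version(tool) < MIN_TOOL:
        return "rerun-with-newer-tool"       # old scan could not see the AMT CVEs
    return "use-tool-verdict"

# Constructed sample inventory; hosts and version strings are made up for illustration.
SAMPLE = [
    {"host": "ws-01", "product": "ME", "fw_version": "9.1.0.1", "amt_version": "9.1.0.1", "tool_version": "1.0.0.135"},
    {"host": "ws-02", "product": "ME", "fw_version": "11.8.0.1", "amt_version": "11.8.0.1", "tool_version": "1.0.0.135"},
    {"host": "ws-03", "product": "ME", "fw_version": "8.1.0.1", "amt_version": "8.1.0.1", "tool_version": "1.0.0.146"},
    {"host": "srv-01", "product": "SPS", "fw_version": "4.0.0.1", "tool_version": None},
    {"host": "iot-01", "product": "TXE", "fw_version": "2.0.0.1", "tool_version": None},
]

def report(inventory):
    """Map each host to its triage action."""
    return {rec["host"]: triage(rec) for rec in inventory}

if __name__ == "__main__":
    for host, action in report(SAMPLE).items():
        print(f"{host}: {action}")
```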
 

plat1098

I thought I would idly check, as this machine (I thought) was clean and just being curious. The Intel discovery tool wiped the little smirk right off my face. So, I am much obliged for this post, @BoraMurdar. Next patch coming up.

[Attached image: Intel discovery.jpg]

Edit: Just checking after applying the ME firmware update courtesy of above Lenovo link.

[Attached image: intel post patch.jpg]
 


BoraMurdar

> Here Intel® Product Security Center
> Intel says that Intel® Core™ i7 processor (45nm and 32nm) are affected by the problem.
> I have got a 7700K which is 14 nm.
> Am I affected by the problem?

Please download the Intel-SA-00086 Detection Tool, run the program (GUI version), and it will tell you if your system is vulnerable or not.

> So, when is INTEL going to release patches to fix the problem? As an end user I would like to know that

Your motherboard manufacturer should have already released the firmware patch.
 

brambedkar59

> This may be a silly question, does Intel® Management Engine need to be enabled? My BIOS for ASUS z97-C was updated 2 years ago (unless my MB never had the feature to start with....

Intel ME is shipped & enabled by default on all CPUs since 2008 or something. It's of no use to us home users. Enterprise customers can ask Intel for it to be disabled but no such luck for us consumers. There is a hack available for disabling ME but it's too risky, I wouldn't even try that.
As you already posted earlier that your system has been patched and therefore not vulnerable, so I wouldn't worry about that, for now. :devil:
 

Danielx64

> Intel ME is shipped & enabled by default on all CPUs since 2008 or something. It's of no use to us home users. Enterprise customers can ask Intel for it to be disabled but no such luck for us consumers. There is a hack available for disabling ME but it's too risky, I wouldn't even try that.
> As you already posted earlier that your system has been patched and therefore not vulnerable, so I wouldn't worry about that, for now. :devil:

Yeah, I just find it strange that someone with a newer CPU/System is affected but I'm not.
 

Vasudev

> Intel ME is shipped & enabled by default on all CPUs since 2008 or something. It's of no use to us home users. Enterprise customers can ask Intel for it to be disabled but no such luck for us consumers. There is a hack available for disabling ME but it's too risky, I wouldn't even try that.
> As you already posted earlier that your system has been patched and therefore not vulnerable, so I wouldn't worry about that, for now. :devil:

It's a knock-off version of Skynet and if one can get the correct ports then your machine can accept requests from a hacker.
I suggest updating the ME FW ASAP.
My PC isn't patched because Dell decided to lock out the firmware update locally. So, I need official BIOS from Dell to unlock it.
 

Vasudev

> Here Intel® Product Security Center
> Intel says that Intel® Core™ i7 processor (45nm and 32nm) are affected by the problem.
> I have got a 7700K which is 14 nm.
> Am I affected by the problem?

Yeah, you're affected by SA00088. First option is to update W10/8.1/7 to latest build.
The microcode is being worked on by Intel and isn't released publicly.
You can see the link stating intel-microcode (3.20171215.1) as unstable and isn't tested extensively and even Intel website has older version.
If your OEM doesn't update microcode, you can use VMware CPU microcode updater tool to manually patch ucode that is semi-permanent, meaning when you clean install OS it will be removed. But it should fix the security issue by booting the new uCode on every W10 boot process.
I will update the tool once new uCodes are out. I will notify you once the OP updates the links. [WARNING] Intel Skylake/Kaby Lake processors: Broken HT on Laptops & PC [Fix is here]
 

brambedkar59

> It's a knock-off version of Skynet and if one can get the correct ports then your machine can accept requests from a hacker.
> I suggest updating the ME FW ASAP.
> My PC isn't patched because Dell decided to lock out the firmware update locally. So, I need official BIOS from Dell to unlock it.

Lol, Skynet :LOL:. Nice analogy there, I know it's scary.
Asus is planning an update in Jan18 for my Laptop.

> Yeah, you're affected by SA00088. First option is to update W10/8.1/7 to latest build.
> The microcode is being worked on by Intel and isn't released publicly.
> You can see the link stating intel-microcode (3.20171215.1) as unstable and isn't tested extensively and even Intel website has older version.
> If your OEM doesn't update microcode, you can use VMware CPU microcode updater tool to manually patch ucode that is semi-permanent, meaning when you clean install OS it will be removed. But it should fix the security issue by booting the new uCode on every W10 boot process.
> I will update the tool once new uCodes are out. I will notify you once the OP updates the links. [WARNING] Intel Skylake/Kaby Lake processors: Broken HT on Laptops & PC [Fix is here]

Any issues with Win10 FCU, UEFI or ThrottleStop that I should know of?
 
