Topic: Critical Flaws in Intel Processors Leave Millions of PCs Vulnerable, 21-NOV-2017

VinDSL
Good ol' Swati   :)

SOURCE #1 (her article): https://goo.gl/HYkUNu

Quote
In the past few months, several research groups have uncovered vulnerabilities in the Intel remote administration feature known as the Management Engine (ME) which could allow remote attackers to gain full control of a targeted computer.

Now, Intel has admitted that these security vulnerabilities could "potentially place impacted platforms at risk." [...]

As long as the system is connected to line power and a network cable, these remote functions can be performed out of band even when the computer is turned off, as it operates independently of the operating system.



I always stay a couple of generations behind 'the curve'. But if you're running the latest n' greatest Intel CPU, you might want to check your machine for vulns.


SOURCE #2 (Linux & winders detection tool): https://goo.gl/Yq6cx4

I just checked this Dell i5 desktop box. Whew...

╭─vindsl@Boogaloo-5 /mnt/58328914-6c59-4abf-99cb-9feb196df4e3/Downloads 
╰─➤  sudo ./intel_sa00086.py                                               11 ↵
[sudo] password for vindsl:
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved

Application Version: 1.0.0.128
Scan date: 2017-11-26 18:19:49 GMT

*** Host Computer Information ***
Name: Boogaloo-5
Manufacturer: Dell Inc.
Model: OptiPlex 7010
Processor Name: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz
OS Version: Peppermint 7 xenial (4.13.0-18-generic)

*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 8.1.65.1586
SVN: 0

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is not vulnerable.

For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

╭─vindsl@Boogaloo-5 /mnt/58328914-6c59-4abf-99cb-9feb196df4e3/Downloads 
╰─➤ 

I'll check my Dell i7 lappy after submitting this.  8)


EDIT

All is well... on the Southwestern Front.

╭─vindsl@Chi-You ~/Downloads/Intel Detection Tool 
╰─$ sudo ./intel_sa00086.py
[sudo] password for vindsl:
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved

Application Version: 1.0.0.128
Scan date: 2017-11-26 18:51:00 GMT

*** Host Computer Information ***
Name: Chi-You
Manufacturer: Dell Inc.
Model: Latitude E6430
Processor Name: Intel(R) Core(TM) i7-3540M CPU @ 3.00GHz
OS Version: Peppermint 7 xenial (4.13.0-18-generic)

*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 8.1.71.3608
SVN: 0

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is not vulnerable.

For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

╭─vindsl@Chi-You ~/Downloads/Intel Detection Tool 
╰─$
« Last Edit: November 26, 2017, 02:47:58 pm by VinDSL, Reason: Addendum »

scifidude79
Wow, that's not good.  Thankfully, the newest Intel processor is a 4th gen i7 in my Steam Machine.  I also use WIFI on that, not a wired connection.

spence
great, so my Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz is Vulnerable... let's see what https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr has to say  :-\

at least it only operates over wifi
spence
PeppermintOS 10 installed on:
'16 Antec Aria rebuild
 '18 Asus VivoBook


Do not despair, grasshopper...
    with patience all will be revealed...
       Through pain, enlightenment will come.

PCNetSpec
Code:
mark@Dell-E6530 ~/Desktop/SA00086_Linux $ sudo ./intel_sa00086.py
[sudo] password for mark:
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved

Application Version: 1.0.0.128
Scan date: 2017-11-26 21:17:50 GMT

*** Host Computer Information ***
Name: Dell-E6530
Manufacturer: Dell Inc.
Model: Latitude E6530
Processor Name: Intel(R) Core(TM) i7-3740QM CPU @ 2.70GHz
OS Version: Peppermint 8 xenial (4.10.0-40-generic)

*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 8.1.71.3608
SVN: 0

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is not vulnerable.

For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

All good here :)

Isn't this the vulnerability Dell fixed with the recent BIOS updates ?
« Last Edit: November 26, 2017, 04:20:34 pm by PCNetSpec »
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec
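
An added example, not part of the thread and not Intel's tool: when several machines are checked the way the posts above do, the text reports can be collected and triaged with a small parser. The function names `parse_reports` and `needs_followup` are hypothetical, and the second report in the sample (example-host) is made up and deliberately cut off before its verdict line.

```python
import re

# Constructed input: the first report is trimmed from output posted above; the
# second (example-host) is made up and ends before its verdict line.
SAMPLE = """\
[sudo] password for vindsl:
INTEL-SA-00086 Detection Tool
Application Version: 1.0.0.128
Name: Boogaloo-5
Model: OptiPlex 7010
OS Version: Peppermint 7 xenial (4.13.0-18-generic)
Version: 8.1.65.1586
SVN: 0
Based on the analysis performed by this tool: This system is not vulnerable.
INTEL-SA-00086 Detection Tool
Name: example-host
Version: 0.0.0.0
"""

BANNER = "INTEL-SA-00086 Detection Tool"
# Anchored at line start so "Application Version:", "OS Version:" and
# "Processor Name:" are not mistaken for the ME version or the host name.
FIELD = re.compile(r"^(Name|Model|Version|SVN):\s*(.+)$")
VERDICT = re.compile(r"^Based on the analysis performed by this tool:\s*(.+)$")
SAFE = "This system is not vulnerable."

def parse_reports(text):
    """Split concatenated tool output into one dict per scanned host."""
    reports, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == BANNER:            # each run starts with the banner
            current = {}
            reports.append(current)
        elif current is not None:     # ignore shell noise before the first banner
            field, verdict = FIELD.match(line), VERDICT.match(line)
            if field:
                current.setdefault(field.group(1), field.group(2))
            elif verdict:
                current["Verdict"] = verdict.group(1)
    return reports

def needs_followup(report):
    # Fail closed: only the exact safe sentence clears a host. A substring test
    # for "vulnerable" also matches "not vulnerable"; no verdict is not clean.
    return report.get("Verdict") != SAFE

if __name__ == "__main__":
    for r in parse_reports(SAMPLE):
        print(r.get("Name"), r.get("Version"), "FOLLOW UP" if needs_followup(r) else "ok")
```
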

VinDSL
Quote
Isn't this the vulnerability Dell fixed with the recent BIOS updates ?

I haven't run across any Dell BIOS updates recently, for my machines. Maybe they're platform specific, i.e. I can't install the affected processors on my mobo(s), so no update(s) necessary.

I'll look around...  ;)

PCNetSpec
I thought you'd already applied the Dell BIOS update when we talked about the Intel AMT/ISM/SBT management engine vulnerability a few months ago
https://www.intel.com/content/www/us/en/architecture-and-technology/intel-amt-vulnerability-announcement.html

It was the Dell A21 BIOS (for your E6430) if I remember correctly.
http://www.dell.com/support/home/uk/en/ukbsdt1/product-support/product/latitude-e6430/drivers

Or is this a different vulnerability ?
« Last Edit: November 26, 2017, 05:31:14 pm by PCNetSpec »

VinDSL
Maybe...

I checked the BIOS in this desktop box, and it was sitting @ A21. I evidently missed the A25 BIOS update in May 2017, soooo...

I baked a Rufus USB stick and installed A25.

I'll check my lappy now, and see if I missed anything there.

I've started depending on Dell's automagic web update utility, but I'm starting to think it isn't up to snuff. I guess I'll go back to doing updates manually.  ::)

EDIT

Looks like the 'road warrior' is up to date:  https://goo.gl/jEp8We
« Last Edit: November 26, 2017, 06:18:22 pm by VinDSL, Reason: Addendum »

spence
The ASRock BIOS page lists nothing of need to my eyes... only something for Intel Optane... and a hyperthreading update... well... maybe that is worth a ponder  :-\

Bigoeuf
Ayup all  :)

Quote
Maybe...

I checked the BIOS in this desktop box, and it was sitting @ A21. I evidently missed the A25 BIOS update in May 2017, soooo...

I baked a Rufus USB stick and installed A25.

I'll check my lappy now, and see if I missed anything there.

I've started depending on Dell's automagic web update utility, but I'm starting to think it isn't up to snuff. I guess I'll go back to doing updates manually.  ::)

EDIT

Looks like the 'road warrior' is up to date:  https://goo.gl/jEp8We

Ehhhh???
My 6430's BIOS is on A21 & I've just checked the Dell website & it is still listed as the latest version?? Even in the link you posted mucker it shows your BIOS version as A21 (unless of course you updated to the elusive A25 afterwards)??  ???

Looks like my 3rd gen processor isn't affected - according to the linked article you give in your OP VinDSL:

https://thehackernews.com/2017/11/intel-chipset-flaws.html
 
Quote
Affected Intel Products

Below is the list of the processor chipsets which include the vulnerable firmware:

   
  • 6th, 7th and 8th Generation Intel Core processors
  • .................
« Last Edit: December 02, 2017, 07:27:23 am by Bigoeuf »

VinDSL
The most recent BIOS for my Dell E6430 Latitude Ivy Bridge i7 3540M (3.0 GHz) laptop is sitting at A21

The most recent BIOS for my Dell OptiPlex 7010 SFF Ivy Bridge i5-3470 (3.2 GHz) desktop box is at A25

Make more sense?   ;)
« Last Edit: December 02, 2017, 12:50:02 pm by VinDSL, Reason: Clarification »

Bigoeuf
Morning all

Quote
The most recent BIOS for my Dell E6430 Latitude Ivy Bridge i7 3540M (3.0 GHz) laptop is sitting at A21

The most recent BIOS for my Dell OptiPlex 7010 SFF Ivy Bridge i5-3470 (3.2 GHz) desktop box is at A25

Make more sense?   ;)

Indeed yes - my apologies I didn't read your post that I quoted properly - specifically:

Quote
........
I checked the BIOS in this desktop box, and it was sitting @ A21. ...........

(my colour highlight)

Note to Santa - New glasses for Xmas please  :D
« Last Edit: December 03, 2017, 05:05:26 am by Bigoeuf »

VinDSL
N/P Bigoeuf

I didn't want to see you wasting your time searching for a non-existent A25 BIOS for your lappy - that's all.   ;)

VinDSL
Dell, Other Vendors Start Shipping Laptops With Intel ME Firmware Disabled | BleepingComputer  (3-DEC-2017)

SOURCE: https://goo.gl/eJXuok

Quote
Some hardware vendors are reacting to the recent revelation that some of Intel's core CPU technology is riddled with security holes.

At the time of writing, three laptop and computer vendors have started offering a way to buy products without Intel ME (Management Engine), or have said they'll deliver firmware updates that disable the technology [....]


System76

The second company that took a similar step was System76, a seller of custom Linux PC rigs. In a blog post this week, the company explains its decision and puts forward the following rollout plan.
  • System76 will automatically deliver updated firmware with a disabled ME on Intel 6th, 7th, and 8th Gen laptops. The ME provides no functionality for System76 laptop customers and is safe to disable.

  • The roll out will occur over time and customers will be notified by email prior to delivery

  • You must run Ubuntu 16.04 LTS, Ubuntu 17.04, Ubuntu 17.10, Pop!_OS 17.10, or an Ubuntu derivative and have the System76 driver installed to receive the latest firmware and disabled ME on laptops*

  • System76 will investigate producing a distro-agnostic command line firmware install tool. Follow us on your preferred social network for updates.

  • System76 will not disable the ME on desktops but will provide updated ME firmware

  • Desktop customers will receive instructions for updating the ME via email as they are available
« Last Edit: December 05, 2017, 10:04:11 pm by VinDSL, Reason: Addendum »

PCNetSpec
Good .. would be nice if they release a BIOS update that kills it for older business class machines, but it shouldn't even be in consumer grade machines in the first place.

VinDSL
Quote
[...] it shouldn't even be in consumer grade machines in the first place.

Yup. I just inserted an addendum above. As System76 stated...

Quote
The ME provides no functionality for System76 laptop customers and is safe to disable.