INTEL announces vulnerabilities in Firmware
PC vendors scramble as Intel announces vulnerability in firmware [Updated]
Millions of computers could be remotely hijacked through bug in firmware code.
This is not good.
This article has a link to a vulnerability detection tool for Linux (and Windows).
Linux Download
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
“I think that this situation absolutely requires a really futile and stupid gesture be done on somebody's part"
"We're just the guys to do it”
Animal House
Re: INTEL announces vulnerabilities in Firmware
I downloaded the tool but don't know how to start it. Can anyone help? I read on Intel's site that it is "a command line executable," but it doesn't give any instructions.
Re: INTEL announces vulnerabilities in Firmware
Navigate to wherever you saved the file with your file manager. Right click on it, then click "Extract here." Open a terminal and use cd to navigate to the SA00086_Linux folder that you just unzipped. Type
./intel_sa00086.py
and press Enter. That should do it. I did not have to make any of those files executable, they already were when I unzipped them. If you have any problems, inside that SA00086_Linux is another folder called 'documents.' The .pdf file has instructions if you need them.
“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan
Re: INTEL announces vulnerabilities in Firmware
Thanks for the help jimallyn. My system is not vulnerable.
Re: INTEL announces vulnerabilities in Firmware
Schultz wrote: My system is not vulnerable.
Unfortunately, mine is. I unplugged the network cable when I left the house today.
Re: INTEL announces vulnerabilities in Firmware
jimallyn wrote: Unfortunately, mine is. I unplugged the network cable when I left the house today.
Yes, one of mine also, but while it is undoubtedly "a bad thing", it is not disastrous and I don't believe that drastic measures are needed.
Keep in mind that to exploit the vulnerability locally, physical access to the machine is needed.
Remote exploitation requires root privileges, and we are smart enough to NOT run as root (and Mint actively discourages us from doing this).
As I mentioned in another thread, reliable information on this is scarce and Intel seem to be rather coy about giving us the full picture.
For example, it would be very useful to know which ports are being used so that they could be blocked by a firewall.
In my notes I have these listed (but no link to the source .... doh!)
16992, 16993, 16994, 16995, 623, 664
I'd be interested to hear from other members who are looking into this.
Re: INTEL announces vulnerabilities in Firmware
Good points, Faust. I went back and read the article again, and I'm feeling a bit better now! I wish Intel would abandon the notion that putting malware in their CPUs is a good idea.
Re: INTEL announces vulnerabilities in Firmware
Update:
The Electronic Frontier Foundation has directly challenged Intel on this matter, and they replied, but only to nit-pick about details in the article
(which EFF promptly corrected) .... it changes nothing.
They have completely ignored the demands from EFF to "do the right thing"
" So we call upon Intel to:
Provide clear documentation for the software modules that are preinstalled on various Management Engines.
What HECI commands provide a full list of the installed modules/services? What are the interfaces to those services?
Provide a way for their customers to audit ME code for vulnerabilities. That is presently impossible because the code is kept secret.
Offer a supported way to disable the ME.
If that’s literally impossible, users should be able to flash an absolutely minimal, community-auditable ME firmware image.
On systems where the ME is an essential requirement for other security features that are important to some users (like Boot Guard),
offer an additional option of a near-minimal, community-auditable ME firmware image that performs these security functions, and nothing else.
Or alternatively, a supported way to build and flash firmware images where the user can inspect and control which services/modules are present,
in order to manage security risks from those modules. "
https://www.eff.org/deeplinks/2017/05/i ... disable-it
There is certainly no help available on Intel's own site:
https://software.intel.com/en-us/articl ... -intel-amt
- Pjotr
Re: INTEL announces vulnerabilities in Firmware
jimallyn wrote: Navigate to wherever you saved the file with your file manager. Right click on it, then click "Extract here." Open a terminal and use cd to navigate to the SA00086_Linux folder that you just unzipped. Type
./intel_sa00086.py
and press Enter. That should do it. I did not have to make any of those files executable, they already were when I unzipped them. If you have any problems, inside that SA00086_Linux is another folder called 'documents.' The .pdf file has instructions if you need them.
Note that you have to run the command with sudo:
sudo ./intel_sa00086.py
1. Without sudo:
pjotr@MD99587 ~/Downloads/intel $ ./intel_sa00086.py
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved
Application Version: 1.0.0.128
Scan date: 2017-11-23 10:05:03 GMT
*** Host Computer Information ***
Name: MD99587
Manufacturer: MEDION
Model: E4213 MD99587
Processor Name: Intel(R) Celeron(R) CPU N2840 @ 2.16GHz
OS Version: LinuxMint 18.3 sylvia (4.11.0-14-generic)
This tool needs elevated privileges to run.
*** Risk Assessment ***
Detection Error: This system may be vulnerable.
For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link:
https://security-center.intel.com/advis ... geid=en-fr
2. With sudo:
pjotr@MD99587 ~/Downloads/intel $ sudo ./intel_sa00086.py
[sudo] wachtwoord voor pjotr:
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved
Application Version: 1.0.0.128
Scan date: 2017-11-23 10:05:37 GMT
*** Host Computer Information ***
Name: MD99587
Manufacturer: MEDION
Model: E4213 MD99587
Processor Name: Intel(R) Celeron(R) CPU N2840 @ 2.16GHz
OS Version: LinuxMint 18.3 sylvia (4.11.0-14-generic)
*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 1.1.2.1120
SVN: 0
*** Risk Assessment ***
Based on the analysis performed by this tool: This system is not vulnerable.
For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link:
https://security-center.intel.com/advis ... geid=en-fr
Last edited by Pjotr on Thu Nov 23, 2017 6:22 am, edited 3 times in total.
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
Re: INTEL announces vulnerabilities in Firmware
@ jimallyn, .......
Schultz wrote: My system is not vulnerable.
jimallyn wrote: Unfortunately, mine is. I unplugged the network cable when I left the house today.
According to this link https://www.howtogeek.com/56538/how-to- ... t-crashes/ on how to configure computers for Remote Management with the Intel MEBx/AMT/vPro feature, I do not think you need to take such preventive measures against the Intel ME vulnerability except to make sure that the feature is disabled in BIOS-1 level. Many steps are required before this deep remote access feature can be used. So, even unpatched Intel computers may not be vulnerable.
... Likely, it is mostly only computers which have already been such configured by businesses' System Admins for Remote Management, that are vulnerable and need to be patched.
Re: INTEL announces vulnerabilities in Firmware
Pjotr wrote: *** Risk Assessment ***
Detection Error: This system may be vulnerable.
I get that with or without "sudo" - they're exactly the same.
But great web page (download) they have there! Thousands of lawyer words, but not one word of instructions on how to run the thing.
"please install the Intel(R) MEI/TXEI driver (available from your system manufacturer).
For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link: https://security-center.intel.com/advisory.aspx?inte ..."
That link has no information on how to "install the Intel(R) MEI/TXEI driver" - it doesn't even mention MEI.
Please edit your original post title to include [SOLVED] if/when it is solved!
Your data and OS are backed up....right?
Re: INTEL announces vulnerabilities in Firmware
Pjotr wrote: Note that you have to run the command with sudo
Here's how I did it: I opened the folder that contained "intel_sa00086.py" as administrator, and double-clicked it, and in the selection window that asked what to do, I selected run. I'm assuming that since I opened the containing folder as administrator, that the file was also run as administrator. Is that correct? Or did I need to also run the file itself as administrator?
Re: INTEL announces vulnerabilities in Firmware
Pjotr wrote: Note that you have to run the command with sudo: sudo ./intel_sa00086.py
I get precisely the same output whether I use sudo or not. I do not get any message that it needs elevated privileges. Interesting.
Re: INTEL announces vulnerabilities in Firmware
Asus doesn't have ME firmware update for this mobo, what next?
Code: Select all
sudo ./intel_sa00086.py
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved
Application Version: 1.0.0.128
Scan date: 2017-11-24 22:45:53 GMT
*** Host Computer Information ***
Name: Asus-h170
Manufacturer: System manufacturer
Model: System Product Name
Processor Name: Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz
OS Version: LinuxMint 17.3 rosa (4.11.12-041112-generic)
*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 11.0.10.1002
SVN: 1
*** Risk Assessment ***
Based on the analysis performed by this tool: This system is vulnerable.
Explanation:
The detected version of the Intel(R) Management Engine firmware is considered vulnerable for INTEL-SA-00086.
Contact your system manufacturer for support and remediation of this system.
For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr
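The three kinds of result posted in this thread (not vulnerable, vulnerable, and "Detection Error") can be told apart mechanically when the tool is run on several machines. The following is an added example, not part of any post here and not Intel's code: `parse_report` and `needs_follow_up` are hypothetical names, and the sample reports are abridged from the output quoted in this thread.

```python
import re

# Verdict phrases as they appear in the tool output quoted in this thread.
VERDICTS = (
    ("This system is not vulnerable", "not_vulnerable"),
    ("This system is vulnerable", "vulnerable"),
    ("This system may be vulnerable", "unknown"),  # the "Detection Error" case
)

def parse_report(text):
    """Parse one INTEL-SA-00086 Detection Tool report into a dict."""
    section, fields, risk = None, {}, []
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\*\*\* (.+?) \*\*\*", line)
        if header:
            section = header.group(1)
        elif section == "Risk Assessment":
            risk.append(line)
        elif section and ":" in line:
            key, _, value = line.partition(":")
            fields[section, key.strip()] = value.strip()
    risk_text = " ".join(risk)
    verdict = next((v for p, v in VERDICTS if p in risk_text), "unparsed")
    hints = []
    if "needs elevated privileges" in text:
        hints.append("rerun with sudo")
    if "MEI/TXEI driver" in risk_text:
        hints.append("MEI/TXEI driver not available")
    return {"host": fields.get(("Host Computer Information", "Name")),
            "me_version": fields.get(("Intel(R) ME Information", "Version")),
            "verdict": verdict, "hints": hints}

def needs_follow_up(report):
    """Only a definite 'not vulnerable' closes the case; errors stay open."""
    return report["verdict"] != "not_vulnerable"

# Sample reports, abridged from the output quoted in this thread.
NO_SUDO = """*** Host Computer Information ***
Name: MD99587
This tool needs elevated privileges to run.
*** Risk Assessment ***
Detection Error: This system may be vulnerable."""
WITH_SUDO = """*** Host Computer Information ***
Name: MD99587
*** Intel(R) ME Information ***
Version: 1.1.2.1120
*** Risk Assessment ***
Based on the analysis performed by this tool: This system is not vulnerable."""
VULNERABLE = """*** Host Computer Information ***
Name: Asus-h170
*** Intel(R) ME Information ***
Version: 11.0.10.1002
*** Risk Assessment ***
Based on the analysis performed by this tool: This system is vulnerable."""

if __name__ == "__main__":
    for r in map(parse_report, (NO_SUDO, WITH_SUDO, VULNERABLE)):
        print(r, needs_follow_up(r))
```

A "Detection Error" result carries no ME version at all, so it is reported as `unknown` and kept open rather than counted as a pass.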
Re: INTEL announces vulnerabilities in Firmware
Minterator wrote: Asus doesn't have ME firmware update for this mobo, what next? ....
First of all "Do Not Panic" (The Hitch-hikers Guide to the Galaxy is very specific on that point)
The manufacturer of one of my affected machines is not on that Intel list either, so it may be a long wait for some folks.
Even without the "band-aid" fix being offered, the potential attack-surface is still tiny for the vast majority of users,
who may have "compromised" hardware.
Keep in mind that ALL systems are vulnerable to attack via USB ports (STUXNET is all the proof that is needed)
A system that is booted and unattended can be compromised in seconds, even if the user is not logged in!
And a machine that is not powered-up is still vulnerable .... eg. attack by the aptly-named "Evil Maid",
.... most safes in hotel rooms are too small to hold a laptop.
I have seen machines with all of the USB ports sealed with hot glue, in fact some companies do this as a matter of policy.
[People who attend major hacker conventions such as DefCon have been known to take even more drastic measures!]
So that is one of the main attack vectors for any potential malicious exploitation of Intel ME.
The other being remote, which requires unauthorized elevation, and that should not bother us Mint users
In short, this latest security mess (of Intel's own making) is much less of a threat than it first appears.
Re: INTEL announces vulnerabilities in Firmware
jimallyn wrote: Good points, Faust. I went back and read the article again, and I'm feeling a bit better now! I wish Intel would abandon the notion that putting malware in their CPUs is a good idea.
It's in the chipset, not the CPU. It's a separate MINIX mini-OS that works independently of Windows/Linux regardless of root/administrator privilege. It's a Big Brother backdoor that could give the NSA complete access to the entire system's memory space. My H170 machines are vulnerable and there's no firmware update from Asus (yet?), my H270 has a patch from Asus but it's a Windows executable https://www.asus.com/us/Motherboards/RO ... Desk_BIOS/
https://www.techpowerup.com/238677/mini ... inix-drama
https://gadgets.ndtv.com/laptops/news/i ... ty-1773805
There are cleaners that overwrite parts of the firmware, thereby disabling it. But it may also brick the machine.
https://github.com/corna/me_cleaner/wik ... it-work%3F
https://github.com/bartblaze/Disable-Intel-AMT
Re: INTEL announces vulnerabilities in Firmware
Pjotr wrote: Note that you have to run the command with sudo: sudo ./intel_sa00086.py
jimallyn wrote: I get precisely the same output whether I use sudo or not. I do not get any message that it needs elevated privileges. Interesting.
Same here.
Code: Select all
*** Risk Assessment ***
Detection Error: This system may be vulnerable, please install the Intel(R) MEI/TXEI driver (available from your system manufacturer).
For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr
There is a box where you can tell them if you found the information useful or not, so I gave them this ...
"What information? All I see is banners, an EULA (why is this spaced out to cover an acre of screen real-estate and in a tiny font? Hard to read and a PITA to navigate), but no actual information on this issue when I finally got to the bottom of it ..."
Hope I wasn't too harsh but these people need to be told.
Dell Inspiron 1525 - LM17.3 CE 64-------------------Lenovo T440 - Manjaro KDE with Mint VMs
Toshiba NB250 - Manjaro KDE------------------------Acer Aspire One D255E - LM21.3 Xfce
Acer Aspire E11 ES1-111M - LM18.2 KDE 64 ----… Two ROMS don't make a WRITE …
- CaptainKirksChair
Re: INTEL announces vulnerabilities in Firmware
My system MAY be vulnerable, according to the tool from Intel. However, Dell says I am not vulnerable because the E6400s are not on their list.
Re: INTEL announces vulnerabilities in Firmware
BG405 wrote: Hope I wasn't too harsh but these people need to be told.
You weren't.
Re: INTEL announces vulnerabilities in Firmware
jimallyn wrote: You weren't.
Thanks for that, prior to submitting it did have several revisions though! The drafts weren't quite as subtle