Many Intel CPUs contain Management Engine vulnerability to remote execution, here's sample outputs of the new INTEL-SA-00086 Detection Tool

Posted by Paul Braren on Nov 22 2017 (updated on Dec 8 2017) in
  • CPU
  • Security
  • You may have read about the Intel Management Engine Flaw, earlier this year, along with yesterday and today's wave of new articles about an Intel portable tool to check if your Windows or Linux system is vulnerable, with a step-by-step look below.

    You can read up on the Intel Management Engine in the See also section below. Worth noting that Intel doesn't claim upcoming BIOS fixes will disable ME (aka IME), just that the potential for remote execution will be removed. The test of time will ultimately determine how good such BIOS fixes wind up being. Note that even the Intel® Xeon® Processor Scalable Family (Purley) CPUs are possibly affected here, so this has potentially pretty serious consequences, see what Google plans to do to remove ME functionality entirely, without having to rely on Intel.

    Also keep in mind that until Intel released the detection tool recently:

    Download

    we had no easy way to check for ourselves whether we are vulnerable. At least now we do, Windows direct-download link.

    You'll note that portable Intel tool requires no installation, and for Windows, the file you download is currently called SA00086_Windows.zip

    SA00086-step1--TinkerTry

    Once extracted, you simply run:
    SA00086_Windows.zip/DiscoveryTool.GUI/Intel-SA-00086-GUI.exe
    and in just a few seconds, you'll likely get something much like one of these 4 possible results:

    1) Yes

    This-system-is-vulnerable-Intel-Core-i7-7820HQ-Dell-Precision-5520--TinkerTry
    Model Precision 5520, Processor Name Intel Core i7-7820HQ

    Risk Assessment
    Based on the analysis performed by this tool: This system is vulnerable.

    2) Maybe

    This-system-may-be-vulnerable-Intel-Xeon-D-1541--TinkerTry
    Model Super Server, Processor Name Intel Xeon CPU D-1541

    Risk Assessment
    Based on the analysis performed by this tool: Detection Error: This system may be vulnerable.

    3) No

    This-system-is-not-vulnerable-Lenovo-Yoga-13--TinkerTry
    Model 20175, Processor Name Intel Core i7-3537U

    Based on the analysis performed by this tool: This system is not vulnerable.

    4) ?

    Progress bar makes it to 100%, but no results are displayed.

    This-system-hangs-Detection-Tool-on-Intel-Xeon-D-1541-VM--TinkerTry
    The INTEL-SA-00086 Detection Tool doesn't seem to know how to run in a VM at all, simply hanging.

    This is what happens when I run it in a VMware ESXi 6.5U1 server, no results at all. Not completely a surprise, since it apparently requires low-level access to the underlying hardware and CPU to execute properly. But one would hope that it would error-out, or echo some kind of warning or suggestion.

    The first 3 results include this block of text:

    For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr
    INTEL-SA-00086 Detection Tool
    Application Version: 1.0.0.128

    followed by the particulars of your system.

    What about the Dell Precision 5520?

    930076077732564992

    I will be using visualping.io (formerly changedetection.com) to keep a close eye on Dell's no-RSS-feed-available article here:

    • Dell Client Statement on Intel ME/TXE Advisory (INTEL-SA-00086)

      Dell is aware of the Intel® ME/TXE Elevation of Privileges vulnerabilities. Dell is diligently working to update the affected platforms. Firmware update details for these platforms will be added to this document as they become available and we recommend customers update their systems to the latest Intel Management Engine Firmware and iCLS Software by downloading the patched releases as they become available.

    which includes this line about the Precision 5520:
    Precision 5520 / 12/10/2017 / 1.6.0 / 11.7.0.1054
    That's less than 3 weeks away. Seems Dell is taking this pretty seriously too.

    Intel-NUC-Expected-availability--TinkerTry

    It seems Intel plans a BIOS release sometime in December 2017, according to the link found in this article:

    When will we see a fix for Supermicro Xeon D?

    Do we need a BIOS fix for Supermicro Xeon D? It seems unlikely, for these two reasons.

    The test above says "Detection Error", so it's not saying that it found anything, it seems to be just saying that it is unable to run the test, so it isn't sure. It appears that the current version of the INTEL-SA-00086 Detection Tool simply doesn't run properly on the Xeon D platform, so any pending fixes would instead be likely to come from Intel, in the form of a new version of the INTEL-SA-00086 Detection Tool. Let's hope, I've included @intel and [@IntelSecurity]() on my related tweet, but let's keep in mind that it is very nearly Thanksgiving holiday.

    Next, let's visit the link from the output of the INTEL-SA-00086 Detection Tool:

    • security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr
      INTEL-SA-00086

      Affected products:

      • 6th, 7th & 8th Generation Intel® Core™ Processor Family
      • Intel® Xeon® Processor E3-1200 v5 & v6 Product Family
      • Intel® Xeon® Processor Scalable Family
      • Intel® Xeon® Processor W Family
      • Intel® Atom® C3000 Processor Family
      • Apollo Lake Intel® Atom Processor E3900 series
      • Apollo Lake Intel® Pentium™
      • Celeron™ N and J series Processors

      Based on the items identified through the comprehensive security review, an attacker could gain unauthorized access to platform, Intel® ME feature, and 3rd party secrets protected by the Intel® Management Engine (ME), Intel® Server Platform Service (SPS), or Intel® Trusted Execution Engine (TXE).

      This includes scenarios where a successful attacker could:

      Impersonate the ME/SPS/TXE, thereby impacting local security feature attestation validity.
      Load and execute arbitrary code outside the visibility of the user and operating system.
      Cause a system crash or system instability.
      For more information, please see this Intel Support article

    Note that you don't see the Xeon D, aka Intel® Xeon® Processor D Family, among those listed as potentially vulnerable.

    How to run the INTEL-SA-00086 Detection Tool

    Use Intel's direct-download link for the Windows version of this portable utility, no installation is required. Then follow the steps below.

    SA00086-step000--TinkerTry
    SA00086-step00--TinkerTry
    SA00086-step0--TinkerTry
    SA00086-step2--TinkerTry
    SA00086-step3--TinkerTry
    SA00086-step4--TinkerTry
    SA00086-step5--TinkerTry
    SA00086-step6--TinkerTry
    SA00086-step7--TinkerTry
    SA00086-step9--TinkerTry
    This-system-is-not-vulnerable-Lenovo-Yoga-13--TinkerTry
    Model 20175, Processor Name Intel Core i7-3537U

    Nov 22 2017 Update 2:50pm ET

    Given this issue could go back to nearly a decade of systems, and will likely require a BIOS update, the title has been adjusted, removing the word recent.


    Nov 22 2017 Update 3:29pm ET

    That was fast! Somebody @intel has already responded:

    933425334183227394

    Hi, according to our official information, the Intel Xeon D processors are not vulnerable to remote execution: intel.ly/2B439FY I want to thank you for taking the time to bring this feedback which will be escalated to a superior level for an improvement in the tool

    Detailed discussion about JTAG over USB in this new podcast episode:

    • SECURITY NOW 638: QUAD NINE
      Nov 21 2017 by Steve Gibson on Security Now 638:
      Security-Now-638
      Click the image to jump to the audio.

      Intel​ ​responds​ ​quickly​ ​to​ ​the​ ​horrific​ ​"JTAG​ ​over​ ​USB"​ ​research:
      Intel's disclosure reveals that 9 years of their chips are affected.
      Intel Management Engine Critical Firmware Update (Intel SA-00086)
      https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr
      Corporate Speak:
      Intel: "In response to issues identified by external researchers, Intel has performed an
      in-depth comprehensive security review of our Intel® Management Engine (ME), Intel®
      Server Platform Services (SPS), and Intel® Trusted Execution Engine (TXE) with the
      objective of enhancing firmware resilience. As a result, Intel has identified security
      vulnerabilities that could potentially place impacted platforms at risk."

    Here's the exact spot where Steve talks about the JTAG over USB discovery, and detailed shownotes.


    Dec 03 2017 Update

    It would seem that there have been many updates to Dell's page, with more details about ETAs on the fixes for both the Dell Precision 5510 and 5520 laptops:

    • Precision 5510 1/21/2018 (MEFW Update) 1/21/2018
    • Precision 5520 12/10/2017 (BIOS Update) 12/10/2017

    Dec 08 2017 Update

    Nice podcast coverage of this Intel Management Engine kerfuffle by PC Perspective's Allyn Malventano.

    Also, received reasuring word from Intel, regarding the Xeon D-1500 (Broadwell-DE) platform. It would seem that the INTEL-SA-00086 Detection Tool's failure to run properly on Xeon D isn't likely to be something worth fixing, since we've now confirmed that Xeon D isnt' affected anyway:

    INTEL-SA-00086 Detection Tool does not apply to Xeon-D processors and therefore the detection tool was probably not verified on Xeon-D systems. I was also told that running the INTEL-SA-00086 Detection Tool is not required on Xeon-D platforms.


    See also at TinkerTry

    quad9-may-be-a-google-public-dns-alternative-to-try-for-more-privacy

    See also

    Intel lists the CVEs in their articles, but they don't include links, so I've created these links to mitre.org for you:

    • CVE-2017-5705
    • CVE-2017-5708
    • CVE-2017-5711
    • CVE-2017-5712

    • Intel Admits Security Flaws Contained in Most PC Chips It Sold for Years
      Nov 21 2017 by Aaron Pressman at Fortune

      Some big tech companies that use Intel (INTC, -0.53%) chips, like Google (GOOGL, +0.07%), have talked about how they plan to disable the management engine as a way of eliminating its security vulnerabilities.

    • Disabling Intel ME 11 via undocumented mode
      disabling-intel-me

      Aug 28 2017 by Mark Ermolov and Maxim Goryachy at Positive Technolgies - learn and secure

      The disappointing fact is that on modern computers, it is impossible to completely disable ME. This is primarily due to the fact that this technology is responsible for initialization, power management, and launch of the main processor. Another complication lies in the fact that some data is hard-coded inside the PCH chip functioning as the southbridge on modern motherboards.