Many Intel CPUs contain Management Engine vulnerability to remote execution, here's sample outputs of the new INTEL-SA-00086 Detection Tool
You may have read about the Intel Management Engine Flaw, earlier this year, along with yesterday and today's wave of new articles about an Intel portable tool to check if your Windows or Linux system is vulnerable, with a step-by-step look below.
You can read up on the Intel Management Engine in the See also section below. Worth noting that Intel doesn't claim upcoming BIOS fixes will disable ME (aka IME), just that the potential for remote execution will be removed. The test of time will ultimately determine how good such BIOS fixes wind up being. Note that even the Intel® Xeon® Processor Scalable Family (Purley) CPUs are possibly affected here, so this has potentially pretty serious consequences, see what Google plans to do to remove ME functionality entirely, without having to rely on Intel.
Also keep in mind that until Intel released the detection tool recently:
Download
- Intel-SA-00086 Detection Tool
https://downloadcenter.intel.com/download/27150
Version: 1.0.0.128 (Latest) Date: 11/16/2017
we had no easy way to check for ourselves whether we are vulnerable. At least now we do, Windows direct-download link.
You'll note that portable Intel tool requires no installation, and for Windows, the file you download is currently called SA00086_Windows.zip
Once extracted, you simply run:
SA00086_Windows.zip/DiscoveryTool.GUI/Intel-SA-00086-GUI.exe
and in just a few seconds, you'll likely get something much like one of these 4 possible results:
1) Yes
Risk Assessment
Based on the analysis performed by this tool: This system is vulnerable.
2) Maybe
Risk Assessment
Based on the analysis performed by this tool: Detection Error: This system may be vulnerable.
3) No
Based on the analysis performed by this tool: This system is not vulnerable.
4) ?
Progress bar makes it to 100%, but no results are displayed.
This is what happens when I run it in a VMware ESXi 6.5U1 server, no results at all. Not completely a surprise, since it apparently requires low-level access to the underlying hardware and CPU to execute properly. But one would hope that it would error-out, or echo some kind of warning or suggestion.
The first 3 results include this block of text:
For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr
INTEL-SA-00086 Detection Tool
Application Version: 1.0.0.128
followed by the particulars of your system.
What about the Dell Precision 5520?
I will be using visualping.io (formerly changedetection.com) to keep a close eye on Dell's no-RSS-feed-available article here:
- Dell Client Statement on Intel ME/TXE Advisory (INTEL-SA-00086)
Dell is aware of the Intel® ME/TXE Elevation of Privileges vulnerabilities. Dell is diligently working to update the affected platforms. Firmware update details for these platforms will be added to this document as they become available and we recommend customers update their systems to the latest Intel Management Engine Firmware and iCLS Software by downloading the patched releases as they become available.
which includes this line about the Precision 5520:
Precision 5520 / 12/10/2017 / 1.6.0 / 11.7.0.1054
That's less than 3 weeks away. Seems Dell is taking this pretty seriously too.
What about the popular Intel NUC?
It seems Intel plans a BIOS release sometime in December 2017, according to the link found in this article:
- Intel® Management Engine Critical Firmware Update (Intel SA-00086)
https://www.intel.com/content/www/us/en/support/articles/000025619/software.htmlDell Client: Support Information
Dell Server: Support Information
Intel® NUC, Intel® Compute Stick, and Intel® Compute Card: Support Information
Lenovo: Support Information
When will we see a fix for Supermicro Xeon D?
Do we need a BIOS fix for Supermicro Xeon D? It seems unlikely, for these two reasons.
The test above says "Detection Error", so it's not saying that it found anything, it seems to be just saying that it is unable to run the test, so it isn't sure. It appears that the current version of the INTEL-SA-00086 Detection Tool simply doesn't run properly on the Xeon D platform, so any pending fixes would instead be likely to come from Intel, in the form of a new version of the INTEL-SA-00086 Detection Tool. Let's hope, I've included @intel and [@IntelSecurity]() on my related tweet, but let's keep in mind that it is very nearly Thanksgiving holiday.
Next, let's visit the link from the output of the INTEL-SA-00086 Detection Tool:
- security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr
Affected products:
- 6th, 7th & 8th Generation Intel® Core™ Processor Family
- Intel® Xeon® Processor E3-1200 v5 & v6 Product Family
- Intel® Xeon® Processor Scalable Family
- Intel® Xeon® Processor W Family
- Intel® Atom® C3000 Processor Family
- Apollo Lake Intel® Atom Processor E3900 series
- Apollo Lake Intel® Pentium™
- Celeron™ N and J series Processors
Based on the items identified through the comprehensive security review, an attacker could gain unauthorized access to platform, Intel® ME feature, and 3rd party secrets protected by the Intel® Management Engine (ME), Intel® Server Platform Service (SPS), or Intel® Trusted Execution Engine (TXE).
This includes scenarios where a successful attacker could:
Impersonate the ME/SPS/TXE, thereby impacting local security feature attestation validity.
Load and execute arbitrary code outside the visibility of the user and operating system.
Cause a system crash or system instability.
For more information, please see this Intel Support article
Note that you don't see the Xeon D, aka Intel® Xeon® Processor D Family, among those listed as potentially vulnerable.
How to run the INTEL-SA-00086 Detection Tool
Use Intel's direct-download link for the Windows version of this portable utility, no installation is required. Then follow the steps below.
Nov 22 2017 Update 2:50pm ET
Given this issue could go back to nearly a decade of systems, and will likely require a BIOS update, the title has been adjusted, removing the word recent.
Nov 22 2017 Update 3:29pm ET
That was fast! Somebody @intel has already responded:
Hi, according to our official information, the Intel Xeon D processors are not vulnerable to remote execution: intel.ly/2B439FY I want to thank you for taking the time to bring this feedback which will be escalated to a superior level for an improvement in the tool
Detailed discussion about JTAG over USB in this new podcast episode:
- SECURITY NOW 638: QUAD NINE
Nov 21 2017 by Steve Gibson on Security Now 638:Intel responds quickly to the horrific "JTAG over USB" research:
Intel's disclosure reveals that 9 years of their chips are affected.
Intel Management Engine Critical Firmware Update (Intel SA-00086)
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr
Corporate Speak:
Intel: "In response to issues identified by external researchers, Intel has performed an
in-depth comprehensive security review of our Intel® Management Engine (ME), Intel®
Server Platform Services (SPS), and Intel® Trusted Execution Engine (TXE) with the
objective of enhancing firmware resilience. As a result, Intel has identified security
vulnerabilities that could potentially place impacted platforms at risk."
Here's the exact spot where Steve talks about the JTAG over USB discovery, and detailed shownotes.
Dec 03 2017 Update
It would seem that there have been many updates to Dell's page, with more details about ETAs on the fixes for both the Dell Precision 5510 and 5520 laptops:
- Precision 5510 1/21/2018 (MEFW Update) 1/21/2018
- Precision 5520 12/10/2017 (BIOS Update) 12/10/2017
Dec 08 2017 Update
Nice podcast coverage of this Intel Management Engine kerfuffle by PC Perspective's Allyn Malventano.
Also, received reasuring word from Intel, regarding the Xeon D-1500 (Broadwell-DE) platform. It would seem that the INTEL-SA-00086 Detection Tool's failure to run properly on Xeon D isn't likely to be something worth fixing, since we've now confirmed that Xeon D isn't affected anyway:
INTEL-SA-00086 Detection Tool does not apply to Xeon-D processors and therefore the detection tool was probably not verified on Xeon-D systems. I was also told that running the INTEL-SA-00086 Detection Tool is not required on Xeon-D platforms.
See also at TinkerTry
See also
Intel lists the CVEs in their articles, but they don't include links, so I've created these links to mitre.org for you:
- CVE-2017-5705
- CVE-2017-5708
- CVE-2017-5711
-
Intel Admits Security Flaws Contained in Most PC Chips It Sold for Years
Nov 21 2017 by Aaron Pressman at FortuneSome big tech companies that use Intel (INTC, -0.53%) chips, like Google (GOOGL, +0.07%), have talked about how they plan to disable the management engine as a way of eliminating its security vulnerabilities.
- Disabling Intel ME 11 via undocumented mode
Aug 28 2017 by Mark Ermolov and Maxim Goryachy at Positive Technolgies - learn and secure
The disappointing fact is that on modern computers, it is impossible to completely disable ME. This is primarily due to the fact that this technology is responsible for initialization, power management, and launch of the main processor. Another complication lies in the fact that some data is hard-coded inside the PCH chip functioning as the southbridge on modern motherboards.