Intel release ME flaw detection tool

[Rubin Chen]

hmm i thought all new stuff had the issue..? i never updated anything.

[porina]

20 minutes ago, Rubin Chen said:

hmm i thought all new stuff had the issue..? i never updated anything.

I'm not sure on exactly when the fix was first made available, but it is very possible that as a new Coffee Lake system, it already has the fix. From your mobo page:

 

Quote

Version

7B58v11

Release Date

2017-11-01

File Size

7.47 MB

Description

- Fix throttling issue when use 8700 cpu to run Prime95 burning test. 
- Improve memory compatibility.
- Enhance Game boost function.
- Fix monitor is not able to turn on after resume from S3 mode via lan wake up event.
- Update Intel ME for security vulnerabilities

Note the last line!

[Teddy07]

My sister has a z170 from MSI and these slackers seem to not provide a fix for it. Their z200 and z300 series already received the update quite a few days ago.

 

I was a happy customer but seeing that other manufacturers provide a fix for their z100 series and MSI doesn't makes me change my mind for future purchases.

[BagelMonster]

Apparently my 8700k is not vulnerable and was already patched, good to know

[Rubin Chen]

On 12/1/2017 at 4:49 AM, porina said:

I'm not sure on exactly when the fix was first made available, but it is very possible that as a new Coffee Lake system, it already has the fix. From your mobo page:

 

Note the last line!

Thanks, i think i have grown too accustom to "live update" software msi has that I no longer read the notes. my bad...

[Sfekke]

I'll have to check my Z97 systems, or are these not affected?

(Devils Canyon 4790K)

[Rubin Chen]

2 minutes ago, Sfekke said:

I'll have to check my Z97 systems, or are these not affected?

(Devils Canyon 4790K)

According to intel:

Affected products: 

• 6th, 7th & 8th Generation Intel® Core™ Processor Family
• Intel® Xeon® Processor E3-1200 v5 & v6 Product Family
• Intel® Xeon® Processor Scalable Family
• Intel® Xeon® Processor W Family
• Intel® Atom® C3000 Processor Family
• Apollo Lake Intel® Atom Processor E3900 series
• Apollo Lake Intel® Pentium™
• Celeron™ N and J series Processors

So i think you are fine. 

[Sfekke]

1 minute ago, Rubin Chen said:

According to intel:

Affected products: 

• 6th, 7th & 8th Generation Intel® Core™ Processor Family
• Intel® Xeon® Processor E3-1200 v5 & v6 Product Family
• Intel® Xeon® Processor Scalable Family
• Intel® Xeon® Processor W Family
• Intel® Atom® C3000 Processor Family
• Apollo Lake Intel® Atom Processor E3900 series
• Apollo Lake Intel® Pentium™
• Celeron™ N and J series Processors

So i think you are fine. 

I'd hope so, since ASUS hasn't provided an update yet.

I'll run the tool on both my systems once I get home, if it is found then I'd be in trouble since ASUS hasn't provided an update yet.

[NumLock21]

My Intel Core i5 8250U is vulnerable.  Went to check if there was any updates for my system and there was. The update says ME firmware update, not a ME driver update. Size of the file is 231MB after extraction and the update looked like this

 

 

After the update has completed and system restarted, it says "This system is not vulnerable. It has already been patched". To verify whether this patch, actually updates the Intel ME firmware (hardware) and not just the ME driver (software), I did a clean install of win10 onto the 2nd partition of my SSD. Then I install the Intel ME drivers, without this the detection tool won't work, and it still says the system is not vulnerable and it has been patched. This confirms the patch actually updates on the Intel ME firmware (hardware) not the ME driver (software). If it was just a Intel ME driver update, then I will have to patch it everything single time I reinstall the OS.

[NumLock21]

5 minutes ago, Name Taken said:

Computer vendors are disabling the Management Engine by exploiting a vulnerable and Intel's patch is to prevent it from being disabled.

[NumLock21]

Just now, Name Taken said:

They are doing this for themselves by sealing the black box back up so no one else can disable it.

Intel has no patch, it just tells you whether your vulnerable or not. The patch is provided by your motherboard manufacture.

[NumLock21]

Just now, Name Taken said:

Motherboard manufacture gets the patch from Intel.

[NumLock21]

1 minute ago, Name Taken said:

https://www.coreboot.org/Intel_Management_Engine

Man that link is so ancient it belongs in a museum. All of the cpus architectures on that list are not vulnerable.  The ME vulnerability allows hackers to access your system even through the network, where the unpatch ME firmware, is basically a backdoor that's wide open. After patching the ME firmware, it closes that backdoor preventing hacker from entering your system.

[NumLock21]

Just now, Name Taken said:

The relevant information I quoted is that the ME is proprietary and signed so motherboard manufacture get any patch from Intel. Their patch prevents people from disabling it.

There was never a option to disable Intel ME engine in the bios that I know of.

[Bit_Guardian]

25 minutes ago, NumLock21 said:

Intel has no patch, it just tells you whether your vulnerable or not. The patch is provided by your motherboard manufacture.

Yes it does. Intel released the patch quite a while ago. It's up to motherboard OEMs to provide it though. https://www.extremetech.com/computing/259426-intel-patches-major-flaws-intel-management-engine

[NumLock21]

1 minute ago, Name Taken said:

 

Y U link to the first page of this topic?

[porina]

1 hour ago, NumLock21 said:

This confirms the patch actually updates on the Intel ME firmware (hardware) not the ME driver (software). If it was just a Intel ME driver update, then I will have to patch it everything single time I reinstall the OS.

Yup, it's a bios (ME part) update, which seems like it could either be done as a complete bios package, or just an update to the ME component. My sole Asrock mobo seems to provide it as part of a general bios update. Two of my Asus Z170 boards have had an ME bios update. Still no news on my Asus X299 mobo though, you would have throught they might give that more attention than some ancient Z170 boards, unless they're doing it by sales numbers MSI haven't show any sign of activity whatsoever. I should also check if my HPE system still has updates behind a paywall or not (their policy suggests security updates are not, but it doesn't seem to be working here).

[NumLock21]

• Did a build, with Intel 7700 and a Asus B250 motherboard
• Intel ME status: vulnerable
• Ran Asus Me update tool
• 
• Intel ME status: not vulnerable, system has been patched
• Installed Win10 again on drive D, to see if ME is actually patched or not
• Intel ME status: not vulnerable, system has been patched

 

 

[Czeekaj]

On 12/5/2017 at 4:52 PM, NumLock21 said:

There was never a option to disable Intel ME engine in the bios that I know of.

I found a way to do it, It was not in my bios tho..
My bios kinda sucks on my dell laptop but When I go to boot from a USB or HardDrive.
The Minix was at the bottom of the options,
It had default password of admin.
Than I set a new password which requires
1)one punctuation mark
2) One uppercase
3)one Lowercase
4) one number.
"intel® ME password must be changed from the default password prior to gaining access to certain ME options. Intel® ME passwords must be between 8 and 32 characters long, haveat least one upper case character, one lower case character, one number, and a special character (for example: !, @, #, $, %, ^, &, *). "
Some one on intel forums mentioned this, and I figured ouwhy it wouldn't change at first.
Than I can tell it to disable all it's options, but dunno when I boot my OS it seems to be off but It's supposed to be booting before bios anyway. So I don't know man, it's still there.
I changed all settings but this seems to be the one that disables as much as possible,
Intel® ME
Configuration
This is straight from intel..
"The Intel Management Engine State Control (enable/disable) ooption provides a detach capability during field malfunction debug. You can use this option to disable the Intel Management Engine in order to isolate the Intel Management Engine subsystem from the main platform until the debugging process is complete. Intel Management Engine is not actually disabled via theDisable option. It is paused at a very early stage of the Intel Management Engine boot process so that the system has no traffic originating from the Intel Management Engine on any bus. This ensures that you can debug a system problemwithout interference from the Intel management Engine."
My Desktop on a Asus z77, has no way I can see to turn it off or access it. My laptop is a bit older. I can really only access the Uefi Bios and I see no mention of Minix in my legacy boot.

Turning it off in it's OS dunno if it's off but it won't update on Startup. My linux boot will give me hundreds of Error messages.
I think I should go through my Init Scripts and see if I can disable it there.. I new to this not sure,
It's telling me it's hung and keeps displaying the same message over and over now, kinda annoying as it's making boot longer than it should be :P

Apperently Ctrl + P at boot can help you get into the ME. I trying to figure out why it's hanging, but it's probably because I told it to disable. but it makes booting take a while :/ I see nothing in my startup scripts mentioning ME but I see my Light Dimmer Which I turned off in Bios. Which the Script is renamed with a prefix K01 which means it's disabled but nothing for ME. I new to linux but that at least makes sense to me. It's cool cuz it tells me which I turn my radio switch on and off at boot while I watching all those ME hang warnings I can have a few lines saying I turned off my Wifi switch lol

Source https://www.intel.com/content/dam/support/us/en/documents/motherboards/desktop/sb/intelmebxsettings_v02.pdf
Sorry I'm kinda an idiot at this point, I didn't do it right. I tried to disable but appears to be a soft disable.

[TopHatProductions115]

I got this result: