
Intel Management Engine vulnerability SA-00086

Posted by partofthething (Newbie) on 25 Nov 2017 at 8:35am
I'm happy ASRock posted the links to the fixes on their page. However, I'm a bit distraught that the files are hosted over HTTP instead of HTTPS. Downloads like this really should use TLS to prevent people between the server and the customers from injecting malicious firmware into people's machines.

Meanwhile, those of you who downloaded the files, what SHA1/SHA256 hash did they have? With sha1sum and sha256sum commands, I get:

c5cd9811598492541ff5da850027e698f01afa67  ME-consumer_11.8.50.3425.zip
366ddc9ee99e1641bee6a19554cac3c5ad4f15df8c7bdee63558f22aebe0e19c  ME-consumer_11.8.50.3425.zip


Can anyone confirm? Thanks.

Posted by parsec (Moderator Group) on 25 Nov 2017 at 12:38pm
Montoya wrote:

> parsec wrote:
>
>> Why are you asking a mother board manufacturer about a problem with a product they do not manufacture or sell?
>>
>> Why is a mother board manufacturer responsible for any potential or existing flaw in a product they have not designed, manufactured, or marketed?
>
> Replace the words "mother board" with "Car".....
>
> If there are security issues with a part from my car, that is manufactured by a parts supplier of my car manufacturer, then my car manufacturer is responsible for fixing this issue for the end consumer by doing a recall for all those cars affected.....
>
> So Asrock must take action in my opinion, providing a solution/guide eventually to their end consumers with affected products.


Thank you for mentioning the "Car" example, it is exactly the same situation as the Intel IME issue.

Coincidentally, I just received a paper mail from TK Holdings, a company related to the Takata corporation. Takata is the manufacturer of the air bags/air bag inflators safety system in automobiles that have had problems for the past several years. The mail requested that I check if the cars I own are affected, and to schedule a replacement with the car dealership if necessary. Yes, they are still doing this years after the problem was first discovered, I was surprised.

Takata makes the air bags, the automobile manufacturers use them in their vehicles. The automobile manufacturers cannot legally fix the airbags themselves, even if they could. They can only use what is provided to them by Takata. Then they will provide the new airbags to their vehicle owners.

Intel makes the IME hardware, firmware, and software. Mother board manufacturers cannot fix any of those things themselves legally, even if they had access to the IME hardware designs, and the firmware and software programs, which they don't. They can only use what is provided to them by Intel. Then they will provide the new IME firmware, etc, to the mother board owners.

I never said a mother board manufacturer will not provide the IME firmware fix from Intel when it is available.

I said the mother board manufacturers are not responsible for the IME problem itself. They also cannot fix the problem with the IME firmware.

They can and will provide the fix for the IME problem when it is given to them by Intel. That is all they can do, and is exactly what they are doing.

We are confusing what the word "provide" means in this situation. Yes, the UEFI/BIOS updates with the IME firmware fix are being provided by mother board manufacturers. The IME firmware is one part of the UEFI/BIOS file, and is given to mother board manufacturers by Intel. The IME firmware has been updated (for other reasons) several times in the past for many different models of Intel chipset mother boards. Hopefully this fix will be enough, if it isn't then Intel will need to provide another version to the mother board manufacturers. The one and only source of the IME firmware is Intel.

The one and only point of my first post about this, is I am frustrated that some mother board users seem to be angry with the mother board manufacturers, when they are not responsible for the design and creation of the IME hardware and software, and the problem found with it.

If someone is upset and worried about this problem, the best source of information about it is Intel. Mother board manufacturers cannot legally speak for Intel, and are bound by Non-Disclosure Agreements (NDAs). Only Intel can fix this issue. Mother board manufacturers can only pass on to us what they are given by Intel. Mother board manufacturers are simply the "middle man" in this situation. Being upset with mother board manufacturers for causing this problem does not make sense, since they did not cause it.

Yes we could be upset with mother board manufacturers if they did not pass on to us the fixed IME firmware, but that is NOT what is happening.

This is the official response page from Intel about this issue:

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

Here is the official response from ASRock, and instructions and downloads for the fix:

https://www.asrock.com/microsite/2017IntelFirmware/

This update is NOT a UEFI/BIOS update, but updates the IME firmware ONLY.

PLEASE read the instructions carefully. There are two methods, Windows and DOS bootable.

ONLY the boards in the list on the page MUST use the ME2 download version.

All the 'Z' 100, 200, and 300 series chipset boards MUST use the ME1 download version.



Edited by parsec - 25 Nov 2017 at 12:53pm

Posted by Montoya (Newbie) on 25 Nov 2017 at 5:15pm
Thanks for the reply Parsec and don't get me wrong, because I completely understand that Asrock is not responsible for the security issue, but they are responsible for examining what they can do in COLLABORATION with Intel for the users of affected products and provide an easy to use guide.

I criticize Asrock only with the fact that the guide they provide, that the pictures that are provided with it, are not readable and that no references are on the main/news/support website, informing users where to find this guide to check if they are affected and how to fix this Intel security issue.

That's not professional and gives most users the impression, that Asrock doesn't take all this seriously.

Why don't they post a message on the download support web page of every affected mainboard, so that users are directed and informed about the Intel security issue, instead of a USER post on this forum where still no official response is to be found....

Because the mainboard support pages, that is where most affected users first look for information/fix, because for example, for my mainboard, Asrock has provided ME updates before into their bios update files.
Fatal1ty Z170 Gaming-ITX/ac, Intel i5-6500, Kingston HyperX Fury 16GB, Samsung 950 Pro 512GB, Fractal Design Core 500, Win10 Pro X64

Posted by rico (Newbie) on 25 Nov 2017 at 8:18pm
lex23 wrote:

> Can someone help me please?
>
> I use an ASRock Z170 Extreme4 and installed the ME-consumer_11.8.50.3425 update.
>
> Now my PC doesn't completely shut down anymore. Monitor turns off, but the computer/fans keep going.


Crap, add me to this list but with Fatal1ty Z170 Gaming K6+ w/i7-6700K. I checked the BIOS and the new 11.8.50.3425 is listed under Advanced\Chipset Configuration page but under Win10 there doesn't appear to be any drivers for the ME hardware. Maybe that's what's causing the problem?

The Intel-SA-00086 Detection Tool now just reports "Detection Error: This system may be vulnerable, please install the Intel(R) MEI/TXEI driver (available from your system manufacturer).

Intel(R) ME Information

Engine: Intel(R) Management Engine
Version: Unknown
SVN: 0"

Something is keeping my PC awake when shutting down and it started exactly after installing this new ME firmware.

Windows Event Viewer extract of Descriptions:

1. 11:40:02 The process C:\Windows\System32\RuntimeBroker.exe has initiated the power off of computer
 Reason Code: 0x0
 Shut-down Type: power off

2. 11:40:06 The system is entering sleep.

3. 11:40:06 The browser has forced an election on network \Device\NetBT_Tcpip_{99779397-8814-49CE-952C-50ADDE3A2389} because a master browser was stopped.

4. 11:40:07 The system has resumed from sleep.

At this point the monitor goes off and the PC's fans remain powered up. Hitting keys does not wake the system up. Upon manually pulling the power and booting back up again I see this in Event Viewer (System)

11:42:49 The firmware reported boot metrics.

11:42:49 There are 0x1 boot options on this system.

11:42:49 The bootmgr spent 0 ms waiting for user input.

11:42:49 The boot menu policy was 0x1.

11:42:49 The boot type was 0x1.

11:42:51 The system has returned from a low power state.

Sleep Time: 2017-11-25T11:40:06.071483900Z
Wake Time: 2017-11-25T11:42:49.209396700Z

Wake Source: Unknown

Posted by Montoya (Newbie) on 26 Nov 2017 at 12:30am
Did you have the ME driver package from Asrock installed?

On my system it was installed and I could successfully install the security patched firmware ME1 as described by Parsec and on the Asrock info page https://www.asrock.com/microsite/2017IntelFirmware/

Posted by Atma (Newbie) on 26 Nov 2017 at 1:11am
I can't update the Intel ME. I have an ASRock X299 Taichi Motherboard and according to the special ME Update Page from ASRock I have to use the ME1 Package. But when I'm running the BAT File for Windows64 I get the following error:

Error 8704: Firmware update operation not initiated due to a SKU mismatch

Can anybody tell me what's the problem here?

Posted by rico (Newbie) on 26 Nov 2017 at 1:15am
Montoya wrote:

> Did you have the ME driver package from Asrock installed?
>
> On my system it was installed and I could successfully install the security patched firmware ME1 as described by Parsec and on the Asrock info page https://www.asrock.com/microsite/2017IntelFirmware/


I DID successfully install the ME firmware patch - It's the rest of the system now is the problem because of [now] missing ME drivers.

Posted by chilidog23 (Newbie) on 26 Nov 2017 at 9:44am
partofthething wrote:

> I'm happy ASRock posted the links to the fixes on their page. However, I'm a bit distraught that the files are hosted over HTTP instead of HTTPS. Downloads like this really should use TLS to prevent people between the server and the customers from injecting malicious firmware into people's machines.
>
> Meanwhile, those of you who downloaded the files, what SHA1/SHA256 hash did they have? With sha1sum and sha256sum commands, I get:
>
> c5cd9811598492541ff5da850027e698f01afa67  ME-consumer_11.8.50.3425.zip
> 366ddc9ee99e1641bee6a19554cac3c5ad4f15df8c7bdee63558f22aebe0e19c  ME-consumer_11.8.50.3425.zip
>
> Can anyone confirm? Thanks.

Can confirm my download has the same sha256 hash. But yeah asrock come on, https all the things and put some digital signatures on there, pgp is not that hard to use.
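
Added example, not part of any post in this thread: a Python check of a downloaded archive against the SHA-1 and SHA-256 lines posted above, hashing the file once and refusing to pass on SHA-1 alone. The function names are illustrative; a match only shows that the bytes equal what the posters downloaded over the same HTTP link, so a publisher signature is still what would establish origin.

```python
import hashlib
import hmac
import re
import sys
from pathlib import Path

# Digest lines exactly as posted in this thread (sha1sum / sha256sum output).
POSTED = """\
c5cd9811598492541ff5da850027e698f01afa67  ME-consumer_11.8.50.3425.zip
366ddc9ee99e1641bee6a19554cac3c5ad4f15df8c7bdee63558f22aebe0e19c  ME-consumer_11.8.50.3425.zip
"""
# "<hex digest><space><space or '*'><filename>"; digest length selects the algorithm.
LINE_RE = re.compile(r"^([0-9a-fA-F]{40}|[0-9a-fA-F]{64}) [ *](.+)$")
ALGO_BY_HEXLEN = {40: "sha1", 64: "sha256"}

def parse_manifest(text):
    """Return [(algo, digest, filename)]; lines that are not digest lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            digest = m.group(1).lower()
            entries.append((ALGO_BY_HEXLEN[len(digest)], digest, m.group(2)))
    return entries

def digest_file(path, algos):
    """Read the file once in 1 MiB chunks and feed every requested hash."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}

def verify(path, manifest_text=POSTED):
    """True only if a SHA-256 entry names this file and every entry for it matches."""
    name = Path(path).name
    wanted = [(a, d) for a, d, f in parse_manifest(manifest_text) if Path(f).name == name]
    if not any(a == "sha256" for a, _ in wanted):
        return False  # SHA-1 by itself is collision-prone, so it is not accepted alone
    actual = digest_file(path, {a for a, _ in wanted})
    return all(hmac.compare_digest(actual[a], d) for a, d in wanted)

if __name__ == "__main__":
    # usage: python verify_download.py ME-consumer_11.8.50.3425.zip
    sys.exit(0 if verify(sys.argv[1]) else "MISMATCH or no SHA-256 entry for this file")
```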

Posted by OrpheusXx (Newbie) on 26 Nov 2017 at 5:29pm
I have installed (I think..., cause it went so fast) the ME1 update from Asrock, followed the instructions, restarted the computer, but the Intel Detection tool still says my system is vulnerable.

Edit: so no it did not install, but created an error.txt in the folder saying: " Error 8771: Invalid File. "





Edited by OrpheusXx - 26 Nov 2017 at 5:35pm

Posted by Montoya (Newbie) on 26 Nov 2017 at 7:24pm
rico wrote:

> I DID successfully install the ME firmware patch - It's the rest of the system now is the problem because of [now] missing ME drivers.

That was not my question, I was referring to the Intel Management Engine driver, that is on your download page of your mainboard.

http://www.asrock.com/mb/Intel/Fatal1ty%20Z170%20Gaming%20K6+/index.us.asp#Download