ASRock Forum > Technical Support > Intel Motherboards

Intel Management Engine vulnerability SA-00086

Author
Message
rico (Newbie, joined 23 Nov 2017)
Posted: 26 Nov 2017 at 9:37pm
Originally posted by Montoya:

That was not my question. I was referring to the Intel Management Engine driver that is on the download page for your mainboard.



If only it were that simple. Those drivers won't install any more (they were installed before), and now running EITHER the Windows FW updater FWUpdLcl64.exe OR the DOS version FWUpdLcl.exe returns an error:

Error 8743: Unknown or Unsupported Platform
Cannot locate hardware platform identification
This program cannot be run on the current platform.

That error is from the same tool that updated the ME firmware in the first place! Intel Management Engine was greyed out in Device Manager after updating, so I removed it, but that didn't help either.

I think I might need a new BIOS release to match this ME update.


Edited by rico - 26 Nov 2017 at 10:25pm
rico (Newbie, joined 23 Nov 2017)
Posted: 26 Nov 2017 at 11:59pm
All back up and running again after re-flashing my BIOS (latest for my board, v7.20 over v7.20) from DOS. lex23, I suggest you do the same, as you and I had the same issue with the PC not powering off on shutdown after this ME patch.

One of the stages of flashing my BIOS was ME firmware installation so that put mine back to 11.6.0.1126 which is vulnerable ("This system is vulnerable" according to INTEL-SA-00086 Detection Tool) but is, more importantly, functional.

I'll wait for ASRock to post something official for my board, Fatal1ty Z170 Gaming K6+ w/i7-6700K.

daddyo (Newbie, joined 30 Oct 2017)
Posted: 28 Nov 2017 at 3:02am
Originally posted by Montoya:

Looks very unprofessional and suspicious, what Asrock has come up with for their customers with affected products: providing a link that is nowhere referenced on the main page, news page or support pages....

Looks like Asus is the only one on my shopping list for replacing my old Z170 mainboard, because they are proving right now that they handle security issues professionally, like it always should be!!!

I'm waiting a bit longer to cast my vote on this as well. Security is not to be taken lightly. The use of official servers for patches and communication is a cornerstone principle. 

And by the way, I don't see anyone getting "angry" at Asrock on this thread. My posts are out of concern with this issue and with constructive intent.  People chiming in in their own way are justified to do so when Asrock hasn't issued a clear response yet. 

Most people are ok with waiting for a patch as long as they know it's coming. It is easy to interpret Asrock's silence plus published patches for 300 series motherboards as ignoring the older models that are affected. Hence the concern. A simple notice on the website saying that further fixes are underway would suffice. While it appears there is a microsite addressing the issue, I only found it by following this forum thread, and not on Asrock's main support page. Perhaps the communications should be a bit more streamlined? Again, this raises the valid concern that someone out there could create a fake patching site to further exploit the situation. I'm only trying to provide constructive criticism here.


Edited by daddyo - 28 Nov 2017 at 4:01am
daddyo (Newbie, joined 30 Oct 2017)
Posted: 28 Nov 2017 at 3:54am
Originally posted by partofthething:

I'm happy ASRock posted the links to the fixes on their page. However, I'm a bit distraught that the files are hosted over HTTP instead of HTTPS. Downloads like this really should use TLS to prevent people between the server and the customers from injecting malicious firmware into people's machines.

Meanwhile, those of you who downloaded the files, what SHA1/SHA256 hash did they have? With sha1sum and sha256sum commands, I get:

c5cd9811598492541ff5da850027e698f01afa67  ME-consumer_11.8.50.3425.zip
366ddc9ee99e1641bee6a19554cac3c5ad4f15df8c7bdee63558f22aebe0e19c  ME-consumer_11.8.50.3425.zip


Can anyone confirm? Thanks.

This link is dead. Can't reach it?
https://www.asrock.com/microsite/2017IntelFirmware/


Edited by daddyo - 28 Nov 2017 at 3:56am
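The hash check partofthething asks for above, written out as an added example (this is not a tool from ASRock, Intel or anyone in the thread). It reads digest lines in the "<hexdigest>  <filename>" form that sha1sum/sha256sum print, tells SHA-1 from SHA-256 lines by digest length, streams the archive through hashlib so a large firmware package need not fit in memory, and refuses to report success when no posted line names the file at all. The sample archive, the "published" digests and the tampered copy in demo() are constructed for the example; the only real digests it touches are in the test strings, which are the two values posted above.

```python
"""Verify a downloaded firmware archive against digests posted as sha*sum output."""
import hashlib
import hmac
import os
import tempfile

# Digest length in hex characters -> algorithm. This is the only way to tell a
# sha1sum line from a sha256sum line when both are pasted into one list.
_ALGO_BY_LENGTH = {40: "sha1", 64: "sha256"}


def parse_digest_line(line):
    """Return (algorithm, hexdigest, filename) for one sha1sum/sha256sum output line."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("expected '<hexdigest>  <filename>': %r" % line)
    digest, filename = parts
    digest = digest.lower()
    algo = _ALGO_BY_LENGTH.get(len(digest))
    if algo is None or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a SHA-1/SHA-256 hex digest: %r" % parts[0])
    # sha*sum prefixes binary-mode filenames with '*'; it is not part of the name.
    return algo, digest, filename.lstrip("*")


def hash_file(path, algorithm, chunk_size=1 << 20):
    """Hash the file in 1 MiB chunks so a large archive is never read whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, digest_lines):
    """Check `path` against every posted digest whose filename matches it.

    Returns {algorithm: matched}. Raises if no posted line names this file, so a
    download can never pass simply because nothing was checked.
    """
    name = os.path.basename(path)
    results = {}
    for line in digest_lines:
        algo, expected, filename = parse_digest_line(line)
        if filename != name:
            continue
        actual = hash_file(path, algo)
        # compare_digest is constant-time; not essential for a local file, but a good habit.
        results[algo] = hmac.compare_digest(actual, expected)
    if not results:
        raise ValueError("no posted digest names %r" % name)
    return results


def all_match(results):
    """A download is good only if every applicable digest matched."""
    return bool(results) and all(results.values())


def demo():
    """Constructed scenario: a published digest list, an untouched copy and a tampered copy."""
    good = b"constructed sample firmware archive\n" * 2048  # not a real ME package
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ME-sample.zip")
        with open(path, "wb") as f:
            f.write(good)
        # What a trustworthy source would publish for this file.
        published = [
            hashlib.sha1(good).hexdigest() + "  ME-sample.zip",
            hashlib.sha256(good).hexdigest() + "  ME-sample.zip",
        ]
        good_result = verify_download(path, published)
        # Same length, one byte changed: a file altered between server and customer.
        with open(path, "wb") as f:
            f.write(good[:-1] + b"\x00")
        bad_result = verify_download(path, published)
    return all_match(good_result), all_match(bad_result)


if __name__ == "__main__":
    untouched_ok, tampered_ok = demo()
    print("untouched copy verifies:", untouched_ok)
    print("tampered copy verifies:", tampered_ok)
```

For a real download, paste the posted lines into a list and call verify_download on the saved archive; a mismatch on either algorithm means the file on disk is not the one the digests describe, whichever side is wrong.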
rico (Newbie, joined 23 Nov 2017)
Posted: 28 Nov 2017 at 4:42am
Originally posted by daddyo:

This link is dead. Can't reach it?
https://www.asrock.com/microsite/2017IntelFirmware/


Link is not dead - I can see it fine:

ctrl-c, ctrl-v

Advisory note: Intel Q3'17 ME 11.x, SPS 4.0, and TXE 3.0 Security Review Cumulative Update
Reference: Intel security vulnerabilities (INTEL-SA-00086)
In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of its Intel® Management Engine (ME), Intel® Trusted Execution Engine (TXE), and Intel® Server Platform Services (SPS) with the objective of enhancing firmware resilience.

As a result, Intel has identified several security vulnerabilities that could potentially place impacted platforms at risk. Systems using ME Firmware versions 11.0/11.5/11.6/11.7/11.10/11.20, SPS Firmware version 4.0, and TXE version 3.0 are impacted. ASRock and Intel highly recommend that all customers install updated firmware and Intel® Capability License Service on impacted platforms.

For more detailed information please refer to the Intel web site:
https://security-center.intel.com/
Affected ASRock Products:
Intel 100, 200, 300
ME1 ME2

If your model is an Intel 100/200/300 series board but is not in the following list, please download the ME1 package.
If your model is a Q170 series board or is in the following list, please download the ME2 package.


B150 Combo
B150 Gaming K4
B150 Gaming K4_D3
B150M Combo-G
B150M Pro4
B150M Pro4S
B150M Pro4V
B150M Pro4_D3
B150M Pro4_Hyper
B150M-HDV
B150M-HDV_D3
B150M-ITX
B150M-PIO
B150M-PIO2
H170 Combo
H170 Pro4_D3
H170 Pro4
H170 Pro4S
H170 Performance_D3
H170 Performance_ Hyper
H170 Pro4_Hyper
H170M Pro4
H170M-ITX_ac
H170M-ITX_DL
B150M Pro4S_D3
B150M-ITX_D3
H170 Performance
H170M Pro4S
rico (Newbie, joined 23 Nov 2017)
Posted: 29 Nov 2017 at 5:12am
After my earlier woes with this patch I raised the issue with ASRock Technical Support. They suggested clearing my CMOS as a remedy but seeing as I'd already sorted myself out by re-flashing my BIOS I decided to try again this evening. This time I used the DOS flasher on a bootable USB drive and all worked perfectly - no CMOS clearing required.

tldr: Windows flasher bad. DOS flasher good.
romf (Newbie, joined 23 Nov 2017)
Posted: 29 Nov 2017 at 10:04am
Bad luck for me; I just tried the USB bootable disk flashing method, but with no success.

I got this message (IME driver version 11.6.0.1026 already installed on my PC):

ERROR 8705 : Firmware update not initiated  due to version mismatch..


Oh well, I will try the Windows method another time maybe; I don't feel like flashing my BIOS or resetting the CMOS right now.. Ermm
flashback8 (Newbie, joined 24 Nov 2017)
Posted: 30 Nov 2017 at 5:22am
Hi everyone. I still haven't been able to resolve my HDCP 2.2 issue. As expected, nobody's really telling me anything useful. For now, if playback of Ultra HD discs is important, please don't apply ASRock's patch until this gets sorted out.

That said, would somebody with the Z370 Gaming-ITX/ac board be able to do me a big favor? If you haven't updated the ME firmware yet, could you download and run the MEInfo tool (https://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html) and post the results here? For an apples-to-apples comparison, you'll need to have the 11.7.4.3314 drivers installed from ASRock's support page for the board (https://www.asrock.com/MB/Intel/Fatal1ty%20Z370%20Gaming-ITXac/index.us.asp#Download); you'll also need to have SGX enabled ("Enabled," not "Software Controlled" or whatever) in the UEFI, and it'd help to have the 1.11 UEFI installed. For reference, I've pasted below my results after the patch has been applied.

Thanks.

------------

Intel(R) MEInfo Version: 11.6.25.1229
Copyright(C) 2005 - 2017, Intel Corporation. All rights reserved.

Intel(R) ME code versions:

BIOS Version                                 L1.11
MEBx Version                                 0.0.0.0000
GbE Version                                  0.2
Vendor ID                                    8086
PCH Version                                  0
FW Version                                   11.8.50.3425 H
LMS Version                                  11.7.0.1037
MEI Driver Version                           11.7.0.1032
Wireless Hardware Version                    2.1.77
Wireless Driver Version                      20.10.2.2

FW Capabilities                              0x31101140

    Intel(R) Capability Licensing Service - PRESENT/ENABLED
    Protect Audio Video Path - PRESENT/ENABLED
    Intel(R) Dynamic Application Loader - PRESENT/ENABLED
    Intel(R) Platform Trust Technology - PRESENT/DISABLED

TLS                                          Disabled
Last ME reset reason                         Firmware reset
Local FWUpdate                               Enabled
BIOS Config Lock                             Enabled
GbE Config Lock                              Enabled
Host Read Access to ME                       Enabled
Host Write Access to ME                      Disabled
Host Read Access to EC                       Disabled
Host Write Access to EC                      Disabled
SPI Flash ID 1                               C22018
SPI Flash ID 2                               Unknown
BIOS boot State                              Post Boot
OEM ID                                       00000000-0000-0000-0000-000000000000
Capability Licensing Service                 Enabled
OEM Tag                                      0x00000000
Slot 1 Board Manufacturer                    0x00000000
Slot 2 System Assembler                      0x00000000
Slot 3 Reserved                              0x00000000
M3 Autotest                                  Disabled
C-link Status                                Disabled
Independent Firmware Recovery                Disabled
EPID Group ID                                0xFFB
LSPCON Ports                                 None
5K Ports                                     None
OEM Public Key Hash FPF                      0000000000000000000000000000000000000000000000000000000000000000
OEM Public Key Hash ME                       0000000000000000000000000000000000000000000000000000000000000000
ACM SVN FPF                                  0x0
KM SVN FPF                                   0x0
BSMM SVN FPF

Edited by flashback8 - 30 Nov 2017 at 5:23am
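An added example (not an Intel or ASRock tool, and not flashback8's) that reads an MEInfo dump like the one above into a dictionary and compares the FW Version against the ME 11.x families the ASRock advisory text quoted earlier in this thread names as impacted (11.0/11.5/11.6/11.7/11.10/11.20). It assumes MEInfo's two-column "field, two or more spaces, value" layout; SAMPLE_MEINFO is a constructed excerpt shaped like that output, and the family check only reflects what the quoted advisory says, so Intel's SA-00086 Detection Tool stays the authoritative answer for any particular build.

```python
"""Parse Intel MEInfo output and flag ME firmware in an advisory-listed family."""
import re

# ME 11.x minor versions the quoted INTEL-SA-00086 advisory text names as impacted.
IMPACTED_ME11_MINORS = {0, 5, 6, 7, 10, 20}

# Constructed excerpt modelled on the MEInfo output posted in this thread.
SAMPLE_MEINFO = """\
Intel(R) MEInfo Version: 11.6.25.1229
Copyright(C) 2005 - 2017, Intel Corporation. All rights reserved.

Intel(R) ME code versions:

BIOS Version                                 L1.11
FW Version                                   11.8.50.3425 H
MEI Driver Version                           11.7.0.1032

FW Capabilities                              0x31101140

    Intel(R) Platform Trust Technology - PRESENT/DISABLED

Local FWUpdate                               Enabled
Host Write Access to ME                      Disabled
"""

# A field name, at least two spaces, then a value. The banner lines only have
# single spaces and the capability lines are indented, so neither matches.
_FIELD_RE = re.compile(r"^(\S.*?\S)\s{2,}(\S.*)$")


def parse_meinfo(text):
    """Return {field: value} for every two-column line of MEInfo output."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def parse_fw_version(value):
    """'11.8.50.3425 H' -> (11, 8, 50, 3425); the trailing SKU letter is dropped."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", value)
    if not m:
        raise ValueError("unrecognised FW Version: %r" % value)
    return tuple(int(x) for x in m.groups())


def in_impacted_family(version):
    """True when the version is in an ME 11.x family the quoted advisory lists."""
    return version[0] == 11 and version[1] in IMPACTED_ME11_MINORS


def assess(text):
    """Summarise the fields a defender wants from one MEInfo dump."""
    fields = parse_meinfo(text)
    version = parse_fw_version(fields["FW Version"])
    return {
        "fw_version": version,
        "impacted_family": in_impacted_family(version),
        # Whether the firmware accepts a local update at all; the FWUpdLcl runs
        # discussed in this thread depend on this being Enabled.
        "local_fwupdate": fields.get("Local FWUpdate"),
        "host_write_access_to_me": fields.get("Host Write Access to ME"),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_MEINFO).items():
        print("%-24s %s" % (key, value))
```

Run it against a saved MEInfo dump by reading the file into a string and passing it to assess; rico's pre-patch 11.6.0.1126 lands in the 11.6 family and is flagged, while the 11.8.50.3425 package is not in any listed family.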

rico (Newbie, joined 23 Nov 2017)
Posted: 30 Nov 2017 at 6:45am
Can't help you there as I've a Z170 board but if you're up for a minor adventure I'd suggest you try the latest ME drivers from here: https://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html

The so-called "11.7.4.3314 drivers" you mention are actually v11.7.0.1032. You can see it yourself in mup.xml in the ME(v11.7.4.3314_SW).zip archive:

<driverversion>11.7.0.1032</driverversion>

I have a Z170 board and successfully installed v11.7.0.1045 which is actually called "Intel MEI Driver v11.7.0.1050 MEI-Only Installer" in the link above.

Maybe a driver update will sort you out?

flashback8 (Newbie, joined 24 Nov 2017)
Posted: 30 Nov 2017 at 2:21pm
Originally posted by rico:

Can't help you there as I've a Z170 board but if you're up for a minor adventure I'd suggest you try the latest ME drivers from here: https://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html


Can't do it. Intel won't let you downgrade ME firmware. ("Error 8805" and then something about the SVN (Security Version Number) preventing it.)