Intel Management Engine vulnerability SA-00086 |
partofthething
Newbie Joined: 25 Nov 2017 Status: Offline Points: 1 |
I'm happy ASRock posted the links to the fixes on their page. However, I'm a bit distraught that the files are hosted over HTTP instead of HTTPS. Downloads like this really should use TLS to prevent people between the server and the customers from injecting malicious firmware into people's machines.
Meanwhile, those of you who downloaded the files, what SHA1/SHA256 hash did they have? With sha1sum and sha256sum commands, I get:
c5cd9811598492541ff5da850027e698f01afa67 ME-consumer_11.8.50.3425.zip
366ddc9ee99e1641bee6a19554cac3c5ad4f15df8c7bdee63558f22aebe0e19c ME-consumer_11.8.50.3425.zip
Can anyone confirm? Thanks.
|
parsec
Moderator Group Joined: 04 May 2015 Location: USA Status: Offline Points: 4996 |
Thank you for mentioning the "Car" example, it is exactly the same situation as the Intel IME issue. Coincidentally, I just received a paper mail from TK Holdings, a company related to the Takata corporation. Takata is the manufacturer of the air bags/air bag inflators safety system in automobiles that have had problems for the past several years. The mail requested that I check if the cars I own are affected, and to schedule a replacement with the car dealership if necessary. Yes, they are still doing this years after the problem was first discovered, I was surprised.

Takata makes the air bags, the automobile manufacturers use them in their vehicles. The automobile manufacturers cannot legally fix the airbags themselves, even if they could. They can only use what is provided to them by Takata. Then they will provide the new airbags to their vehicle owners.

Intel makes the IME hardware, firmware, and software. Mother board manufacturers cannot fix any of those things themselves legally, even if they had access to the IME hardware designs, and the firmware and software programs, which they don't. They can only use what is provided to them by Intel. Then they will provide the new IME firmware, etc., to the mother board owners.

I never said a mother board manufacturer will not provide the IME firmware fix from Intel when it is available. I said the mother board manufacturers are not responsible for the IME problem itself. They also cannot fix the problem with the IME firmware. They can and will provide the fix for the IME problem when it is given to them by Intel. That is all they can do, and is exactly what they are doing.

We are confusing what the word "provide" means in this situation. Yes, the UEFI/BIOS updates with the IME firmware fix are being provided by mother board manufacturers. The IME firmware is one part of the UEFI/BIOS file, and is given to mother board manufacturers by Intel.

The IME firmware has been updated (for other reasons) several times in the past for many different models of Intel chipset mother boards. Hopefully this fix will be enough, if it isn't then Intel will need to provide another version to the mother board manufacturers. The one and only source of the IME firmware is Intel.

The one and only point of my first post about this, is I am frustrated that some mother board users seem to be angry with the mother board manufacturers, when they are not responsible for the design and creation of the IME hardware and software, and the problem found with it.

If someone is upset and worried about this problem, the best source of information about it is Intel. Mother board manufacturers cannot legally speak for Intel, and are bound by Non-Disclosure Agreements (NDAs). Only Intel can fix this issue. Mother board manufacturers can only pass on to us what they are given by Intel.

Mother board manufacturers are simply the "middle man" in this situation. Being upset with mother board manufacturers for causing this problem does not make sense, since they did not cause it. Yes we could be upset with mother board manufacturers if they did not pass on to us the fixed IME firmware, but that is NOT what is happening.

This is the official response page from Intel about this issue:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

Here is the official response from ASRock, and instructions and downloads for the fix:
https://www.asrock.com/microsite/2017IntelFirmware/

This update is NOT a UEFI/BIOS update, but updates the IME firmware ONLY. PLEASE read the instructions carefully. There are two methods, Windows and DOS bootable.

ONLY the boards in the list on the page MUST use the ME2 download version. All the 'Z' 100, 200, and 300 series chipset boards MUST use the ME1 download version.

Edited by parsec - 25 Nov 2017 at 12:53pm
|
Montoya
Newbie Joined: 01 Feb 2016 Status: Offline Points: 26 |
Thanks for the reply Parsec and don't get me wrong, because I completely understand that ASRock is not responsible for the security issue, but they are responsible for examining what they can do in COLLABORATION with Intel for the users of affected products and provide an easy to use guide. I criticize ASRock only with the fact that the guide they provide, that the pictures that are provided with it, are not readable and that no references are on the main/news/support website, informing users where to find this guide to check if they are affected and how to fix this Intel security issue. That's not professional and gives most users the impression that ASRock doesn't take all this seriously. Why don't they post a message on the download support web page of every affected mainboard, so that users are directed and informed about the Intel security issue, instead of a USER post on this forum where still no official response is to be found.... Because the mainboard support pages, that is where most affected users first look for information/fix, because for example, for my mainboard, ASRock has provided ME updates before in their BIOS update files.
|
|
Fatal1ty Z170 Gaming-ITX/ac, Intel i5-6500, Kingston HyperX Fury 16GB, Samsung 950 Pro 512GB, Fractal Design Core 500, Win10 Pro X64
|
|
rico
Newbie Joined: 23 Nov 2017 Status: Offline Points: 30 |
Crap, add me to this list but with Fatal1ty Z170 Gaming K6+ w/i7-6700K. I checked the BIOS and the new 11.8.50.3425 is listed under Advanced\Chipset Configuration page but under Win10 there doesn't appear to be any drivers for the ME hardware. Maybe that's what's causing the problem?

The Intel-SA-00086 Detection Tool now just reports
"Detection Error: This system may be vulnerable, please install the Intel(R) MEI/TXEI driver (available from your system manufacturer).
Intel(R) ME Information
Engine: Intel(R) Management Engine
Version: Unknown
SVN: 0"

Something is keeping my PC awake when shutting down and it started exactly after installing this new ME firmware.

Windows Event Viewer extract of Descriptions:
1. 11:40:02 The process C:\Windows\System32\RuntimeBroker.exe has initiated the power off of computer Reason Code: 0x0 Shut-down Type: power off
2. 11:40:06 The system is entering sleep.
3. 11:40:06 The browser has forced an election on network \Device\NetBT_Tcpip_{99779397-8814-49CE-952C-50ADDE3A2389} because a master browser was stopped.
4. 11:40:07 The system has resumed from sleep.

At this point the monitor goes off and the PC's fans remain powered up. Hitting keys does not wake the system up.

Upon manually pulling the power and booting back up again I see this in Event Viewer (System)
11:42:49 The firmware reported boot metrics.
11:42:49 There are 0x1 boot options on this system.
11:42:49 The bootmgr spent 0 ms waiting for user input.
11:42:49 The boot menu policy was 0x1.
11:42:49 The boot type was 0x1.
11:42:51 The system has returned from a low power state.
Sleep Time: ??017????1????5T11:40:06.071483900Z
Wake Time: ??017????1????5T11:42:49.209396700Z
Wake Source: Unknown
|
Montoya
Newbie Joined: 01 Feb 2016 Status: Offline Points: 26 |
Fatal1ty Z170 Gaming-ITX/ac, Intel i5-6500, Kingston HyperX Fury 16GB, Samsung 950 Pro 512GB, Fractal Design Core 500, Win10 Pro X64
|
|
Atma
Newbie Joined: 26 Nov 2017 Status: Offline Points: 5 |
I can't update the Intel ME. I have an ASRock X299 Taichi Motherboard and according to the special ME Update Page from ASRock I have to use the ME1 Package. But when I'm running the BAT File for Windows64 I get the following error:
Error 8704: Firmware update operation not initiated due to a SKU mismatch
Can anybody tell me what's the problem here?
|
|
rico
Newbie Joined: 23 Nov 2017 Status: Offline Points: 30 |
I DID successfully install the ME firmware patch - It's the rest of the system now is the problem because of [now] missing ME drivers. |
|
chilidog23
Newbie Joined: 26 Nov 2017 Status: Offline Points: 1 |
Can confirm my download has the same sha256 hash. But yeah asrock come on, https all the things and put some digital signatures on there, pgp is not that hard to use.
|
|
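An added example, not part of any post in this thread: a POSIX shell check that compares a downloaded archive's SHA-256 with an expected digest and fails closed on a mismatch, a malformed digest (such as a SHA-1 pasted by mistake) or an unreadable file. The function names are assumptions made for illustration; the default digest is the SHA-256 value reported in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check a downloaded firmware archive
# against a SHA-256 digest obtained from a separate, trusted channel.

# normalize_digest HEX -> lowercase hex without surrounding whitespace
normalize_digest() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f'
}

# is_sha256 HEX -> succeeds only for exactly 64 hex characters
is_sha256() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# file_sha256 FILE -> digest on stdout; fails if the file cannot be read
file_sha256() {
    [ -f "$1" ] && [ -r "$1" ] || return 2
    out=$(sha256sum < "$1") || return 2
    printf '%s' "${out%% *}"
}

# verify_download FILE EXPECTED
#   returns 0 = digest matches, 1 = mismatch (do not flash), 2 = bad input
verify_download() {
    expected=$(normalize_digest "$2")
    is_sha256 "$expected" || { echo "expected value is not a SHA-256 digest" >&2; return 2; }
    actual=$(file_sha256 "$1") || { echo "cannot read $1" >&2; return 2; }
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1"
        return 0
    fi
    echo "MISMATCH: $1" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# SHA-256 reported in the thread for this archive. A match only shows your
# copy is identical to the posters' copies; prefer a digest served over HTTPS.
THREAD_SHA256=366ddc9ee99e1641bee6a19554cac3c5ad4f15df8c7bdee63558f22aebe0e19c

# Usage: sh verify.sh ME-consumer_11.8.50.3425.zip [expected-sha256]
if [ "$#" -ge 1 ]; then
    verify_download "$1" "${2:-$THREAD_SHA256}"
fi
```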
OrpheusXx
Newbie Joined: 26 Nov 2017 Status: Offline Points: 2 |
I have
Edit: so no it did not install, but created an error.txt in the folder saying: " Error 8771: Invalid File. " Edited by OrpheusXx - 26 Nov 2017 at 5:35pm |
|
Montoya
Newbie Joined: 01 Feb 2016 Status: Offline Points: 26 |
That was not my question, I was referring to the Intel Management Engine driver, that is on your download page of your mainboard.
|
Fatal1ty Z170 Gaming-ITX/ac, Intel i5-6500, Kingston HyperX Fury 16GB, Samsung 950 Pro 512GB, Fractal Design Core 500, Win10 Pro X64
|
|