Intel Management Engine vulnerability SA-00086

All back up and running again after re-flashing my BIOS (latest for my board v7.20 over v7.20) from DOS. lex23, I suggest you do the same as you and I had the same issue with PC not powering off on shutdown after this ME patch.

One of the stages of flashing my BIOS was ME firmware installation so that put mine back to 11.6.0.1126 which is vulnerable ("This system is vulnerable" according to INTEL-SA-00086 Detection Tool) but is, more importantly, functional.

I'll wait for ASRock to post something official for my board, Fatal1ty Z170 Gaming K6+ w/i7-6700K.

partofthething wrote: I'm happy ASRock posted the links to the fixes on their page. However, I'm a bit distraught that the files are hosted over HTTP instead of HTTPS. Downloads like this really should use TLS to prevent people between the server and the customers from injecting malicious firmware into people's machines. Meanwhile, those of you who downloaded the files, what SHA1/SHA256 hash did they have? With sha1sum and sha256sum commands, I get: c5cd9811598492541ff5da850027e698f01afa67  ME-consumer_11.8.50.3425.zip 366ddc9ee99e1641bee6a19554cac3c5ad4f15df8c7bdee63558f22aebe0e19c  ME-consumer_11.8.50.3425.zip Can anyone confirm? Thanks.

Edited by daddyo - 28 Nov 2017 at 3:56am

After my earlier woes with this patch I raised the issue with ASRock Technical Support. They suggested clearing my CMOS as a remedy but seeing as I'd already sorted myself out by re-flashing my BIOS I decided to try again this evening. This time I used the DOS flasher on a bootable USB drive and all worked perfectly - no CMOS clearing required.

tldr: Windows flasher bad. DOS flasher good.

Hi everyone. I still haven't been able to resolve my HDCP 2.2 issue. As expected, nobody's really telling me anything useful. For now, if playback of Ultra HD discs is important, please don't apply ASRock's patch until this gets sorted out.

That said, would somebody with the Z370 Gaming-ITX/ac board be able to do me a big favor? If you haven't updated the ME firmware yet, could you download and run the MEInfo tool (https://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html) and post the results here? For an apples-to-apples comparison, you'll need to have the 11.7.4.3314 drivers installed from ASRock's support page for the board (https://www.asrock.com/MB/Intel/Fatal1ty%20Z370%20Gaming-ITXac/index.us.asp#Download), you'll also need to have SGX enabled ("Enabled," not "Software Controlled" or whatever) in the UEFI, and it'd help to have the 1.11 UEFI installed. For reference, I've pasted below my results after the patch has been applied.

Thanks.

------------

Intel(R) MEInfo Version: 11.6.25.1229

Copyright(C) 2005 - 2017, Intel Corporation. All rights reserved.

 

 

 

Intel(R) ME code versions:

 

BIOS Version                                 L1.11

MEBx Version                                 0.0.0.0000

GbE Version                                  0.2

Vendor ID                                    8086

PCH Version                                  0

FW Version                                   11.8.50.3425 H

LMS Version                                  11.7.0.1037

MEI Driver Version                           11.7.0.1032

Wireless Hardware Version                    2.1.77

Wireless Driver Version                      20.10.2.2

 

FW Capabilities                              0x31101140

 

    Intel(R) Capability Licensing Service - PRESENT/ENABLED

    Protect Audio Video Path - PRESENT/ENABLED

    Intel(R) Dynamic Application Loader - PRESENT/ENABLED

    Intel(R) Platform Trust Technology - PRESENT/DISABLED

 

TLS                                          Disabled

Last ME reset reason                         Firmware reset

Local FWUpdate                               Enabled

BIOS Config Lock                             Enabled

GbE Config Lock                              Enabled

Host Read Access to ME                       Enabled

Host Write Access to ME                      Disabled

Host Read Access to EC                       Disabled

Host Write Access to EC                      Disabled

SPI Flash ID 1                               C22018

SPI Flash ID 2                               Unknown

BIOS boot State                              Post Boot

OEM ID                                       00000000-0000-0000-0000-000000000000

Capability Licensing Service                 Enabled

OEM Tag                                      0x00000000

Slot 1 Board Manufacturer                    0x00000000

Slot 2 System Assembler                      0x00000000

Slot 3 Reserved                              0x00000000

M3 Autotest                                  Disabled

C-link Status                                Disabled

Independent Firmware Recovery                Disabled

EPID Group ID                                0xFFB

LSPCON Ports                                 None

5K Ports                                     None

OEM Public Key Hash FPF                      0000000000000000000000000000000000000000000000000000000000000000

OEM Public Key Hash ME                       0000000000000000000000000000000000000000000000000000000000000000

ACM SVN FPF                                  0x0

KM SVN FPF                                   0x0

BSMM SVN FPF  &nbs

Edited by flashback8 - 30 Nov 2017 at 5:23am

rico wrote: Can't help you there as I've a Z170 board but if you're up for a minor adventure I'd suggest you try the latest ME drivers from here: https://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html

Can't do it. Intel won't let you downgrade ME firmware. ("Error 8805" and then something about the SVN (Security Version Number) preventing it.)