
Intel Management Engine vulnerability SA-00086

Printed From: ASRock.com
Category: Technical Support
Forum Name: Intel Motherboards
Forum Description: Question about ASRock Intel Motherboards
URL: https://forum.asrock.com/forum_posts.asp?TID=6667
Printed Date: 22 Nov 2024 at 1:38am
Software Version: Web Wiz Forums 12.04 - http://www.webwizforums.com


Topic: Intel Management Engine vulnerability SA-00086
Posted By: Arukado_
Subject: Intel Management Engine vulnerability SA-00086
Date Posted: 22 Nov 2017 at 3:19am
Hello all,

can we have an official statement from Asrock about the Intel® Management Engine vulnerability (Intel-SA-00086)??
I searched for it today on Google and the only thing that I found related to Asrock is a post on the win-raid forum in which some guy claims that he got a response from Asrock, and it doesn't look good.

https://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools-232.html#msg43790

Thanks for your mail to remind us about the call to action from Intel.
We are aware that Intel has recently suggested ODM/user/MB Manufacture to update the corresponding ME version to fix the security flaw in their Management Engine (ME).
According to Intel's announcement, this flaw only appears in "Corporate ME" which with AMT function.
As ours H97 Pro4 Motherboard is using the "Consumer ME" in our BIOS code, so there's no such concern on this case.
Please don't worry about it.


So since my Asrock Z170M Extreme4 is detected as affected and vulnerable.

That's probably because this vulnerability is related to IME, not only to "Corporate ME", and even Lenovo made a lot of patches for their PCs / laptops, so IMHO this post is fake or just some inexperienced person from support made this reply, so please Asrock let us know when we will receive patches.


Intel detection tool:
https://downloadcenter.intel.com/download/27150

Intel vulnerability site:
https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

Kind regards



Replies:
Posted By: daddyo
Date Posted: 22 Nov 2017 at 10:33am
All computers based on intel 6th, 7th, and 8th gen. are affected. That means all Skylake, Kaby Lake, and Coffee Lake based computers, and others as well.

This is a serious security flaw that needs addressing.


Posted By: parsec
Date Posted: 22 Nov 2017 at 12:35pm
Originally posted by Arukado_ Arukado_ wrote:

Hello all,

can we have an official statement from Asrock about the Intel® Management Engine vulnerability (Intel-SA-00086)??
I searched for it today on Google and the only thing that I found related to Asrock is a post on the win-raid forum in which some guy claims that he got a response from Asrock, and it doesn't look good.

https://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools-232.html#msg43790

Thanks for your mail to remind us about the call to action from Intel.
We are aware that Intel has recently suggested ODM/user/MB Manufacture to update the corresponding ME version to fix the security flaw in their Management Engine (ME).
According to Intel's announcement, this flaw only appears in "Corporate ME" which with AMT function.
As ours H97 Pro4 Motherboard is using the "Consumer ME" in our BIOS code, so there's no such concern on this case.
Please don't worry about it.


So since my Asrock Z170M Extreme4 is detected as affected and vulnerable.

That's probably because this vulnerability is related to IME, not only to "Corporate ME", and even Lenovo made a lot of patches for their PCs / laptops, so IMHO this post is fake or just some inexperienced person from support made this reply, so please Asrock let us know when we will receive patches.


Intel detection tool:
https://downloadcenter.intel.com/download/27150

Intel vulnerability site:
https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

Kind regards


Why are you asking a motherboard manufacturer about a problem with a product they do not manufacture or sell?

Why is a motherboard manufacturer responsible for any potential or existing flaw in a product they have not designed, manufactured, or marketed?

Any fix for this situation can only come from Intel. A motherboard manufacturer cannot and should not speak for Intel about this situation. Intel is the best and only true source for any information about this situation.

Have you posted a question in Intel's processor forum about this?



-------------
http://valid.x86.fr/48rujh


Posted By: Arukado_
Date Posted: 22 Nov 2017 at 5:00pm
Originally posted by parsec parsec wrote:



Why are you asking a motherboard manufacturer about a problem with a product they do not manufacture or sell?

Why is a motherboard manufacturer responsible for any potential or existing flaw in a product they have not designed, manufactured, or marketed?

Any fix for this situation can only come from Intel. A motherboard manufacturer cannot and should not speak for Intel about this situation. Intel is the best and only true source for any information about this situation.

Have you posted a question in Intel's processor forum about this?



Have you read anything on Intel's website about this vulnerability?
I don't think so. Intel is aware of this vulnerability and the solution is to upgrade ME to a newer version, which can be done by a BIOS upgrade, I think.
Dell and Lenovo already made a statement about this and are working on new BIOS / firmware updates.

Originally posted by Intel Intel wrote:


Contact your system manufacturer to obtain updates for impacted systems.


There's no problem with Intel's processor; it's a problem with Intel's chipset, and moreover the firmware update should be deployed by system manufacturers, as Intel said.
So instead of being a smart-ass and telling me to post something on Intel's forum, maybe next time read the whole post and then research the topic a little more, because as I wrote in my first post Intel already told us to go to our system manufacturers, and Dell and Lenovo responded quickly.

Furthermore, why do "we", and by "we" I meant users, have to deal with this kind of attitude from manufacturers? I should not care whose problem this is, Intel's or Asrock's! These two companies should talk with each other and give their customers a working solution.

More topics about this vulnerability have appeared on the internet:
https://rog.asus.com/forum/showthread.php%3F97618-When-will-we-see-firmware-updates-for-INTEL-SA-00086-for-X299

http://www.ocdrift.com/gigabyte-implements-safety-measures-against-intel-me-and-txe-security-vulnerabilities/








Posted By: J Z
Date Posted: 22 Nov 2017 at 9:10pm
Hello,

see -> http://forum.asrock.com/forum_posts.asp?TID=6676&title=wichtig-intel-mei-firmware-v118503425

-------------
Kind Regards,
JZ

https://shop.JZelectronic.de - The shop with selected ASRock professional hardware

https://www.facebook.com/asrock.de


Posted By: Arukado_
Date Posted: 23 Nov 2017 at 1:25am
Originally posted by J Z J Z wrote:

Hello,

see -> http://forum.asrock.com/forum_posts.asp?TID=6676&title=wichtig-intel-mei-firmware-v118503425

Thanks JZ but I'll stick to the same statement as soulstealer made on the original topic:

Originally posted by soulstealer soulstealer wrote:

Which boards does the update work with? why does not asrock provide an official download on its website?


FWUpdLcl64 file is of course Intel's flasher but nobody knows what is inside the bin file.
As far as we know this file can be legit or it can be another type of vulnerability just pretending to be the patch.
So if it works Asrock should post it on their website.


Posted By: soulstealer
Date Posted: 23 Nov 2017 at 1:53am
Originally posted by Arukado_ Arukado_ wrote:

Originally posted by J Z J Z wrote:

Hello,

see -> http://forum.asrock.com/forum_posts.asp?TID=6676&title=wichtig-intel-mei-firmware-v118503425

Thanks JZ but I'll stick to the same statement as soulstealer made on the original topic:

Originally posted by soulstealer soulstealer wrote:

Which boards does the update work with? why does not asrock provide an official download on its website?


FWUpdLcl64 file is of course Intel's flasher but nobody knows what is inside the bin file.
As far as we know this file can be legit or it can be another type of vulnerability just pretending to be the patch.
So if it works Asrock should post it on their website.

yeah, thank you. i agree with you, this issue is not to be taken lightly. i would argue that actually this is a production flaw in terms of warranty.


Posted By: japau
Date Posted: 23 Nov 2017 at 2:07am
Hi JZ,

Downloaded the file and followed the installation (windows64) like in youtube but it doesn't want to install on Z370 Taichi with BIOS 1.20

Error log as follows,

Error 8193: Fail to load MEI device driver (PCI access for Windows)
Above error is often caused by one of below reasons:
Administrator privilege needed for running the tool
ME is in an error state causing MEI driver fail
MEI driver is not installed



Posted By: Arukado_
Date Posted: 23 Nov 2017 at 2:09am
Originally posted by japau japau wrote:

Hi JZ,

Administrator privilege needed for running the tool

Some hint in there. Did you run it with admin privileges?


Posted By: daddyo
Date Posted: 23 Nov 2017 at 2:09am
It was surprising to see how patronizing a moderator was regarding this issue. For those who have NOT read Intel's statement yet, they clearly have placed the initiative to resolve this serious security hole on the OEM providers, which Asrock would be in the case of motherboards.

Considering that any consumer Intel CPU made since fall of 2015 is affected, you can expect there will be attempts to make use of this vulnerability wherever it is unpatched. 

I await Asrock's official response.


-- Edit-- 

I did notice on their website that ME engine and CPU microcode updates have been released on some server motherboards, and 300 series chipset based motherboards... I hope more will come! I just bought my z270 extreme4 a month ago. I would expect them to issue updates for 200 and 100 series motherboards as well.


Posted By: soulstealer
Date Posted: 23 Nov 2017 at 3:39am
Originally posted by J Z J Z wrote:

Hello,

see -> http://forum.asrock.com/forum_posts.asp?TID=6676&title=wichtig-intel-mei-firmware-v118503425

sorry, but is this asrock official? we just need some clarity.


Posted By: Kathrys
Date Posted: 23 Nov 2017 at 10:34am
Most motherboard manufacturers have already issued an update about incoming BIOS and software updates and we get silence?

I guess my next MB won't be an Asrock.


Posted By: parsec
Date Posted: 23 Nov 2017 at 12:56pm
Originally posted by daddyo daddyo wrote:

It was surprising to see how patronizing a moderator was regarding this issue. For those who have NOT read Intel's statement yet, they clearly have placed the initiative to resolve this serious security hole on the OEM providers, which Asrock would be in the case of motherboards.

Considering that any consumer Intel CPU made since fall of 2015 is affected, you can expect there will be attempts to make use of this vulnerability wherever it is unpatched. 

I await Asrock's official response.


-- Edit-- 

I did notice on their website that ME engine and CPU microcode updates have been released on some server motherboards, and 300 series chipset based motherboards... I hope more will come! I just bought my z270 extreme4 a month ago. I would expect them to issue updates for 200 and 100 series motherboards as well.


From the start of this, it was obvious that the only simple method of fixing this issue, is via a UEFI/BIOS update. The articles about this have very little detail, and are not definitive statements from Intel.

MY frustration is the motherboard manufacturer, ASRock in this case, being taken to task and at best blamed for the fix not being available immediately.

My main point only is, ASRock and all the other motherboard manufacturers are not responsible for this issue. Is that true or false?

We already see the angry posts in this thread, which is so frustrating. Yes, the motherboard manufacturers are stuck with the responsibility of providing the fix for this issue. But they did not create the IME hardware and software, any more than they manufacture the processors used in a motherboard.

So why are people mad at ASRock?

They want a statement from ASRock, but what do they want it to say? That ASRock will provide the UEFI/BIOS updates? Of course, that is obvious and reasonable. How could any motherboard manufacturer not do that, provide the updates? I do not officially speak for ASRock in this case, but I'm sure as I can be that the UEFI/BIOS updates will be available.

I'm surprised anyone is concerned about the updates not being provided. Not providing the fix in a UEFI/BIOS update would alone be a huge PR disaster.



-------------
http://valid.x86.fr/48rujh


Posted By: J Z
Date Posted: 23 Nov 2017 at 4:01pm
Originally posted by soulstealer soulstealer wrote:

Originally posted by J Z J Z wrote:

Hello,

see -> http://forum.asrock.com/forum_posts.asp?TID=6676&title=wichtig-intel-mei-firmware-v118503425

sorry, but is this asrock official? we just need some clarity.

Hello,

It is official and you can see the address from the link and it comes from ASRock only in advance and soon on the ASRock website




Posted By: romf
Date Posted: 23 Nov 2017 at 4:31pm
Forgive this dumb post, i just want to be notified of further announcements/posts here regarding this issue.


Posted By: Arukado_
Date Posted: 23 Nov 2017 at 4:48pm
Originally posted by parsec parsec wrote:


MY frustration is the motherboard manufacturer, ASRock in this case, being taken to task and at best blamed for the fix not being available immediately.


No my friend, we do not blame anyone for that. Your first post was like "go away and complain on Intel's forum". Zero empathy means for some zero professional behavior.
If we had a similar statement from Asrock as from other manufacturers, for example "we are aware of this issue and we're working on a fix, ETA=XXX", nobody would be angry.

Originally posted by parsec parsec wrote:


My main point only is, ASRock and all the other motherboard manufacturers are not responsible for this issue. Is that true or false?


Yup that's true. The flaw is in ME, but since Intel said go to your OEM manufacturer because you need a BIOS update, Asrock owners simply came here.

Originally posted by parsec parsec wrote:


So why are people mad at ASRock?


Cos there's no statement? Complete silence? And your first post? And answers from technical support like this one from the raid-win forum which I pasted at the beginning?

Originally posted by parsec parsec wrote:


They want a statement from ASRock, but what do they want it to say? That ASRock will provide the UEFI/BIOS updates?

That's exactly what we need / want.

Originally posted by parsec parsec wrote:


Of course, that is obvious and reasonable. How could any motherboard manufacturer not do that, provide the updates? I do not officially speak for ASRock in this case, but I'm sure as I can be that the UEFI/BIOS updates will be available.


Put yourself in other people's shoes. They saw my post and your reply to it, so .... what are they supposed to think?


To summarize, we all know that this kind of thing takes time. But why can't Asrock just inform their customers that the company is already working to provide patches etc.
For example my friend who has an Asus Z170 plus got his patch yesterday. Furthermore JZ claims that in his post there's an official Asrock solution, so WTF? Is it or is it not?

Have a good day!



Posted By: Arukado_
Date Posted: 23 Nov 2017 at 4:52pm
Originally posted by J Z J Z wrote:

Originally posted by soulstealer soulstealer wrote:

Originally posted by J Z J Z wrote:

Hello,

see -> http://forum.asrock.com/forum_posts.asp?TID=6676&title=wichtig-intel-mei-firmware-v118503425

sorry, but is this asrock official? we just need some clarity.

Hello,

It is official and you can see the address from the link and it comes from ASRock only in advance and soon on the ASRock website


No no no JZ. The post is on the Asrock forum, but the link with the zip file which you provided http://asrock.pc.cdn.bitgravity.com/TSD/ME-consumer_11.8.50.3425.zip has Asrock in the name but the domain is totally different, so from my point of view it's not legit.



Posted By: J Z
Date Posted: 23 Nov 2017 at 6:17pm
I'm sorry I wanted to help, then wait until it appears on the ASRock website. Other manufacturers have not provided anything official




Posted By: rico
Date Posted: 23 Nov 2017 at 7:10pm
Originally posted by J Z J Z wrote:

Other manufacturers have not provided anything official


That's not entirely true though. My work laptop is a Lenovo ThinkPad T560 which the tool identified as already patched as are a whole lot of other models (but not all affected): https://support.lenovo.com/ie/en/product_security/len-17297

Quote
INTEL-SA-00086 Detection Tool

Risk Assessment

Based on the analysis performed by this tool: This system is not vulnerable. It has already been patched.

For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

INTEL-SA-00086 Detection Tool

Application Version: 1.0.0.128
Scan date: 23/11/2017 11:00:35

Host Computer Information

Name: XXXXXXXXX
Manufacturer: LENOVO
Model: 20FJS06J00
Processor Name: Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz
OS Version: Microsoft Windows 10 Enterprise

Intel(R) ME Information

Engine: Intel(R) Management Engine
Version: 11.8.50.3425
SVN: 3

Copyright(C) 2017, Intel Corporation, All rights reserved.


Not complaining but would reiterate OP's request for a comment on the matter. I'm not expecting a patch by the end of the day!

Fatal1ty Z170 Gaming K6+ owner.
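
For anyone collecting these reports from several machines, the following is an added example (not part of the original post and not Intel's or ASRock's code) that parses a report in the layout quoted above and cross-checks the tool's verdict against the reported ME version. The sample reports are constructed, and the 11.8.50.3425 baseline is an assumption taken from the version this thread shows as "already patched".

```python
import re

# Constructed sample in the layout of the report quoted above; host details are placeholders.
SAMPLE_REPORT = """\
INTEL-SA-00086 Detection Tool

Risk Assessment

Based on the analysis performed by this tool: This system is not vulnerable. It has already been patched.

INTEL-SA-00086 Detection Tool

Application Version: 1.0.0.128
Scan date: 23/11/2017 11:00:35

Host Computer Information

Name: HOST-PLACEHOLDER
Manufacturer: LENOVO
Model: MODEL-PLACEHOLDER
OS Version: Microsoft Windows 10 Enterprise

Intel(R) ME Information

Engine: Intel(R) Management Engine
Version: 11.8.50.3425
SVN: 3
"""

# Constructed "before the update" variant: the verdict wording and version are made up.
UNPATCHED_REPORT = (
    SAMPLE_REPORT
    .replace("not vulnerable. It has already been patched.", "vulnerable.")
    .replace("11.8.50.3425", "11.6.0.1126")
)

SECTIONS = ("Risk Assessment", "Host Computer Information", "Intel(R) ME Information")

# Assumption: the ME 11.8 build this thread reports as patched.
PATCHED_BASELINE = (11, 8, 50, 3425)


def parse_report(text):
    """Return {section: {key: value}}; the first 'key: value' under Risk Assessment is the verdict."""
    report, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            report.setdefault(section, {})
            continue
        key, sep, value = line.partition(": ")
        if section is None or not sep:
            continue  # titles, blank lines, anything before the first section
        if section == "Risk Assessment":
            key = "verdict"
        report[section].setdefault(key, value.strip())
    return report


def me_version(report):
    """Read the ME version from its own section; a bare 'Version:' regex over the
    whole report would hit 'Application Version' or 'OS Version' first."""
    raw = report.get("Intel(R) ME Information", {}).get("Version", "")
    if not re.fullmatch(r"\d+(\.\d+){3}", raw):
        raise ValueError(f"unexpected ME version field: {raw!r}")
    return tuple(int(part) for part in raw.split("."))


def assess(report, baseline=PATCHED_BASELINE):
    """Return 'patched', 'vulnerable', 'mismatch' or 'unknown-branch'."""
    version = me_version(report)
    # Other firmware branches have their own fixed builds; do not compare across them.
    if version[0] != baseline[0] or version[:2] > baseline[:2]:
        return "unknown-branch"
    verdict = report.get("Risk Assessment", {}).get("verdict", "").lower()
    cleared = "not vulnerable" in verdict
    at_baseline = version >= baseline
    if cleared and at_baseline:
        return "patched"
    if not cleared and not at_baseline:
        return "vulnerable"
    return "mismatch"  # tool verdict and version disagree: look at this host by hand


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_REPORT), ("unpatched", UNPATCHED_REPORT)):
        parsed = parse_report(text)
        print(name, ".".join(map(str, me_version(parsed))), assess(parsed))
```
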




Posted By: Arukado_
Date Posted: 23 Nov 2017 at 7:14pm
Originally posted by J Z J Z wrote:

I'm sorry I wanted to help, then wait until it appears on the ASRock website. Other manufacturers have not provided anything official


That's not true at all. For example, my friend patched his mobo yesterday.
https://www.asus.com/pl/Motherboards/Z170M-PLUS/HelpDesk_BIOS/

Patch from yesterday MEUpdateTool



Posted By: J Z
Date Posted: 23 Nov 2017 at 7:32pm
Yesterday -> MEUpdateTool -> ASRock -> Download -> http://asrock.pc.cdn.bitgravity.com/TSD/ME-consumer_11.8.50.3425.zip




Posted By: Arukado_
Date Posted: 23 Nov 2017 at 7:39pm
Originally posted by J Z J Z wrote:

Yesterday -> MEUpdateTool -> ASRock -> Download -> http://asrock.pc.cdn.bitgravity.com/TSD/ME-consumer_11.8.50.3425.zip


JZ once again are you seeing the difference between these two:

Asus patch - > https://www.asus.com/en/Motherboards/Z170M-PLUS/HelpDesk_BIOS/
Your Asrock wannabe patch -> http://asrock.pc.cdn.bitgravity.com/TSD/ME-consumer_11.8.50.3425.zip

Till Asrock places it on their official website it's not official.






Posted By: J Z
Date Posted: 23 Nov 2017 at 7:49pm
Coming soon



Posted By: soulstealer
Date Posted: 23 Nov 2017 at 9:36pm
Originally posted by Arukado_ Arukado_ wrote:

Originally posted by J Z J Z wrote:

Originally posted by soulstealer soulstealer wrote:

Originally posted by J Z J Z wrote:

Hello,

see -> http://forum.asrock.com/forum_posts.asp?TID=6676&title=wichtig-intel-mei-firmware-v118503425

sorry, but is this asrock official? we just need some clarity.

Hello,

It is official and you can see the address from the link and it comes from ASRock only in advance and soon on the ASRock website


No no no JZ. The post is on the Asrock forum, but the link with the zip file which you provided http://asrock.pc.cdn.bitgravity.com/TSD/ME-consumer_11.8.50.3425.zip has Asrock in the name but the domain is totally different, so from my point of view it's not legit.


i must correct this, jz is actually right, the link provided is really from asrock, because i have received an email from asrock support with the same address.


Posted By: soulstealer
Date Posted: 23 Nov 2017 at 9:38pm
Originally posted by J Z J Z wrote:

Originally posted by soulstealer soulstealer wrote:

Originally posted by J Z J Z wrote:

Hello,

see -> http://forum.asrock.com/forum_posts.asp?TID=6676&title=wichtig-intel-mei-firmware-v118503425

sorry, but is this asrock official? we just need some clarity.

Hello,

It is official and you can see the address from the link and it comes from ASRock only in advance and soon on the ASRock website

i have a h170 fatality performance (not d3, not hyper), do i install the corporate or consumer firmware? i suppose they each require different drivers, too?


Posted By: EdTittel
Date Posted: 23 Nov 2017 at 10:54pm
According to the TenForums discussion on this topic, Gigabyte has already posted a patch for its affected motherboards. See https://www.tenforums.com/windows-10-news/98600-flaws-found-intel-management-engine-me-txe-sps-2.html , thread #13 for a claim to this effect. I've been checking App Shop periodically since this came up and have seen nothing yet. Just checked the BIOS info for my affected motherboards, too, and haven't seen anything there yet, either.
HTH,
--Ed--


-------------
Ed Tittel 2443 Arbor Drive Round Rock, TX 78681
     phn: 512-252-7497   mbl: 512-422-7943
             www.edtittel.com


Posted By: soulstealer
Date Posted: 23 Nov 2017 at 11:16pm
Originally posted by EdTittel EdTittel wrote:

According to the TenForums discussion on this topic, Gigabyte has already posted a patch for its affected motherboards. See https://www.tenforums.com/windows-10-news/98600-flaws-found-intel-management-engine-me-txe-sps-2.html , thread #13 for a claim to this effect. I've been checking App Shop periodically since this came up and have seen nothing yet. Just checked the BIOS info for my affected motherboards, too, and haven't seen anything there yet, either.
HTH,
--Ed--

im not sure but it could be that drivers and firmware upgrades from different brands and products are even compatible / changeable with each other, for example Intel Z370, x299, Z87, Z97, Z170, Z270, Z270, H170, B250, B150 ... (Serie 8/9/100/200/300 Series).

i know that at least for the drivers this is the case. then there are two different versions of firmware for each chipset series, corporate (MEI / AMT) (5mb) and consumer (MEI) (1.5mb).

then for example for the 100-series consumer there is Firmware 1.5Mo (LP) (Intel 100-series Consumer LP Skylake-Y-U and Skylake (Mobile)) and Firmware 1.5Mo (SH) (Intel 100-series Consumer Skylake-S-H and Skylake).

and this goes on for the other chipsets, too. so they have the same driver and different firmwares, but probably a corporate could be flashed onto a consumer board and drivers be used as well.

i tried it by myself once if i remember right but i advise strongly against it and im not recommending it.

note: just found out samsung and asrock use the same intel flash utility / routine, its probably the same for other vendors.


Posted By: flashback8
Date Posted: 24 Nov 2017 at 1:27am
Hello. FYI, the Intel ME update seems to break playback of Ultra HD Blu-Ray discs. I own the Fatal1ty Z370 Gaming-ITX/ac board, which is one of the few out there that can handle all the ridiculous requirements for playing UHD discs. Among other things, the Intel ME drivers are a critical part of the puzzle since they enable SGX support, which UHD discs require.

Anyway, everything was fine until I installed the updated ME drivers. Now, Cyberlink's software tells me that HDCP 2.2 (a handshake protocol over HDMI) is no longer available. I figured that I might be able to get it working again if I reinstalled Intel's graphics drivers and restarted the PC. Nope. Same issue. I need to double check the UEFI settings but I'm 99% sure nothing changed.

Has anybody else had this problem? Any workarounds? I'll keep tinkering and will report back if anything changes.

Thank you.


Posted By: soulstealer
Date Posted: 24 Nov 2017 at 1:31am
Originally posted by flashback8 flashback8 wrote:

Hello. FYI, the Intel ME update seems to break playback of Ultra HD Blu-Ray discs. I own the Fatal1ty Z370 Gaming-ITX/ac board, which is one of the few out there that can handle all the ridiculous requirements for playing UHD discs. Among other things, the Intel ME drivers are a critical part of the puzzle since they enable SGX support, which UHD discs require.

Anyway, everything was fine until I installed the updated ME drivers. Now, Cyberlink's software tells me that HDCP 2.2 (a handshake protocol over HDMI) is no longer available. I figured that I might be able to get it working again if I reinstalled Intel's graphics drivers and restarted the PC. Nope. Same issue. I need to double check the UEFI settings but I'm 99% sure nothing changed.

Has anybody else had this problem? Any workarounds? I'll keep tinkering and will report back if anything changes.

Thank you.

ill probably update firmware and drivers in an hour or so. where did you get your drivers and firmware update from?

i want to add that intel recommends a certain uninstall routine, but for mainstream users it should not be important.

you can still check here.

https://www.intel.com/content/dam/support/us/en/documents/technologies/intel-active-management-technology-intel-amt/Firmware_Deployment_Process-Rev1.0.pdf

use the sa-00075 command line tool from the installation for the following:

sa-00075:
*********

note:
*****

The procedural steps for implementing the mitigation are as follows:
1. Unprovision the Intel manageability SKU system. This is necessary to mitigate the network privilege escalation vulnerability and remove any configuration changes an unprivileged attacker could have made prior to mitigation.
2. Update the impacted systems with firmware obtained from your OEM that addresses this issue.
3. Re-provision Intel manageability SKU with your existing manageability / configuration console.

important:

run from windows cmd-console with administrator privileges


1. download detection and mitigation tool and install it (run to check vulnerability)

https://downloadcenter.intel.com/download/26755/INTEL-SA-00075-Detection-and-Mitigation-Tool

2. unprovision (run from installation folder of sa-00075 tool)

Intel-SA-00075-console.exe -Unprovision

3. disable lms

Intel-SA-00075-console.exe -DisableLMS




Posted By: Montoya
Date Posted: 24 Nov 2017 at 4:00am
Originally posted by parsec parsec wrote:


Why are you asking a motherboard manufacturer about a problem with a product they do not manufacture or sell?

Why is a motherboard manufacturer responsible for any potential or existing flaw in a product they have not designed, manufactured, or marketed?

Replace the words "mother board" with "Car".....

If there are security issues with a part from my car, that is manufactured by a parts supplier of my car manufacturer, then my car manufacturer is responsible for fixing this issue for the endconsumer by doing a recall for all those cars affected.....

So Asrock must take action in my opinion, providing a solution/guide eventually to their endconsumers with affected products.


-------------
Fatal1ty Z170 Gaming-ITX/ac, Intel i5-6500, Kingston HyperX Fury 16GB, Samsung 950 Pro 512GB, Fractal Design Core 500, Win10 Pro X64


Posted By: soulstealer
Date Posted: 24 Nov 2017 at 4:08am
just flashed it.

C:\Users\xxx\Downloads\ME-corporate_11.8.50.3425\ME-corporate_11.8.50.3425\Windows64>FWUpdLcl64 -f FW.bin

Intel (R) Firmware Update Utility Version: 11.8.50.3425
Copyright (C) 2007 - 2017, Intel Corporation.  All rights reserved.

Communication Mode: MEI
Checking firmware parameters...

Warning: Do not exit the process or power off the machine before the firmware update process ends.
Sending the update image to FW for verification:  [ COMPLETE ]



FW Update:  [ 100% (-)]Do not Interrupt
FW Update is completed successfully.

rebooting and hoping to see you again.

note: rebooted and installed latest ime/atm drivers and everything went butter smooth. will test tools again.

tools show not vulnerable anymore, system runs perfectly.

mission accomplished.

id say it is safe to use, but you are on your own risk.

if you notice i have chosen to flash the corporate image and use corporate drivers on a consumer board, but i did that to just in case have everything updated there is and show how cool asrock is (and me).

these are the files i used with windows 10, i7 7700k and asrock h170 fatality performance (default edition, not d3, not hyper):

http://asrock.pc.cdn.bitgravity.com/TSD/ME-corporate_11.8.50.3425.zip (this is from asrock support, and so its official)

http://www.station-drivers.com/index.php?option=com_remository&Itemid=352&func=startdown&id=3195&lang=en (is rather not official, but contains an intel license, station-drivers is deemed legit and ive used it myself)


Posted By: OFelix
Date Posted: 24 Nov 2017 at 4:38am

Hi ASRock,

please release a statement and when a fix is available please host it on your own servers.

Thanks


Posted By: Zjenep
Date Posted: 24 Nov 2017 at 4:20pm
Official statement from ASRock:
https://www.asrock.com/microsite/2017IntelFirmware/


Posted By: Arukado_
Date Posted: 24 Nov 2017 at 4:59pm
Originally posted by Zjenep Zjenep wrote:

Official statement from ASRock:
https://www.asrock.com/microsite/2017IntelFirmware/


So I think that Asrock is not taking this case seriously.
JZ admit that you have something to do with this site.

For example:
Quote
If your model Intel 100/200/300 series but not in the following list, please download ME1 package


My English is poor but this is just hilarious and I'm quite sure that nobody from Asrock wrote that.

Next thing is image resolution ffs. Really 13KB and 470x270???
And photos of dos flash tool taken with cell phone i think under strange angle ;)

And finally links to ME1 and ME2 packages still hosted on non Asrock domain which in my opinion anybody can replace with some malicious software.

ME1 link
http://asrock.pc.cdn.bitgravity.com/TSD/ME-consumer_11.8.50.3425.zip

ME2 link
http://asrock.pc.cdn.bitgravity.com/TSD/ME-corporate_11.8.50.3425.zip

Is it so god damn hard for Asrock officials to make a proper solution and host it on their own servers? Is it too much responsibility?

Really looking on how this whole thing is spinning I'm quite sure that with that kind of customer service I'll never buy Asrock product again.
Maybe that's only my opinion but seriously I've been working in the IT industry for over twelve years by now and I'm not seeing that kind of stopgap often.

Ps. Zjenep you joined this forum 33 minutes ago, how did you get this link? There's no information on the Asrock main page, not in the news section, not in technical support. Google says nothing about that either.


Posted By: Zjenep
Date Posted: 24 Nov 2017 at 5:19pm
I happen to have an ASRock motherboard which is affected by the Intel bug as well. I was in contact with ASRock support already and they sent me the link. I just wanted to share it with the rest of you, so I just registered on the forum.

The links look legit to me. They use the same content delivery network from Bitgravity to offer drivers and such. Have a look at the download options for Asia and US:
https://www.asrock.com/mb/Intel/Z170M%20Extreme4/%3Fcat=Download&os=Win1064

I agree with Arukado, picture quality could be better :)


Posted By: Arukado_
Date Posted: 24 Nov 2017 at 5:32pm
Originally posted by Zjenep Zjenep wrote:

I happen to have an ASRock motherboard which is affected by the Intel bug as well. I was in contact with ASRock support already and they sent me the link. I just wanted to share it with the rest of you, so I just registered on the forum.


So you have Z170M Extreme4 right? Same mobo as mine. Did you flash it already?
Can you paste us the whole email from asrock?

For the bitgravity you're actually right. I've never used Asia or USA links cos I'm from Europe so I didn't notice that they're hosting it on external servers.

Right now I'm just curious: since it looks like they have a patch already, they have to be aware of the problem, so why ffs has nobody from Asrock come here and told us anything?
Why is there no info in the news or technical section?
Why does it look like something that was written on the knee in a rush?
Why did they not paste it in the mobo's download section? Asus did that a while ago.

Many questions and zero answers so imho communication is very very bad.




Posted By: Montoya
Date Posted: 24 Nov 2017 at 9:18pm
Looks very unprofessional and suspicious what Asrock has come up with for their customers with affected products, providing a link that is nowhere referenced on main page, news page or support pages....

Looks like Asus is the only one on my shopping list for replacing my old Z170 mainboard, because they prove right now that they handle security issues professionally, like it always should be !!!


-------------
Fatal1ty Z170 Gaming-ITX/ac, Intel i5-6500, Kingston HyperX Fury 16GB, Samsung 950 Pro 512GB, Fractal Design Core 500, Win10 Pro X64


Posted By: lex23
Date Posted: 25 Nov 2017 at 12:17am
Can someone help me please?

I use an ASRock Z170 Extreme4 and installed the ME-consumer_11.8.50.3425 update.

Now my PC doesn't completely shut down anymore. Monitor turns off, but the computer/fans keep going.

Help please!


Posted By: SDeath
Date Posted: 25 Nov 2017 at 12:24am
I tried to install the update on my Fatal1ty X299 Professional Gaming i9 but I get a SKU mismatch?
The Intel tool showed me I was vulnerable so I'd like to be patched.

PS I downloaded the ME1 package.


Posted By: flashback8
Date Posted: 25 Nov 2017 at 1:51am
Originally posted by soulstealer soulstealer wrote:

Originally posted by flashback8 flashback8 wrote:

Hello. FYI, the Intel ME update seems to break playback of Ultra HD Blu-Ray discs. I own the Fatal1ty Z370 Gaming-ITX/ac board, which is one of the few out there that can handle all the ridiculous requirements for playing UHD discs. Among other things, the Intel ME drivers are a critical part of the puzzle since they enable SGX support, which UHD discs require.

Anyway, everything was fine until I installed the updated ME drivers. Now, Cyberlink's software tells me that HDCP 2.2 (a handshake protocol over HDMI) is no longer available. I figured that I might be able to get it working again if I reinstalled Intel's graphics drivers and restarted the PC. Nope. Same issue. I need to double check the UEFI settings but I'm 99% sure nothing changed.

Has anybody else had this problem? Any workarounds? I'll keep tinkering and will report back if anything changes.

Thank you.

ill probably update firmware and drivers in an hour or so. where did you get your drivers and firmware update from?

Hi. I got the files from the BitGravity link posted here. I didn't download until it had been confirmed that the files were legit.

In any event, are you saying that you're able to confirm whether or not HDCP 2.2 handshakes can still occur? If so, that'd be great! I'd like to find out if this is a consistent issue or if I'm just unlucky.

Quote
i want to add that intel recommends a certain uninstall routine, but for mainstream users it should not be important.


Okay. I missed that. I went back and tried to do it. I wasn't allowed to do any of that. Not sure if it's because I had already installed the update, or didn't have a password for unprovisioning, or what. Oh well.


Posted By: partofthething
Date Posted: 25 Nov 2017 at 8:35am
I'm happy ASRock posted the links to the fixes on their page (https://www.asrock.com/microsite/2017IntelFirmware/). However, I'm a bit distraught that the files are hosted over HTTP instead of HTTPS. Downloads like this really should use TLS to prevent people between the server and the customers from injecting malicious firmware into people's machines.

Meanwhile, those of you who downloaded the files, what SHA1/SHA256 hash did they have? With sha1sum and sha256sum commands, I get:

c5cd9811598492541ff5da850027e698f01afa67  ME-consumer_11.8.50.3425.zip
366ddc9ee99e1641bee6a19554cac3c5ad4f15df8c7bdee63558f22aebe0e19c  ME-consumer_11.8.50.3425.zip


Can anyone confirm? Thanks.
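
The comparison requested in the post above can be scripted. The following is an added example, not code from the thread or from ASRock: it parses checksum lines in the `sha1sum`/`sha256sum` format shown above, picks the algorithm from the digest length, and reports a file as good only if every listed digest matches. The function names and the stand-in file used in `demo()` are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# The two checksum lines posted in this thread (sha1sum / sha256sum output format).
PAGE_MANIFEST = """\
c5cd9811598492541ff5da850027e698f01afa67  ME-consumer_11.8.50.3425.zip
366ddc9ee99e1641bee6a19554cac3c5ad4f15df8c7bdee63558f22aebe0e19c  ME-consumer_11.8.50.3425.zip
"""

# Hex digest length -> hashlib algorithm name.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}
HEX = set("0123456789abcdef")


def parse_manifest(text):
    """Return [(algo, digest, filename)] from '<digest>  <name>' or '<digest> *<name>' lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        digest, _, rest = line.partition(" ")
        digest = digest.lower()
        algo = ALGO_BY_HEX_LEN.get(len(digest))
        if algo is None or not set(digest) <= HEX:
            raise ValueError("line %d: not a SHA-1/SHA-256 hex digest" % lineno)
        # After the first space comes ' ' (text mode) or '*' (binary mode), then the name.
        if len(rest) < 2 or rest[0] not in (" ", "*"):
            raise ValueError("line %d: malformed separator" % lineno)
        name = rest[1:]
        # A manifest copied from a forum is untrusted input: refuse path components.
        if name != os.path.basename(name) or "\\" in name or name in (".", ".."):
            raise ValueError("line %d: filename must not contain a path" % lineno)
        entries.append((algo, digest, name))
    return entries


def file_digest(path, algo, chunk=1 << 20):
    """Hash a file in chunks so large archives do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(manifest_text, directory):
    """Return {filename: 'ok' | 'MISMATCH' | 'missing'}; any failing line is sticky."""
    results = {}
    for algo, digest, name in parse_manifest(manifest_text):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            status = "missing"
        elif hmac.compare_digest(file_digest(path, algo), digest):
            status = "ok"
        else:
            status = "MISMATCH"
        # Never let a later matching digest overwrite an earlier failure.
        if results.get(name, "ok") == "ok":
            results[name] = status
    return results


def demo():
    """Constructed sample: verify a stand-in file, then again after bytes are appended."""
    with tempfile.TemporaryDirectory() as d:
        name = "ME-sample.zip"  # constructed name, not a real package
        data = b"constructed stand-in for a firmware archive\n"
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(data)
        manifest = "%s  %s\n%s *%s\n" % (
            hashlib.sha1(data).hexdigest(), name,
            hashlib.sha256(data).hexdigest(), name)
        before = verify(manifest, d)
        with open(path, "ab") as f:
            f.write(b"modified in transit")
        after = verify(manifest, d)
        return before, after


if __name__ == "__main__":
    print(demo())
    # For a real download: print(verify(PAGE_MANIFEST, "/path/to/download/dir"))
```

Matching digests across forum members show that everyone received the same bytes over their own connections; they do not show who produced those bytes, which is what a vendor signature or a hash published over HTTPS would add.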


Posted By: parsec
Date Posted: 25 Nov 2017 at 12:38pm
Originally posted by Montoya Montoya wrote:

Originally posted by parsec parsec wrote:


Why are you asking a mother board manufacturer about a problem with a product they do not manufacture or sell?

Why is a mother board manufacturer responsible for any potential or existing flaw in a product they have not designed, manufactured, or marketed?

Replace the words "mother board" with "Car".....

If there are security issues with a part from my car, that is manufactured by a parts supplier of my car manufacturer, then my car manufacturer is responsible for fixing this issue for the end consumer by doing a recall for all those cars affected.....

So Asrock must take action in my opinion, providing a solution/guide eventually to their end consumers with affected products.


Thank you for mentioning the "Car" example, it is exactly the same situation as the Intel IME issue.

Coincidentally, I just received a paper mail from TK Holdings, a company related to the Takata corporation. Takata is the manufacturer of the air bags/air bag inflators safety system in automobiles that have had problems for the past several years. The mail requested that I check if the cars I own are affected, and to schedule a replacement with the car dealership if necessary. Yes, they are still doing this years after the problem was first discovered, I was surprised.

Takata makes the air bags, the automobile manufacturers use them in their vehicles. The automobile manufacturers cannot legally fix the airbags themselves, even if they could. They can only use what is provided to them by Takata. Then they will provide the new airbags to their vehicle owners.

Intel makes the IME hardware, firmware, and software. Mother board manufacturers cannot fix any of those things themselves legally, even if they had access to the IME hardware designs, and the firmware and software programs, which they don't. They can only use what is provided to them by Intel. Then they will provide the new IME firmware, etc, to the mother board owners.

I never said a mother board manufacturer will not provide the IME firmware fix from Intel when it is available.

I said the mother board manufacturers are not responsible for the IME problem itself. They also cannot fix the problem with the IME firmware.

They can and will provide the fix for the IME problem when it is given to them by Intel. That is all they can do, and is exactly what they are doing.

We are confusing what the word "provide" means in this situation. Yes, the UEFI/BIOS updates with the IME firmware fix are being provided by mother board manufacturers. The IME firmware is one part of the UEFI/BIOS file, and is given to mother board manufacturers by Intel. The IME firmware has been updated (for other reasons) several times in the past for many different models of Intel chipset mother boards. Hopefully this fix will be enough, if it isn't then Intel will need to provide another version to the mother board manufacturers. The one and only source of the IME firmware is Intel.

The one and only point of my first post about this is that I am frustrated that some mother board users seem to be angry with the mother board manufacturers, when they are not responsible for the design and creation of the IME hardware and software, and the problem found with it.

If someone is upset and worried about this problem, the best source of information about it is Intel. Mother board manufacturers cannot legally speak for Intel, and are bound by Non-Disclosure Agreements (NDAs). Only Intel can fix this issue. Mother board manufacturers can only pass on to us what they are given by Intel. Mother board manufacturers are simply the "middle man" in this situation. Being upset with mother board manufacturers for causing this problem does not make sense, since they did not cause it.

Yes we could be upset with mother board manufacturers if they did not pass on to us the fixed IME firmware, but that is NOT what is happening.

This is the official response page from Intel about this issue:

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

Here is the official response from ASRock, and instructions and downloads for the fix:

https://www.asrock.com/microsite/2017IntelFirmware/

This update is NOT a UEFI/BIOS update, but updates the IME firmware ONLY.

PLEASE read the instructions carefully. There are two methods, Windows and DOS bootable.

ONLY the boards in the list on the page MUST use the ME2 download version.

All the 'Z' 100, 200, and 300 series chipset boards MUST use the ME1 download version.



-------------
http://valid.x86.fr/48rujh


Posted By: Montoya
Date Posted: 25 Nov 2017 at 5:15pm
Thanks for the reply Parsec and don't get me wrong, because I completely understand that Asrock is not responsible for the security issue, but they are responsible for examining what they can do in COLLABORATION with Intel for the users of affected products and provide an easy to use guide.

I criticize Asrock only with the fact that the guide they provide, that the pictures that are provided with it, are not readable and that no references are on the main/news/support website, informing users where to find this guide to check if they are affected and how to fix this Intel security issue.

That's not professional and gives most users the impression, that Asrock doesn't take all this seriously.

Why don't they post a message on the download support web page of every affected mainboard, so that users are directed and informed about the Intel security issue, instead of a USER post on this forum where still no official response is to be found....

Because the mainboard support pages, that is where most affected users first look for information/fix, because for example, for my mainboard, Asrock has provided ME updates before into their bios update files.


-------------
Fatal1ty Z170 Gaming-ITX/ac, Intel i5-6500, Kingston HyperX Fury 16GB, Samsung 950 Pro 512GB, Fractal Design Core 500, Win10 Pro X64


Posted By: rico
Date Posted: 25 Nov 2017 at 8:18pm
Originally posted by lex23 lex23 wrote:

Can someone help me please?

I use an ASRock Z170 Extreme4 and installed the ME-consumer_11.8.50.3425 update.

Now my PC doesn't completely shut down anymore. Monitor turns off, but the computer/fans keep going.


Crap, add me to this list but with Fatal1ty Z170 Gaming K6+ w/i7-6700K. I checked the BIOS and the new 11.8.50.3425 is listed under the Advanced\Chipset Configuration page but under Win10 there don't appear to be any drivers for the ME hardware. Maybe that's what's causing the problem?

The Intel-SA-00086 Detection Tool now just reports "Detection Error: This system may be vulnerable, please install the Intel(R) MEI/TXEI driver (available from your system manufacturer).

Intel(R) ME Information

Engine: Intel(R) Management Engine
Version: Unknown
SVN: 0"

Something is keeping my PC awake when shutting down and it started exactly after installing this new ME firmware.

Windows Event Viewer extract of Descriptions:

1. 11:40:02 The process C:\Windows\System32\RuntimeBroker.exe has initiated the power off of computer
 Reason Code: 0x0
 Shut-down Type: power off

2. 11:40:06 The system is entering sleep.

3. 11:40:06 The browser has forced an election on network \Device\NetBT_Tcpip_{99779397-8814-49CE-952C-50ADDE3A2389} because a master browser was stopped.

4. 11:40:07 The system has resumed from sleep.

At this point the monitor goes off and the PC's fans remain powered up. Hitting keys does not wake the system up. Upon manually pulling the power and booting back up again I see this in Event Viewer (System)

11:42:49 The firmware reported boot metrics.

11:42:49 There are 0x1 boot options on this system.

11:42:49 The bootmgr spent 0 ms waiting for user input.

11:42:49 The boot menu policy was 0x1.

11:42:49 The boot type was 0x1.

11:42:51 The system has returned from a low power state.

Sleep Time: 2017-11-25T11:40:06.071483900Z
Wake Time: 2017-11-25T11:42:49.209396700Z

Wake Source: Unknown


Posted By: Montoya
Date Posted: 26 Nov 2017 at 12:30am
Did you have the ME driver package from Asrock installed ?

On my system it was installed and I could successfully install the security patched firmware ME1 as described by Parsec and on the Asrock info page https://www.asrock.com/microsite/2017IntelFirmware/


-------------
Fatal1ty Z170 Gaming-ITX/ac, Intel i5-6500, Kingston HyperX Fury 16GB, Samsung 950 Pro 512GB, Fractal Design Core 500, Win10 Pro X64


Posted By: Atma
Date Posted: 26 Nov 2017 at 1:11am
I can't update the Intel ME. I have an ASRock X299 Taichi Motherboard and according to the special ME Update Page from ASRock I have to use the ME1 Package. But when I'm running the BAT File for Windows64 I get the following error:

Error 8704: Firmware update operation not initiated due to a SKU mismatch

Can anybody tell me what's the problem here?


Posted By: rico
Date Posted: 26 Nov 2017 at 1:15am
Originally posted by Montoya Montoya wrote:

Did you have the ME driver package from Asrock installed ?

On my system it was installed and I could successfully install the security patched firmware ME1 as described by Parsec and on the Asrock info page https://www.asrock.com/microsite/2017IntelFirmware/


I DID successfully install the ME firmware patch - It's the rest of the system that is now the problem because of [now] missing ME drivers.


Posted By: chilidog23
Date Posted: 26 Nov 2017 at 9:44am
Originally posted by partofthething partofthething wrote:

I'm happy ASRock posted the links to the fixes on their page (https://www.asrock.com/microsite/2017IntelFirmware/). However, I'm a bit distraught that the files are hosted over HTTP instead of HTTPS. Downloads like this really should use TLS to prevent people between the server and the customers from injecting malicious firmware into people's machines.

Meanwhile, those of you who downloaded the files, what SHA1/SHA256 hash did they have? With sha1sum and sha256sum commands, I get:

c5cd9811598492541ff5da850027e698f01afa67  ME-consumer_11.8.50.3425.zip
366ddc9ee99e1641bee6a19554cac3c5ad4f15df8c7bdee63558f22aebe0e19c  ME-consumer_11.8.50.3425.zip


Can anyone confirm? Thanks.

Can confirm my download has the same sha256 hash. But yeah asrock come on, https all the things and put some digital signatures on there, pgp is not that hard to use.


Posted By: OrpheusXx
Date Posted: 26 Nov 2017 at 5:29pm
I have installed (I think..., cause it went so fast) the ME1 update from Asrock, followed the instructions, restarted the computer, but the Intel Detection tool still says my system is vulnerable.

Edit: so no it did not install, but created an error.txt in the folder saying: " Error 8771: Invalid File. "





Posted By: Montoya
Date Posted: 26 Nov 2017 at 7:24pm
Originally posted by rico rico wrote:


I DID successfully install the ME firmware patch - It's the rest of the system that is now the problem because of [now] missing ME drivers.

That was not my question, I was referring to the Intel Management Engine driver that is on the download page of your mainboard.

http://www.asrock.com/mb/Intel/Fatal1ty%20Z170%20Gaming%20K6+/index.us.asp#Download


-------------
Fatal1ty Z170 Gaming-ITX/ac, Intel i5-6500, Kingston HyperX Fury 16GB, Samsung 950 Pro 512GB, Fractal Design Core 500, Win10 Pro X64


Posted By: rico
Date Posted: 26 Nov 2017 at 9:37pm
Originally posted by Montoya Montoya wrote:

That was not my question, I was referring to the Intel Management Engine driver that is on the download page of your mainboard.

http://www.asrock.com/mb/Intel/Fatal1ty%20Z170%20Gaming%20K6+/index.us.asp#Download


If only it were that simple. Those drivers won't install any more (they were installed before) and now running EITHER the Windows FW updater FWUpdLcl64.exe OR the DOS version FWUpdLcl.exe returns an error:

Error 8743: Unknown or Unsupported Platform
Cannot locate hardware platform identification
This program cannot be run on the current platform.

That error is from the same tool that updated the ME firmware in the first place! Intel Management Engine was greyed out in Device Manager after updating so I removed it but that didn't help either.

I think I might need a new BIOS release to match this ME update.


Posted By: rico
Date Posted: 26 Nov 2017 at 11:59pm
All back up and running again after re-flashing my BIOS (latest for my board v7.20 over v7.20) from DOS. lex23, I suggest you do the same as you and I had the same issue with PC not powering off on shutdown after this ME patch.

One of the stages of flashing my BIOS was ME firmware installation so that put mine back to 11.6.0.1126 which is vulnerable ("This system is vulnerable" according to INTEL-SA-00086 Detection Tool) but is, more importantly, functional.

I'll wait for ASRock to post something official for my board, Fatal1ty Z170 Gaming K6+ w/i7-6700K.



Posted By: daddyo
Date Posted: 28 Nov 2017 at 3:02am
Originally posted by Montoya Montoya wrote:

Looks very unprofessional and suspicious what Asrock has come up with for their customers with affected products, providing a link that is nowhere referenced on main page, news page or support pages....

Looks like Asus is the only one on my shopping list for replacing my old Z170 mainboard, because they prove right now that they handle security issues professionally, like it always should be !!!

I'm waiting a bit longer to cast my vote on this as well. Security is not to be taken lightly. The use of official servers for patches and communication is a cornerstone principle. 

And by the way, I don't see anyone getting "angry" at Asrock on this thread. My posts are out of concern with this issue and with constructive intent.  People chiming in in their own way are justified to do so when Asrock hasn't issued a clear response yet. 

Most people are ok with waiting for a patch as long as they know it's coming. It is easy to interpret Asrock's silence + published patches for 300 series motherboards as ignoring the older models that are affected. So, hence the concern. A simple notice on the website saying that further fixes are underway would suffice. While it appears there is a microsite addressing the issue, I only found it by following this forum thread, and not on Asrock's main support page. Perhaps the communications should be a bit more streamlined? Again, this raises the valid concern that someone out there could create a fake patching site to further exploit the situation. I'm only trying to provide constructive criticism here.


Posted By: daddyo
Date Posted: 28 Nov 2017 at 3:54am
Originally posted by partofthething partofthething wrote:

I'm happy ASRock posted the links to the fixes on their page (https://www.asrock.com/microsite/2017IntelFirmware/). However, I'm a bit distraught that the files are hosted over HTTP instead of HTTPS. Downloads like this really should use TLS to prevent people between the server and the customers from injecting malicious firmware into people's machines.

Meanwhile, those of you who downloaded the files, what SHA1/SHA256 hash did they have? With sha1sum and sha256sum commands, I get:

c5cd9811598492541ff5da850027e698f01afa67  ME-consumer_11.8.50.3425.zip
366ddc9ee99e1641bee6a19554cac3c5ad4f15df8c7bdee63558f22aebe0e19c  ME-consumer_11.8.50.3425.zip


Can anyone confirm? Thanks.

This link is dead. Can't reach it?
https://www.asrock.com/microsite/2017IntelFirmware/


Posted By: rico
Date Posted: 28 Nov 2017 at 4:42am
Originally posted by daddyo daddyo wrote:

This link is dead. Can't reach it?
https://www.asrock.com/microsite/2017IntelFirmware/


Link is not dead - I can see it fine:

ctrl-c, ctrl-v

Advisory note: Intel Q3'17 ME 11.x, SPS 4.0, and TXE 3.0 Security Review Cumulative Update
Reference: Intel security vulnerabilities (INTEL-SA-00086: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr)
In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of its Intel® Management Engine (ME), Intel® Trusted Execution Engine (TXE), and Intel® Server Platform Services (SPS) with the objective of enhancing firmware resilience.

As a result, Intel has identified several security vulnerabilities that could potentially place impacted platforms at risk. Systems using ME Firmware versions 11.0/11.5/11.6/11.7/11.10/11.20, SPS Firmware version 4.0, and TXE version 3.0 are impacted. ASRock and Intel highly recommend that all customers install updated firmware and Intel® Capability License Service on impacted platforms.

For more detailed information please refer to the Intel web site:
https://security-center.intel.com/
Affected ASRock Products:
Intel 100, 200, 300
ME1: http://asrock.pc.cdn.bitgravity.com/TSD/ME-consumer_11.8.50.3425.zip
ME2: http://asrock.pc.cdn.bitgravity.com/TSD/ME-corporate_11.8.50.3425.zip

If your model Intel 100/200/300 series but not in the following list, please download ME1 package
If your model is Q170 series or in the following list, please download ME2 package


B150 Combo
B150 Gaming K4
B150 Gaming K4_D3
B150M Combo-G
B150M Pro4
B150M Pro4S
B150M Pro4V
B150M Pro4_D3
B150M Pro4_Hyper
B150M-HDV
B150M-HDV_D3
B150M-ITX
B150M-PIO
B150M-PIO2
H170 Combo
H170 Pro4_D3
H170 Combo
H170 Pro4_D3
H170 Pro4
H170 Pro4S
H170 Performance_D3
H170 Performance_ Hyper
H170 Pro4_Hyper
H170M Pro4
H170M-ITX_ac
H170M-ITX_DL
B150M Pro4S_D3
B150M-ITX_D3
H170 Performance
H170M Pro4S


Posted By: rico
Date Posted: 29 Nov 2017 at 5:12am
After my earlier woes with this patch I raised the issue with ASRock Technical Support. They suggested clearing my CMOS as a remedy but seeing as I'd already sorted myself out by re-flashing my BIOS I decided to try again this evening. This time I used the DOS flasher on a bootable USB drive and all worked perfectly - no CMOS clearing required.

tldr: Windows flasher bad. DOS flasher good.


Posted By: romf
Date Posted: 29 Nov 2017 at 10:04am
Bad luck for me, i just tried the USB bootable disk flashing method but with no success.

I got this message : (IME driver version 11.6.0.1026 already installed on my pc)

ERROR 8705 : Firmware update not initiated  due to version mismatch..


Oh well, i will try the windows method another time maybe, i don't feel like flashing my BIOS, reset the CMOS right now.. Ermm


Posted By: flashback8
Date Posted: 30 Nov 2017 at 5:22am
Hi everyone. I still haven't been able to resolve my HDCP 2.2 issue. As expected, nobody's really telling me anything useful. For now, if playback of Ultra HD discs is important, please don't apply ASRock's patch until this gets sorted out.

That said, would somebody with the Z370 Gaming-ITX/ac board be able to do me a big favor? If you haven't updated the ME firmware yet, could you download and run the MEInfo tool (https://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html) and post the results here? For an apples-to-apples comparison, you'll need to have the 11.7.4.3314 drivers installed from ASRock's support page for the board (https://www.asrock.com/MB/Intel/Fatal1ty%20Z370%20Gaming-ITXac/index.us.asp#Download), you'll also need to have SGX enabled ("Enabled," not "Software Controlled" or whatever) in the UEFI, and it'd help to have the 1.11 UEFI installed. For reference, I've pasted below my results after the patch has been applied.

Thanks.

------------

Intel(R) MEInfo Version: 11.6.25.1229
Copyright(C) 2005 - 2017, Intel Corporation. All rights reserved.

Intel(R) ME code versions:

BIOS Version                                 L1.11
MEBx Version                                 0.0.0.0000
GbE Version                                  0.2
Vendor ID                                    8086
PCH Version                                  0
FW Version                                   11.8.50.3425 H
LMS Version                                  11.7.0.1037
MEI Driver Version                           11.7.0.1032
Wireless Hardware Version                    2.1.77
Wireless Driver Version                      20.10.2.2

FW Capabilities                              0x31101140

    Intel(R) Capability Licensing Service - PRESENT/ENABLED
    Protect Audio Video Path - PRESENT/ENABLED
    Intel(R) Dynamic Application Loader - PRESENT/ENABLED
    Intel(R) Platform Trust Technology - PRESENT/DISABLED

TLS                                          Disabled
Last ME reset reason                         Firmware reset
Local FWUpdate                               Enabled
BIOS Config Lock                             Enabled
GbE Config Lock                              Enabled
Host Read Access to ME                       Enabled
Host Write Access to ME                      Disabled
Host Read Access to EC                       Disabled
Host Write Access to EC                      Disabled
SPI Flash ID 1                               C22018
SPI Flash ID 2                               Unknown
BIOS boot State                              Post Boot
OEM ID                                       00000000-0000-0000-0000-000000000000
Capability Licensing Service                 Enabled
OEM Tag                                      0x00000000
Slot 1 Board Manufacturer                    0x00000000
Slot 2 System Assembler                      0x00000000
Slot 3 Reserved                              0x00000000
M3 Autotest                                  Disabled
C-link Status                                Disabled
Independent Firmware Recovery                Disabled
EPID Group ID                                0xFFB
LSPCON Ports                                 None
5K Ports                                     None
OEM Public Key Hash FPF                      0000000000000000000000000000000000000000000000000000000000000000
OEM Public Key Hash ME                       0000000000000000000000000000000000000000000000000000000000000000
ACM SVN FPF                                  0x0
KM SVN FPF                                   0x0
BSMM SVN FPF
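
MEInfo output like the listing above can be triaged automatically when many machines need checking. The following is an added example, not part of the thread and not an Intel or ASRock tool: it extracts the `FW Version` and `MEI Driver Version` fields and compares the firmware branch with the impacted branches named in the ASRock advisory text quoted earlier in this thread. The status labels, function names and the two sample excerpts are constructed here; the version numbers in them are the ones reported by posters above.

```python
import re

# ME firmware branches named as impacted in the advisory text quoted in this thread.
IMPACTED_BRANCHES = {(11, 0), (11, 5), (11, 6), (11, 7), (11, 10), (11, 20)}
# Version carried by the ME1/ME2 packages linked in this thread.
PACKAGE_VERSION = (11, 8, 50, 3425)

# "Key   <two or more spaces>   Value" lines that start in column 0.
FIELD_RE = re.compile(r"^(?P<key>\S.*?)\s{2,}(?P<value>\S.*)$")
# Four-part version with an optional trailing token (e.g. the "H" in the listing above).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s+(\S+))?$")

# Constructed excerpts in MEInfo layout, using values reported in this thread.
SAMPLE_PATCHED = """\
Intel(R) MEInfo Version: 11.6.25.1229
BIOS Version                                 L1.11
FW Version                                   11.8.50.3425 H
MEI Driver Version                           11.7.0.1032
    Intel(R) Platform Trust Technology - PRESENT/DISABLED
"""
SAMPLE_UNPATCHED = """\
FW Version                                   11.6.0.1126
MEI Driver Version                           11.7.0.1032
"""


def parse_meinfo(text):
    """Return {field: value} for column-aligned lines; indented capability lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.rstrip())
        if m:
            fields.setdefault(m.group("key"), m.group("value").strip())
    return fields


def triage(text):
    """Classify one MEInfo dump by its firmware version."""
    fields = parse_meinfo(text)
    m = VERSION_RE.match(fields.get("FW Version", ""))
    if not m:
        # No readable firmware version (for example, no MEI driver loaded):
        # this says nothing about whether the firmware is patched.
        return {"status": "unknown", "fw_version": None,
                "suffix": None, "mei_driver": fields.get("MEI Driver Version")}
    version = tuple(int(part) for part in m.groups()[:4])
    if version[:2] in IMPACTED_BRANCHES:
        status = "impacted"
    elif version[:2] == PACKAGE_VERSION[:2] and version >= PACKAGE_VERSION:
        status = "package-or-newer"
    else:
        status = "not-listed"  # neither named as impacted nor at the package level
    return {"status": status, "fw_version": version,
            "suffix": m.group(5), "mei_driver": fields.get("MEI Driver Version")}


if __name__ == "__main__":
    for label, dump in (("patched", SAMPLE_PATCHED), ("unpatched", SAMPLE_UNPATCHED)):
        print(label, triage(dump))
```

An "unknown" result corresponds to the situation reported earlier in the thread where the detection tool could not read the ME version without a working MEI driver; it should be followed up, not counted as patched.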



Posted By: rico
Date Posted: 30 Nov 2017 at 6:45am
Can't help you there as I've a Z170 board but if you're up for a minor adventure I'd suggest you try the latest ME drivers from here: https://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html

The so-called "11.7.4.3314 drivers" you mention are actually v11.7.0.1032. You can see it yourself in mup.xml in the ME(v11.7.4.3314_SW).zip archive:

<driverversion>11.7.0.1032</driverversion>

I have a Z170 board and successfully installed v11.7.0.1045 which is actually called "Intel MEI Driver v11.7.0.1050 MEI-Only Installer" in the link above.

Maybe a driver update will sort you out?



Posted By: flashback8
Date Posted: 30 Nov 2017 at 2:21pm
Originally posted by rico rico wrote:

Can't help you there as I've a Z170 board but if you're up for a minor adventure I'd suggest you try the latest ME drivers from here: https://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html


Can't do it. Intel won't let you downgrade ME firmware. ("Error 8805" and then something about the SVN (Security Version Number) preventing it.)


Posted By: rico
Date Posted: 30 Nov 2017 at 3:59pm
Driver, not firmware. v11.7.0.1045 is the version of the "Intel Management Engine Interface" I have installed in Device Manager - System devices.


Posted By: flashback8
Date Posted: 01 Dec 2017 at 3:24am
Originally posted by rico rico wrote:

Driver, not firmware. v11.7.0.1045 is the version of the "Intel Management Engine Interface" I have installed in Device Manager - System devices.


Thanks for the suggestion. Didn't help.


Posted By: rico
Date Posted: 05 Dec 2017 at 7:10pm
Originally posted by flashback8 flashback8 wrote:


Thanks for the suggestion. Didn't help.


Looks like today's your lucky day, flashback8.

https://www.asrock.com/MB/Intel/Fatal1ty%20Z370%20Gaming-ITXac/index.asp#BIOS

1.Update Intel ME 11.8.50.3425.
2.Update Microcode
3.Enhance CPU performance.
4.Enable Intel SGX



Posted By: flashback8
Date Posted: 06 Dec 2017 at 1:58am
Hello. As a fair warning to all out there, if your board is a Gaming-ITX/ac board (Z170, Z270, or Z370), you should consider not flashing the ME firmware that was mentioned by ASRock tech support. Long story short, if you care about anything that uses HDCP 2.2 (just Ultra HD Blu-Rays and possibly 4K Netflix for now), there's something generic about the firmware that breaks HDCP 2.2. ASRock just posted v1.40 of my board's BIOS (Z370), which updates the ME firmware and possibly reflashes the LSPCON (MegaChips MDCP2800) firmware. Finally, HDCP 2.2 functionality was restored on my system. This post (https://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools-239.html#msg44623) points to some potential info if you're curious about what might be happening deep in the motherboard.

Good luck!

Originally posted by rico:

Looks like today's your lucky day, flashback8.


Indeed it is! :) That said, please note that SGX was never the problem (AFAIK). It was something far deeper. The Cyberlink advisor never complained about SGX. I'm assuming that ASRock made some sort of change in the BIOS that made SGX detection and such a bit smarter. It could be that the "Auto" SGX enabling now works instead of having to keep it turned on all the time ("Enabled"). I'll play with it and see what comes up.


Posted By: rico
Date Posted: 06 Dec 2017 at 5:05am
Originally posted by flashback8:

Hello. As a fair warning to all out there, if your board is a Gaming-ITX/ac board (Z170, Z270, or Z370), you should consider not flashing the ME firmware that was mentioned by ASRock tech support. Long story short, if you care about anything that uses HDCP 2.2 (just Ultra HD Blu-Rays and possibly 4K Netflix for now), there's something generic about the firmware that breaks HDCP 2.2. ASRock just posted v1.40 of my board's BIOS (Z370), which updates the ME firmware and possibly reflashes the LSPCON (MegaChips MDCP2800) firmware. Finally, HDCP 2.2 functionality was restored on my system.


Maybe your issue only applies to 300 series but not 100 & 200? ASRock have changed the wording of the ME patch download page to be no longer applicable to 300 series motherboards: https://www.asrock.com/microsite/2017IntelFirmware/

Before:
Quote
Affected ASRock Products:
Intel 100, 200, 300
ME1 (http://asrock.pc.cdn.bitgravity.com/TSD/ME-consumer_11.8.50.3425.zip)
ME2 (http://asrock.pc.cdn.bitgravity.com/TSD/ME-corporate_11.8.50.3425.zip)

If your model Intel 100/200/300 series but not in the following list, please download ME1 package


Now:
Quote
Intel 300 series
ASRock provides the BIOS for customers to update the ME firmware.
Please refer to the download link for ASRock 300 series motherboards:
http://www.asrock.com/support/index.asp?Model=Z370

Intel 100 and 200 series
ASRock provides the firmware package for customers to update the ME firmware.
There are 2 kinds of ME packages.
If your model is Intel 100/200 series but not in the following list, please download package ME1.
ME1 (http://asrock.pc.cdn.bitgravity.com/TSD/ME-consumer_11.8.50.3425.zip)




Posted By: flashback8
Date Posted: 06 Dec 2017 at 5:28am
Originally posted by rico:

Originally posted by flashback8:

Hello. As a fair warning to all out there, if your board is a Gaming-ITX/ac board (Z170, Z270, or Z370), you should consider not flashing the ME firmware that was mentioned by ASRock tech support. Long story short, if you care about anything that uses HDCP 2.2 (just Ultra HD Blu-Rays and possibly 4K Netflix for now), there's something generic about the firmware that breaks HDCP 2.2. ASRock just posted v1.40 of my board's BIOS (Z370), which updates the ME firmware and possibly reflashes the LSPCON (MegaChips MDCP2800) firmware. Finally, HDCP 2.2 functionality was restored on my system.


Maybe your issue only applies to 300 series but not 100 & 200? ASRock have changed the wording of the ME patch download page to be no longer applicable to 300 series motherboards: https://www.asrock.com/microsite/2017IntelFirmware/


Interesting. That definitely wasn't present yesterday. (I happened to look.) I suppose the only way to find out would be if somebody with a functioning 4K setup and a Z170 or Z270 Gaming-ITX/ac board took one for the team and upgraded. I think I might know somebody who can check. Come to think of it, I think he was upgrading his ME firmware willy nilly (11.6 -> 11.7) and HDCP 2.2 never broke. Strange, but who knows, maybe the Z370s do have something specific in the background.


Posted By: arturk
Date Posted: 19 Dec 2017 at 6:30pm
Unfortunately, I can confirm that on the Z270 Gaming-ITX/ac, HDCP 2.2 is not working anymore after the ME update. Before the update everything was OK... For me this is very problematic, since Netflix in 4K and BR UHD support is a very important part of my setup.

I've tried the newest Intel graphics drivers (15.60.01.4877) and different versions of the ME software - no luck...

Has anybody found a fix for HDCP support? Motherboards with Z370 received a BIOS update fixing this issue, but for Z270 there is nothing...



Posted By: flashback8
Date Posted: 21 Dec 2017 at 3:50pm
Originally posted by arturk:

Unfortunately, I can confirm that on the Z270 Gaming-ITX/ac, HDCP 2.2 is not working anymore after the ME update. Before the update everything was OK... For me this is very problematic, since Netflix in 4K and BR UHD support is a very important part of my setup.

I've tried the newest Intel graphics drivers (15.60.01.4877) and different versions of the ME software - no luck...

Has anybody found a fix for HDCP support? Motherboards with Z370 received a BIOS update fixing this issue, but for Z270 there is nothing...


Oh no! I'd recommend calling ASRock tech support. Don't rely on this forum. Call ASRock directly. While the tech support guy never actually got back to me as he promised (not necessary since the BIOS update fixed everything), he did say he knew what to do to fix it, and would send me a link to the appropriate software.

Also, just FYI, the update I applied for my Z370 board was a specific BIOS posted under the board's support page. It looks like there isn't one for the Z270 yet. Definitely point this out to ASRock when you call.


Posted By: arturk
Date Posted: 21 Dec 2017 at 7:05pm
I've made contact with ASRock support. Hope they will realize that with the Z270 ITX there is the same problem as with the Z370 before the BIOS update...


Posted By: flashback8
Date Posted: 22 Dec 2017 at 4:47am
Originally posted by arturk:

I've made contact with ASRock support. Hope they will realize that with the Z270 ITX there is the same problem as with the Z370 before the BIOS update...


The interesting thing is that I've been in touch with a guy who has a Z170 board. He doesn't have HDR on his setup but he has updated ME and the LSPCON chip firmware willy-nilly in the hopes of enabling HDR. Apparently, HDCP 2.2 has worked fine the entire time. Makes me think that ASRock added something starting with Z270 that can only be kept in place with a BIOS update. If so, that's really unfortunate if more problems come up down the road after Z370 support is dropped.


Posted By: dlee
Date Posted: 22 Dec 2017 at 4:49am
I updated my Z270M Pro4 with the MEI firmware. After updating, the Intel vulnerability check tool says the board is no longer vulnerable, but also reports that some sort of licensing service needs to be updated too. I don't use the board's HDMI output, but that is probably why HDCP isn't working after the MEI update. Some licensing firmware is now broken.


Posted By: arturk
Date Posted: 22 Dec 2017 at 7:15am
I received confirmation from support that HDCP should work after the IME patch. This convinced me that there is probably something wrong with my setup. I decided to clear the CMOS data and after that everything started to work... partially :-)

Why partially? Well, I discovered that when I have the 1080ti plugged into the slot and the integrated graphics card is active (set as primary device), the HDCP feature with Intel is not working anymore. I'm 100% sure that before applying the IME patch HDCP was working OK, no matter which card I was using. Notice that only Intel's integrated graphics card can provide the required PAVP for playing BR UHD movies. Do the math and guess why I'm missing it :-)

PS.
Asrock EU support - thanks for help!


