Critical Flaws in Computers Leave Millions of PCs Vulnerable

My Thinkpad is also already patched, thankfully; no wonder recent ME firmware update was marked as critical.

 

Nobody should put too much stock in the assessment tool from Intel. It is unreliable and can mis-report vulnerability on a properly patched system using the correct IME firmware and drivers. If you have the right firmware and drivers, ignore the information reported by Intel's buggy piece of crap "tool" (very fitting to call it a tool, LOL).

P870DM-G and ASUS desktop are both patched with official "safe" firmware and drivers designed specifically to fix the bug. Both show to be patched until shut down and cold boot, then the tool reports both machines are vulnerable in error.

See screen shots below demonstrating the flaw and unreliability in the Intel assesment tool.

Before Cold Boot:

After Cold Boot:

 

Yes, just exact the same happened with me. Do I need to repeat the process.

 

Ignore it. It's bogus. We have the correct firmware and drivers, but the tool is just unreliable. I know my surprised look is not on my face. Hardly anything is reliable in today's world. Errors and mis-reported information are status quo in almost everything. Technology is no exception.

 

I hope so.

 

If not, then we are all in the same boat. If the ME firmware and drivers that are patched for this specific purpose are still vulnerable there is no fix for anyone. Worrying about it will not fix the mis-reported information, or the bug if the patch and drivers are broken. There are plenty of other things in our world that I can think of that warrant worry more than this silly thing.

If I were a betting man, I would bet the bug is the crappy assessment tool and not the firmware and drivers.

 

I removed the driver from device manager and reinstall it again, and now telling me "This System is not vulnerable" ,, like you said It seems that Intel tool has issues.

 

Yes, I did this about 5 times each on the P870DM-G and my desktop with ASUS mobo. Both are identical. Both show patched and safe. Shut down. Cold boot. Both show vulnerable.

 

I'd go a bit further and not trust it either way, and block all known ports that could be used for this vulnerability, and other as yet not found bugged access.

This is the tip of the iceberg so to speak, and I would take this vulnerability as more a wake up call than something to simply "patch" once.

But, it is odd that patching it and testing before rebooting says "Ok", and after rebooting it says "Not Ok". Not cool.

We need external 3rd party test(s) for verification.

But, until then I wouldn't ignore Intel's test completely, if it still says your computer is vulnerable I'd assume it still is indeed vulnerable.

In other words don't trust the patch installer any more than the test. I'd report the patch / update behavior back to the vendor, watch for further fix updates, and keep blocking ports.

 

It is true that the drivers at first may fix it but a cold boot breaks the fix. What a joke this is all turning out to be.

 

Mine was working after a cold boot.

 

As I said before I flashed the updates, I'm not worried about it. I was not before and I am not now. I don't even install Micro$loth updates or use antivirus software. I also do not wear a helmet when riding my bike. It is not worth losing any sleep over it or worrying about it. I'm not blocking anything that is not already blocked in my modded hosts file and firewall. Que sera sera.

The right firmware and drivers are the right firmware and drivers. The assessment tool is inconsistent, or the patches are inconsistent. Would not be the first time something was broken and we don't know which one. In some ways it is comical. Watching Micro$loth and Intel playing grab-ass on security baloney is like watching a monkey trying to molest a football.

 

Sorry, Mr fox

 

Just another reason for me to stick to my Sandy/Ivy bridge Machines. Always hates ME. This could spur big influx in things like LibreBoot or Coreboot.

 

Sorry? About what?

 

just in a bad mood. chest pains, severe back swelling, marfan syndrome and scoliosis. And all this computer BS.
Don't worry about it. I"m also angry about that "hypothetical" GT73VR setting "Hybrid Power enabled/disabled" and "battery voltage 0-100", and i feel that if it actually exists, SOMEONE should know about it and how to activate it. All these people in the world and not one person knows how about it? I have extreme OCD so i can't just....forget about it.

i'm sorry.
Happy thanksgiving, Mr Fox and Prema!

 

If you have Intel ME Firmware 11.8 your safe however if you have 11.0 or 11.5 like I have your vulnerable. Intel ME driver version doest matter as that's not where the exploit is. Its in the firmware which is in the bios.

Sent from my SHIELD Tablet K1 using Tapatalk

 

Do we know what the changes are that remove the "NULL" login? I didn't see the change, but then again Intel doesn't share everything about what is running in ME and related processes outside our view and control.

Is Intel removing the web server and all the service access ports, or what do you want to bet Intel is simply "adding" a password (they can share), replacing the "NULL" password currently allowing access to anyone that can connect?

 

As far as I've read on some of these Security forums the password is redundant, so long as you have physical access to the USB ports you can access the ME JTAG functionality anyways.

 

There are Intel ME network access security issues, which is the subject of this thread and the current hoopla, then there is the Intel AMT / ME bug and patch from a few months ago, then there is the unfixed USB hack, and I am sure there will be more security holes along with more "fixes" coming for ME as long as ME and Intel exist.

Even the current fix fails, some are experiencing an ineffective "fix" with Intel's tool still reporting the CPU / System as Vulnerable after rebooting.

I assume Intel is actually exercising the vulnerability and not just checking for "version" numbers, so if Intel's tool's tests and says you are still vulnerable after patching, you are still vulnerable after patching.

It's best to just bulldozer all the Intel CPU based machines and move to AMD, ARM, or other CPU based systems, as the ME "hole" will never be completely patched, unless it's code is fully removed and the "feature" nullified completely.

Google has an effort to get rid of ME completely, but we'll see how that goes. There have already been a few projects to stub ME into ineffectiveness, use the magic NSA flip bit to exit starting the services during boot up, but Google is planning on getting rid of the OS loading completely.

Google Working To Remove MINIX-Based ME From Intel Platforms
by Leon Chan November 8, 2017 at 7:45 AM
http://www.tomshardware.com/news/google-removing-minix-management-engine-intel,35876.html

"Intel’s Management Engine (ME) technology is built into almost all modern Intel CPUs. At the Embedded Linux Conference, a Google engineer named Ronald Minnich revealedthat the ME is actually running its own entire MINIX OS and that Google is working on removing it. Due to MINIX’s presence on every Intel system, the barebones Unix-like OS is the most widely deployed operating system in the world.

Intel’s ME technology is a hardware-level system within Intel CPUs that consists of closed-source firmware running on a dedicated microprocessor. There isn’t much public knowledge of the workings of the ME, especially in its current state. It’s not even clear where the hardware is physically located anymore. At its inception in 2006, the ME was reportedly located on the MCH (northbridge), but when that became integrated into the CPU beginning with Nehalem, ME was moved to the PCH (current-day “southbridge”).

Where the ME’s code is stored also isn’t clear. Intel has said that it, at least at one point, was loaded into system DDR RAM. The ME has access to many, if not all, of the platform’s integrated devices, such as Intel network controllers. It can also access the main system RAM (the DDR RAM) through DMA. Much has changed in Intel’s platform since some of this was reported, however, so the state of ME now isn’t well understood. Intel, of course, keeps many of the details veiled in secrecy for security purposes."

AMD really has picked a great time to come to market with competitive alternatives to all of Intel's CPU's, because all of Intel's CPU's need alternatives.

 

I'm with Mr. Fox on this.

As for AMD being here for us is just a false sense of security too - issues will crop up about those security measures too. We just don't know about them today...

 

I wonder when Intel by themselves, finally find out that their Intel-vulnerability detection tool is pure junk? What's being detected is a lottery. The ME lottery, LOOL

 

I'm sure they're aware and working on it as we speak...

 

EXACTLY. Just wait. This kind of "problem" is a hallmark trait of the industry now. Everyone that spends any amount of time on these forums should immediately recognize that. Especially so with the amount of drama that always surrounds it.

 

As far as platforms none are 100% safe. Intel though lately has gotten more than their fair share of 'Oooopsies'. I find it funny the fanboys were claiming just recently that you need to depend and purchase on Intel's reputation though.

 

MSI seems to have a manual firmware updater on their european FTP site for the ME.
http://msi-ftp.de:8080/main.html
in the test folder called ME118H.rar
Still, better to just update it with the manual instructions on win-raid forums.

 

As for purchasing Intel on reputation - it wasn't for the unknown (at the time) security side of things. Rather; it was (mostly) for the dependability, availability and compatibility side of things. But of course; that distinction may have been forgotten because posts get deleted needlessly around here.

 

It runs at a lower level than the OS.

 

It looks like the exposure potential could escalate on December 6th:

Black Hat Europe 2017 Dec 4-7, 2017 London United Kingdom
HOW TO HACK A TURNED-OFF COMPUTER, OR RUNNING UNSIGNED CODE IN INTEL MANAGEMENT ENGINE
Mark Ermolov | Security researcher, Positive Technologies
Maxim Goryachy | Security researcher, Positive Technologies
Location: ICC Capital Suite, Level 3, Room B
Date: Wednesday, December 6 | 3:30pm-4:30pm
Format: 50-Minute Briefings
Tracks: Platform Security, Hardware/Embedded
https://www.blackhat.com/eu-17/brie...unsigned-code-in-intel-management-engine-8668

"In our presentation, we will tell how we detected and exploited the vulnerability, and bypassed built-in protection mechanisms."

Worries over Intel’s Management Engine grow after new flaws found
https://nakedsecurity.sophos.com/20...-mangement-engine-grow-after-new-flaws-found/

"Officially, ME is there to make remote troubleshooting for support engineers easier, including – and this is not a misprint – when the PC is turned off but still plugged into the wall.

But ME’s ubiquity and startling capabilities matter to a growing body of critics worried about the security implications of running what, in effect, is an independent system-within-a-system – the Intel-inside-Intel if you like.

The latest salvo was September’s promise by Russian researchers Maxim Goryachy and Mark Ermolov of Positive Technologies to host a session at next month’s Black Hat Europe event during which they would demo an exploit capable of compromising ME to gain “god mode” control over a PC.

This week Intel put out an urgent security advisory confirming the issue, so it seems the pair weren’t simply talking up their presentation to get bums on seats.

Intel lists four ME vulnerabilities ( CVE-2017-5705, CVE-2017-5708, CVE-2017-5711, CVE-2017-5712), affecting a swathe of recent processors running ME Firmware v11.x onwards as well as Server Platform Services v4.0 and TXE v3.0.

Several vulnerable processors are listed – anyone running a computer or server based on a Core, Xeon, Atom, Celeron, or Pentium from the last two years can assume they are affected.

Intel has posted a utility to check for these bugs, but ME firmware fixes will need to come from each hardware maker, which is where things get messier.

For instance, a visit to Dell’s support pages lists fixes for its servers but also shows the words “to be determined” next to 100 or more of the PC systems the company supports.

Users looking for a quick fix shouldn’t hold their breath."

Mitigating CVE-2017-5689, an Intel Management Engine Vulnerability
http://blog.trendmicro.com/trendlab...7-5689-intel-management-engine-vulnerability/

"Given CVE-2017-5698’s impact, which can be compounded by the other flaws identified in Intel’s latest security advisory, users and system administrators are urged to update

and patch their MEs. Blocking or disabling the use of ports 16992-16995, which the vulnerability leverages, is also recommended."

INTEL AMT VULNERABILITY TRACKING PAGE
https://www.ssh.com/vulnerability/intel-amt/

"According to CERT VU#491375, AMT listens for remote commands on several known ports. Intel's documentation mentions that ports 16992 and 16993 allow web GUI interaction with

AMT. Other ports that may be used by AMT include 16994 and 16995, and 623, and 664"

Follow the recommendations for port blocking, should your vulnerable computer be exposed to direct internet (unfiltered) connectivity, as a laptop may through the day moving from network to network.

 

MSI Global English Forum > Motherboards > MSI Intel boards > Is MSI going to address the recent Intel ME vulnerability?
https://forum-en.msi.com/index.php?topic=295249.0

The search on MSI forum's isn't quotable, you'll need to run the search yourself once in their forum: Intel SA-00086

 

This thread has been cleaned to try and keep it on subject only, there are many other threads for the other subjects.

 

Darn it! I must have missed something. Thanks for cleaning it up before I had a chance to see what happened.

 

Uninstalling Intel MEH now...

 

Maybe I can use my DM-G to hack my desktop, or vice versa. Sounds like fun. Especially if I can do it while it while the hacked machine is turned off.

 

Updated Intel-SA-00086 Detection Tool Version: 1.0.0.135 (Latest) Date: 11/27/2017 @Mr. Fox @Phoenix @Dr. AMK @Ashtrix +++ all not mentioned here.

Will the new one above work better?

 

Its 20% faster in saying Your System is Vulnerable.
More like applying salt on fresh wounds.

 

It's the same for me still my system is vulnerable.

 

You tested directly after download?
I restarted and got This system is not vulnerable. I shut down, then fire up again and got same message. Try it.

 

Did Prema publish the firmware update?

 

driver update ain't gonna fix that. FW update is needed.

Please post a screenie.

 

It worked for me when I unzipped it and ran it on the desktop. Will test on the P870DM-G now. Thanks Brother @Papusan.

If it is still showing some systems are vulnerable, I would still question the accuracy of the Intel assessment tool. You can't have it both ways. It is either patched or not. I changed nothing since patching and the Intel tool cannot make up its mind. @Prema used the same ME firmware update on his Clevo and it always shows patched using the older tool.

---

And, the Clevo with exactly the same ME Firmware says vulnerable using the new tool, LOL. From this we can conclude it either is or isn't and it doesn't matter what the tool says. If you have the latest firmware, it's patched. Whether the patch needs to be patched is open for speculation, but the speculation won't change whether it is or is not vulnerable.

 

Intel® ME 11.8.50.3425 or higher have the vulnerabilities patched.

 

THIS!!↑↑↑

Both after reboot and shut down.

 

SVN 3 and above is the criteria. Check the docs included in vulnerability checking tool.

 

The trouble is the tool produces inconsistent results and it is misleading. When it shows vulnerable with the correct firmware, the SVN has changed from 3 to 0. This is most likely a bug in the driver producing inconsistent or misreported test results. The latest available ME drivers are older than the firmware. Will most likely show patched correctly using the tool after the next ME driver is released.

 

We all (both) know what JUNK-TRASH is coming from Intel's hands... Both their BLOAT/firmware and HARDWARE!!

 

Desktop still shows patched after reboot.

 

Same here. For the BGA-KILLER!!

Its....

 

Both machines showed vulnerable using the older tool, LOL.

I have some services that are disabled with the desktop that are still active on the Clevo. Let me try killing them and see if the tool suddenly changes its mind about whether or not it is vulnerable.