Hello,
Maybe most of you have already read the recent article on the Intel ME vulnerability.
Does anyone know if Panasonic will update the BIOS of affected devices?
I tried to add a link to the article but it was rejected. You can search for "semiaccurate intel me vulnerability" to find it.
Regards!
Not sure about BIOS updates from Panny.
Intel provides firmware updates for ME:
http://mjg59.dreamwidth.org/48429.html
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
Better yet: just disable AMT in BIOS.
ME feels vulnerable today.
Does that count?
Is there a firmware update for ME?
Will this prevent ME from getting the flu virus?
Yepp, invented by Mr. Hoffmann at Sandoz Switzerland,
but they won't sell it anymore, as Mr. Leary used to have too much fun with it.
Intel provides fw updates to OEMs, but are OEMs going to fix all the products affected? I checked the links on Dell and Fujitsu and they already have a roadmap for ME firmware releases. Didn't see anything on the Panasonic site.
Ports 16992, 16993 etc. seem to be closed when AMT is disabled.
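A way to actually verify the "ports closed" observation above, as an added example (not code from the thread or from any of the posters): probe the AMT ports from a second machine on the same network and, if 16992 answers, read the web server's Server header. The port list is an assumption taken from Intel's AMT documentation rather than from this thread, and the check deliberately has to run from another host, because AMT is served by the ME firmware through the NIC below the OS, so `ss -ltn` or a loopback scan on the affected laptop itself will show nothing either way.

```python
"""Probe a host for the TCP ports Intel AMT serves, to confirm that
"disable AMT in BIOS" actually took effect.

Added example, not code from the thread. Run it from ANOTHER machine on
the same network: AMT answers from the ME firmware through the NIC,
below the OS, so a scan from the host itself shows nothing even when
AMT is on.
"""
import socket
from http.client import HTTPConnection, HTTPException

# Ports Intel assigns to AMT (assumption: from Intel's AMT documentation,
# not from the thread): web UI, TLS web UI, SOL/IDE-R redirection, RMCP.
AMT_PORTS = {
    16992: "AMT HTTP",
    16993: "AMT HTTPS",
    16994: "AMT redirection (SOL / IDE-R)",
    16995: "AMT redirection over TLS",
    623: "RMCP / ASF",
    664: "RMCP secure",
}


def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_amt(host, ports=None, timeout=2.0):
    """Return {port: is_open} for every AMT port (or the ports given)."""
    ports = AMT_PORTS if ports is None else ports
    return {port: tcp_open(host, port, timeout) for port in ports}


def amt_server_header(host, port=16992, timeout=2.0):
    """Fetch the web root on the AMT HTTP port and return its Server
    header, or None if nothing HTTP-like answers.

    An open 16992 could be something else; the Server header of a real
    AMT web UI names the engine and version, which a bare port scan
    cannot tell you. Unauthenticated GET only, no credentials used.
    """
    try:
        conn = HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/")
        server = conn.getresponse().getheader("Server")
        conn.close()
        return server
    except (OSError, HTTPException):
        return None


def report(host):
    """Human-readable summary; 'No AMT ports reachable' is the result
    you want to see after disabling AMT in the BIOS."""
    result = probe_amt(host)
    lines = []
    for port, is_open in sorted(result.items()):
        lines.append("%-5d %-30s %s" % (port, AMT_PORTS.get(port, "?"),
                                        "OPEN" if is_open else "closed"))
    if result.get(16992):
        lines.append("Server header on 16992: %r" % amt_server_header(host))
    elif not any(result.values()):
        lines.append("No AMT ports reachable from this host.")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    print(report(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Usage: `python3 amt_probe.py 192.168.1.23` from a neighbouring machine. A closed-everywhere result after the BIOS change is the confirmation; an open 16992 with an Intel Server header means AMT is still listening regardless of what the BIOS menu says.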
On linux systems I assume that blacklisting mei and mei_me modules would help.
Sadly, nope, afaict.
Shawn posted the link in another thread. Panasonic will provide updates this summer.
http://pc-dl.panasonic.co.jp/itn/info/osinfo20170512.html
Updates can't be installed on my cf19mk6,
due to "Error 8719 Firmware update cannot be initiated because Local Firmware Update is disabled."
aka "Bad news, you have a 'QM77 Express Chipset LPC Controller' so you have ME hardware on board and you can't control or disable it, continuing..."
Anyone else experienced this error?
http://www.toughbooktalk.com/viewtopic.php?f=39&t=3301&p=28118#p28118
I keep meaning to experiment with the ME update, but real life keeps getting in the way.
<useless info>I have updated several servers and have not seen this error.</useless>
Nevertheless, I am interested in any developments.
I am able to flash Panasonic's ME.bin after upgrading the BIOS to V06.00L12 and resetting the BIOS AMT config ("unconfiguring ME").
Okay, the boring part works.
Now to the interesting part:
I am able to extract a FWUpdClc64.exe -SAVE dump.bin, but it doesn't contain flash descriptors according to me_cleaner and ifdtool.
I am not able to flash a me_cleaned ME.bin using FWUpdClc64.exe due to a 7441 Invalid File error, even though me_cleaner -c tells me that the FTPR RSA signature is valid.
Looking at the output of "strings ME.bin" and "strings ME_cleaned.bin", I can see that the cleaned one is missing the names of Certificate Authorities ... so I guess FWUpdClc64.exe performs additional signature checks.
user@random-deb8:~/meclean/corna.me_cleaner$ ./me_cleaner.py -c ../unzipme/ME.bin
ME/TXE image detected
Found FPT header at 0x10
Found 23 partition(s)
Found FTPR header: FTPR partition spans from 0x180000 to 0x24a000
ME/TXE firmware version 8.1.71.3608
Checking the FTPR RSA signature... VALID
user@random-deb8:~/meclean/corna.me_cleaner$ ./me_cleaner.py -c ../unzipme/ME_cleaned.bin
ME/TXE image detected
Found FPT header at 0x10
Found 1 partition(s)
Found FTPR header: FTPR partition spans from 0x180000 to 0x24a000
ME/TXE firmware version 8.1.71.3608
Checking the FTPR RSA signature... VALID
user@random-deb8:~/meclean/corna.me_cleaner$ ./me_cleaner.py -c ../unzipme/ME_dumped.bin
Unknown image
user@random-deb8:~/meclean/corna.me_cleaner$ du -sk ../unzipme/ME.bin ../unzipme/ME_cleaned.bin ../unzipme/ME_dumped.bin
7660 ../unzipme/ME.bin
7660 ../unzipme/ME_cleaned.bin
3844 ../unzipme/ME_dumped.bin
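How the three verdicts above come about, as an added example (not me_cleaner's own code and not from the thread): me_cleaner decides what it is looking at from offset 0x10, where a full SPI dump carries the flash descriptor signature 0x0FF0A55A and a bare ME region carries "$FPT"; anything else is "Unknown image", which is exactly what a -SAVE dump with no descriptor and no partition table gets. The script constructs toy images standing in for ME.bin (many partitions), ME_cleaned.bin (FTPR only) and the dump, classifies them, walks the partition table, and runs the sanity checks you would want before handing a file to a flasher. Layout assumptions: a 0x20-byte FPT header followed by 0x20-byte entries with the name at +0, offset at +8 and length at +0xC, as for ME 8.x; a full image is only recognised, not descended into (finding the ME region inside it needs the descriptor's region table). The partition offsets and sizes are made up for the demo, not real ME 8.1 values.

```python
"""Classify an ME image the way me_cleaner/ifdtool do before trusting it,
then list and sanity-check its FPT partitions.

Added example, not me_cleaner's code. Offsets follow the public FPT
layout for ME <= 10 (assumption); sample images below are constructed.
"""
import struct

DESCRIPTOR_MAGIC = 0x0FF0A55A  # flash descriptor signature at 0x10 of a full SPI dump
FPT_MAGIC = b"$FPT"            # Flash Partition Table magic at 0x10 of a bare ME region
FPT_HEADER_LEN = 0x20          # assumption: 0x20-byte header, as me_cleaner uses for ME <= 10
FPT_ENTRY_LEN = 0x20


def classify_image(data):
    """Mirror me_cleaner's first decision: 'full', 'me_region' or 'unknown'."""
    if len(data) < 0x14:
        return "unknown"
    if struct.unpack_from("<I", data, 0x10)[0] == DESCRIPTOR_MAGIC:
        return "full"
    if data[0x10:0x14] == FPT_MAGIC:
        return "me_region"
    return "unknown"


def parse_fpt(data, fpt_offset=0x10):
    """Return [(name, offset, length)] for every FPT entry."""
    if data[fpt_offset:fpt_offset + 4] != FPT_MAGIC:
        raise ValueError("no $FPT header at 0x%x" % fpt_offset)
    count = struct.unpack_from("<I", data, fpt_offset + 4)[0]
    entries = []
    base = fpt_offset + FPT_HEADER_LEN
    for i in range(count):
        off = base + i * FPT_ENTRY_LEN
        name = data[off:off + 4].rstrip(b"\x00").decode("ascii", "replace")
        part_off, part_len = struct.unpack_from("<II", data, off + 8)
        entries.append((name, part_off, part_len))
    return entries


def fpt_sanity(data, fpt_offset=0x10):
    """Pre-flash checks: FTPR present, every partition inside the image,
    no two partitions overlapping. Returns a list of findings (empty == ok)."""
    findings = []
    entries = parse_fpt(data, fpt_offset)
    if "FTPR" not in [name for name, _, _ in entries]:
        findings.append("FTPR partition missing")
    spans = sorted((o, o + l, n) for n, o, l in entries if l)
    for start, end, name in spans:
        if end > len(data):
            findings.append("%s ends at 0x%x beyond image size 0x%x" % (name, end, len(data)))
    for (_, end1, name1), (start2, _, name2) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append("%s overlaps %s" % (name2, name1))
    return findings


def build_me_region(partitions, size=0x4000):
    """Construct a toy ME region (not real firmware) with an FPT at 0x10."""
    img = bytearray(b"\xff" * size)
    img[0x10:0x14] = FPT_MAGIC
    struct.pack_into("<I", img, 0x14, len(partitions))
    for i, (name, off, length) in enumerate(partitions):
        e = 0x10 + FPT_HEADER_LEN + i * FPT_ENTRY_LEN
        img[e:e + 4] = name.encode("ascii").ljust(4, b"\x00")
        struct.pack_into("<II", img, e + 8, off, length)
    return bytes(img)


# Constructed stand-ins for ME.bin, ME_cleaned.bin, a -SAVE dump and a full
# SPI dump. Partition offsets/sizes are invented for the demo.
OEM_IMAGE = build_me_region([("FTPR", 0x1000, 0x1000), ("NFTP", 0x2000, 0x1800), ("MFS", 0x400, 0xc00)])
CLEANED_IMAGE = build_me_region([("FTPR", 0x1000, 0x1000)])
DUMP_IMAGE = b"\xff" * 0x4000  # no descriptor, no $FPT -> "Unknown image"
FULL_IMAGE = b"\xff" * 0x10 + struct.pack("<I", DESCRIPTOR_MAGIC) + b"\xff" * 0x3fec


if __name__ == "__main__":
    for label, img in [("ME.bin", OEM_IMAGE), ("ME_cleaned.bin", CLEANED_IMAGE),
                       ("ME_dumped.bin", DUMP_IMAGE), ("spi_full.bin", FULL_IMAGE)]:
        kind = classify_image(img)
        print("%-16s %s" % (label, kind))
        if kind == "me_region":
            for name, off, length in parse_fpt(img):
                print("    %-4s 0x%06x - 0x%06x" % (name, off, off + length))
            print("    findings:", fpt_sanity(img) or "none")
```

Note what the sanity pass does not cover: it says nothing about the RSA signature over FTPR (me_cleaner -c does that) and nothing about the extra checks the OEM updater evidently performs, which is the actual puzzle in the post above.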
hmmm ...
I updated one of my TBs a couple of days ago and got an ME error.
I rebooted and all was good.
This is the first time this has happened over maaany TBs.
Hmm, I seem to have stumbled upon a race condition in the second fwupdlcl verification step, the chip-based one.
This allowed me to use the internal programmer to corrupt the write-protected ME regions.
I am just not really sure yet what exactly happened, or how generic its use is ... but it seems to solve my issue.
https://github.com/corna/me_cleaner/issues/64
The files that I used:
https://filebin.ca/3ZoqtxiQEx5m/ME.bin
https://filebin.ca/3ZorKoSiEbI2/MEREG-muchdisable.bin
Hello Karl,
Be careful not to break the ME completely, since I read that if it is not working it will shut down the machine in 30 minutes. I recommend making a full dump of the chip with a programmer so you have a backup.
For a normal flash update with the Panasonic file you need a fully working ME; that means the BIOS should report the correct version and the OS should detect the ME interfaces and also have the drivers installed.
I saw some Toughbooks with the BIOS reporting ME N/A, and there are strange things happening, like a power-on boot not detecting the network card but a reboot (not power off/power on) detecting it after that. Once the laptop is powered off and on again the network card is again not detected.
If you want to use me_cleaner, from what I know you need a BIOS dump made with a programmer and not a save backup from the ME tools. ME tools under the OS can only read partial stuff, not the full region.
Is this your machine with ME version N/A? When you start it, does it take longer to see the Panasonic logo on the screen than on the same machine with the correct ME version? If you boot Linux starting from power-on, not reboot, do you see the LAN card ready and working?
Hi tomcatsniper, you are correct.
Except for the little fun fact that I seem to have found a race condition in the ME Local FW Update feature, which allowed me to update a me_cleaned ME.bin directly using fwupdlcl by hijacking an OEM ME.bin update session. See the GitHub link for details.
I never timed it. I saw no reason to. Why is boot time a concern?
Same machine never had ME so I can't compare it to anything anyway.
No I am NOT flashing ME on it just to see.
Do you mean LAN or WLAN? I don't use LAN so I disable it in BIOS.
What does Linux have to do with this? ... confused.
BTW, flashing my BIOS file onto your mk6 with software WILL NOT WORK.
The chip MUST be removed and flashed with a hardware PROGRAMMER.
You will destroy the chip or motherboard removing it. I suggest the chip. Have a new chip on hand.
Sorry if I am cranky.
This is day 3 of NO caffeine... This is self-imposed and may not last much longer. I am to the point that I'm getting on my own nerves.
If I may inquire, what drugs might those be?
Yeppers ...
I quit caffeine (soda, tea, etc.) after I wound up in the hospital 4 years (?) ago ... mainly due to a viral infection chewing on/up my heart.
After that my BP was hard to control ... meds and other stuff required.
After quite some time my doc said I could have two cups of coffee in a 24-hour period.
Oh boy!
Heh ... here I was all set to enjoy a cup in the morning ... smelled ok ... took a sip and gagged a little.
Can't say whether it was the meds, my taste buds and nose coming back to life (I had also quit smoking ... another neat story) or both.
I started making my own coffee and (eventually) I could have two cups a day without my BP/heart rate launching.
Twice a day I recorded my BP/heart rate and other symptoms or notes on a spreadsheet held on my '30 and my main Windows machine.
A friend commented after a couple of years: "I thought the caffeine and nicotine were affecting you adversely ... I can now see that that was not the case ... you are still a horse's arse".
But from what you are saying, it could be that your laptops have the ME removed from the factory and this is working fine. It would be nice to have the option to order the laptop without ME firmware. Fewer issues, I would say.
Standard boot delay as far as I am concerned.
It would be interesting to have a full dump to see how they did it the official way and not with me_cleaner.
Maybe you can have a look and post some details from the BIOS dump.
The official way is supposed to be via the HAP bit and maybe an org-specific ME.
story: http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
code: https://github.com/corna/me_cleaner/commit/350903a695851dda20b2be5d6099b58e377653b7
Oh lol, "the soviets" will be presenting a method for running UNSIGNED code inside ME v11+ in London during December.
https://www.blackhat.com/eu-17/brie...unsigned-code-in-intel-management-engine-8668
[..] In a subsystem change that will be detailed in the talk of Intel ME version 11+, a vulnerability was found. It allows an attacker of the machine to run unsigned code in PCH on any motherboard via Skylake+. The main system can remain functional, so the user may not even suspect that his or her computer now has malware resistant to reinstalling of the OS and updating BIOS. [..]
Intel ME vulnerability (BIOS Updates?!)
Discussion in 'Panasonic' started by tomcatsniper, May 3, 2017.