MozillaZine

Intel CPU vulnerabilities - both Windows and Linux

Discuss various technical topics not related to Mozilla.
Reflective

Posts: 2260
Joined: February 15th, 2007, 11:13 am

Posted November 22nd, 2017, 11:18 am

Intel has identified a number of security vulnerabilities in its Management Engine (ME) and in Server Platform Services (SPS) which can be exploited to execute arbitrary code on the system. The vulnerability affects both Windows and Linux.

Since the vulnerability concerns the firmware, it's up to manufacturers to address the issue by releasing a patch. Only Lenovo has been forthcoming so far, and a firmware update can be downloaded from their site: https://support.lenovo.com/nl/en/produc ... /len-17297

The following CPUs are vulnerable to the exploit:

  • 6th, 7th, and 8th Generation Intel Core
  • Intel Xeon Processor E3-1200 v5 and v6
  • Intel Xeon Processor Scalable
  • Intel Xeon Processor W
  • Intel Atom C3000 Processor
  • Apollo Lake Intel Atom Processor E3900 series
  • Apollo Lake Intel Pentium
  • Celeron N and J series Processors

Intel has made a tool available to determine whether your machine is vulnerable to the exploit: https://downloadcenter.intel.com/download/27150

After extracting the zip file, open the subfolder called DiscoveryToolGUI and run the exe file called Intel-SA-00086-GUI.exe (the exe may differ for the Linux version).

I ran it on my own machine and it only takes about 10 seconds to complete. In my particular case the result was negative, most likely due to my Haswell CPU, which is 5th generation, but the system of the ghacks.net site owner, Martin Brinkmann, is vulnerable. There's an image of the scan result on his machine here: https://www.ghacks.net/2017/11/22/find- ... abilities/

Grumpus

Posts: 11660
Joined: October 19th, 2007, 4:23 am
Location: ... Da' Swamp

Posted November 23rd, 2017, 9:05 am

This is the link for the GitHub Linux Detection and Mitigation tools
There's also this from the earlier article Neutralize ME on Sandy Bridge and Ivybridge
Original discovery article
This from the article:
Matthew Garrett wrote: Merely having a "vPRO" CPU and chipset isn't sufficient - your system vendor also needs to have licensed the AMT code. Under Linux, if lspci doesn't show a communication controller with "MEI" or "HECI" in the description, AMT isn't running and you're safe. If it does show an MEI controller, that still doesn't mean you're vulnerable - AMT may still not be provisioned. If you reboot you should see a brief firmware splash mentioning the ME. Hitting ctrl+p at this point should get you into a menu which should let you disable AMT.


Earlier Register Article
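
The lspci check described in the Matthew Garrett quote above, written out as a shell function. This is an added example, not part of the original post or of the linked detection tools; the function names and the sample lspci lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: apply the quoted rule to lspci output.
# On a real machine, run:  lspci | me_interface_status

# Print every "Communication controller" line whose description contains
# MEI or HECI as a whole word (case-insensitive), so that a device name
# which merely contains the letters "mei" does not count.
find_me_controllers() {
    awk '{
        line = tolower($0)
        if (line ~ /communication controller/ &&
            line ~ /(^|[^a-z0-9])(mei|heci)([^a-z0-9]|$)/) print $0
    }'
}

# First output line is "present" or "absent"; matching devices follow.
# Per the quote: "absent" means AMT is not running. "present" does not by
# itself mean AMT is provisioned; that is checked in the firmware menu.
me_interface_status() {
    hits=$(find_me_controllers)
    if [ -n "$hits" ]; then
        printf 'present\n%s\n' "$hits"
    else
        printf 'absent\n'
    fi
}

# Constructed sample input in lspci's "<addr> <class>: <description>" shape.
SAMPLE_WITH_MEI='00:00.0 Host bridge: Example Vendor Host Bridge (rev 07)
00:16.0 Communication controller: Example Vendor Chipset Family MEI Controller #1 (rev 31)
00:1f.2 SATA controller: Example Vendor SATA Controller (rev 31)'

SAMPLE_WITHOUT_MEI='00:00.0 Host bridge: Example Vendor Host Bridge (rev 07)
00:03.0 Communication controller: Example Vendor Data Modem (rev 01)
02:00.0 Ethernet controller: Meinet Example Gigabit Adapter (rev 02)'

echo "sample with MEI:"
printf '%s\n' "$SAMPLE_WITH_MEI" | me_interface_status
echo "sample without MEI:"
printf '%s\n' "$SAMPLE_WITHOUT_MEI" | me_interface_status
```

A "present" result only says the interface is exposed to the operating system; whether the firmware itself is affected is what the vendor detection tool reports.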

Grumpus

Posts: 11660
Joined: October 19th, 2007, 4:23 am
Location: ... Da' Swamp

Posted December 7th, 2017, 6:28 am

How about a little update on this Intel Management Engine
