Announcement

Collapse
No announcement yet.

Intel Releases Linux-Compatible Tool For Confirming ME Vulnerabilities

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Intel Releases Linux-Compatible Tool For Confirming ME Vulnerabilities

    Phoronix: Intel Releases Linux-Compatible Tool For Confirming ME Vulnerabilities

    Intel's SA-00086 Detection Tool has Linux support and will confirm whether your system is vulnerable to the recently published Management Engine (ME) security issues...

    Phoronix, Linux Hardware Reviews, Linux hardware benchmarks, Linux server benchmarks, Linux benchmarking, Desktop Linux, Linux performance, Open Source graphics, Linux How To, Ubuntu benchmarks, Ubuntu hardware, Phoronix Test Suite

  • #2
    Intel ME is wrong in so many ways. It just needs to vanish completely.

    Comment


    • #3



      kristoffer@kristoffer-ubuntu-desktop:~/Hämtningar$ sudo ./intel_sa00086.py
      [sudo] lösenord för kristoffer:
      INTEL-SA-00086 Detection Tool
      Copyright(C) 2017, Intel Corporation, All rights reserved

      Application Version: 1.0.0.128
      Scan date: 2017-11-23 18:42:57 GMT

      *** Host Computer Information ***
      Name: kristoffer-ubuntu-desktop
      Manufacturer: System manufacturer
      Model: System Product Name
      Processor Name: AMD Ryzen 7 1700X Eight-Core Processor
      OS Version: Ubuntu 17.10 artful (4.14.1-041401-generic)

      *** Risk Assessment ***
      Detection Error: This system may be vulnerable, please install the Intel(R) MEI/TXEI driver (available from your system manufacturer).

      For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link:


      Comment


      • #4
        If you have a motherboard on this list, dual BIOS or a programmer capable of flashing BIOS EPROM chip then you can use me_cleaner to remove most of the intel ME code from your system:

        https://github.com/corna/me_cleaner (download bios, strip ME, flash bios). Vast majority of recent kernels do have no problems running without ME, but there is nonzero risk of bricking your motherboard (check issue #3 for success stories and tested boards).

        Comment


        • #5
          Originally posted by Brisse View Post



          kristoffer@kristoffer-ubuntu-desktop:~/Hämtningar$ sudo ./intel_sa00086.py
          [sudo] lösenord för kristoffer:
          INTEL-SA-00086 Detection Tool
          Copyright(C) 2017, Intel Corporation, All rights reserved

          Application Version: 1.0.0.128
          Scan date: 2017-11-23 18:42:57 GMT

          *** Host Computer Information ***
          Name: kristoffer-ubuntu-desktop
          Manufacturer: System manufacturer
          Model: System Product Name
          Processor Name: AMD Ryzen 7 1700X Eight-Core Processor
          OS Version: Ubuntu 17.10 artful (4.14.1-041401-generic)

          *** Risk Assessment ***
          Detection Error: This system may be vulnerable, please install the Intel(R) MEI/TXEI driver (available from your system manufacturer).

          For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link:

          It took me 2 seconds to understand that you tested the Intel tool on a Ryzen system, nice one hahaha

          Comment


          • #6
            Originally posted by Brisse View Post
            ... please install the Intel(R) MEI/TXEI driver (available from your system manufacturer)...
            Christ on a bike. Do you know who my system manufacturer is? It's ME. Some of us know how to plug things into the sockets where they fit and then install an OS, it isn't that difficult (connecting the case wires to the mobo can be a bit fiddly, but hey).

            What's involved in sorting this out for those of us who don't get our stuff from Dell? Is it like a BIOS/UEFI update or something? Or is there an update you can run when you're actually booted into the OS?

            This is crap, the little I know about Intel ME is that it is very low level, how do they justify writing crappy code like this that's so difficult to diagnose and patch?

            Maybe they should have coded this stuff in Rust

            Comment


            • #7
              And how do we know that there is not another backdoor in this tool?

              Comment


              • #8
                Originally posted by Brisse View Post

                Yeah, don't know what the fuss is about either Brisse

                Code:
                $ ./intel_sa00086.py
                INTEL-SA-00086 Detection Tool
                Copyright(C) 2017, Intel Corporation, All rights reserved
                
                Application Version: 1.0.0.128
                Scan date: 2017-11-23 19:20:00 GMT
                
                *** Host Computer Information ***
                Name: khouri
                Manufacturer: ASUSTeK COMPUTER INC.
                Model: GL702ZC
                Processor Name: AMD Ryzen 7 1700 Eight-Core Processor
                OS Version: Fedora 27 Twenty Seven (4.14.1+)
                
                *** Risk Assessment ***
                Detection Error: This system may be vulnerable, please install the Intel(R) MEI/TXEI driver (available from your system manufacturer).
                
                For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link:
                https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

                Comment


                • #9
                  Originally posted by kaprikawn View Post
                  Christ on a bike. Do you know who my system manufacturer is?
                  Yes, it's the motherboard manufacturer.

                  It's ME. Some of us know how to plug things into the sockets where they fit and then install an OS, it isn't that difficult (connecting the case wires to the mobo can be a bit fiddly, but hey).
                  This does not make you a "manufacturer" any more than a guy in a Ford assembly line is "manufacturing" cars.
                  You are just doing the dumb and menial job of connecting standardized components.

                  What's involved in sorting this out for those of us who don't get our stuff from Dell? Is it like a BIOS/UEFI update or something? Or is there an update you can run when you're actually booted into the OS?
                  It's a UEFI update and comes from your own board manufacturer.

                  Or, if you want to take the situation in your own hands you can buy a hardware flasher (to read/write manually the UEFI chip) and try the "me_cleaner" tool linked above that neutralizes the ME.

                  (the hardware flasher + another PC allows you to reflash back the original UEFI firmware in case something goes bad, among other things)

                  This is crap, the little I know about Intel ME is that it is very low level, how do they justify writing crappy code like this that's so difficult to diagnose and patch?
                  It allows their businness customers to maintain control over PCs and motherboards they sell to the end users, and they probably pay for the privilege.

                  Comment


                  • #10
                    Code:
                    Intel(R) spsInfo Version: 4.2.74.9
                    Copyright(C) 2005 - 2017, Intel Corporation. All rights reserved.
                    
                    Platform stepping value is 49
                    
                    Error 8193: Cannot locate ME device
                    Nice to see me_cleaner works

                    I used the cleaner on a Kaby Lake laptop; here's my report for anyone interested: https://github.com/corna/me_cleaner/...ment-343714315

                    Comment

                    Working...
                    X