Intel® Management Engine Critical Firmware Update (Intel-SA-00086)

peatrick
Level 8
Are we going to be able to get a BIOS/firmware update for this vulnerability? I realize our boards are ~2 years old at this point, but it's a pain point to continue to deal with Intel's Management Engine on essentially every product on the market.

[Attached image]

I don't expect a fix to be released already, as this was last released/updated just over a week ago, but it'd be nice to know we can expect to see something in the future. Thanks for your time.

EDIT: Intel left this link, but I'm not able to make much sense of it (not to mention it's also nearly two years old): https://www.asus.com/News/q5R9EixxfAqo1anZ

Elkmar
Level 8
peatrick, what mb do you use?

Also, for this vulnerability ASUS uploaded firmware to their servers (and BIOS updates with this fix are also presented); just go to the download page for your mb.
English is not my native language, so I'm sorry if I make some mistakes.

peatrick
Level 8
Thank you very very much for the prompt response, @Elkmar -- apparently I haven't done enough homework, or reading. I have the ROG MAXIMUS IX HERO and am running BIOS version 1301, from way back on 2018/04/20: https://www.asus.com/us/Motherboards/ROG-MAXIMUS-IX-HERO/HelpDesk_BIOS/

I'm missing what update I should be applying. Will continue poking around, but don't think we have anything to fix this. At least according to Intel's tool, my system is still vulnerable (as you can see from the above image). Maybe I missed something, will go back and look through more downloads.

EDIT: I just noticed your pull-down system specs! We have nearly the same PC. Same CPU & mobo. You have impeccable taste!

EDIT2: I checked through all the motherboard drivers, tools, BIOS & firmware releases and there's nothing more recent than what I already have. This is really unfortunate, I don't get how to resolve this. Happen to have any links? If you run the test through on your machine, does it also say "vulnerable" or have you successfully patched your system?

My IMEI says version 1910.13.0.1060 from March 4, 2019 -- but the tool still suggests I'm vulnerable. >.<

Elkmar
Level 8
I think that problem is not SA-00086 🙂

I have seen your screencap again and have noticed that this tool detects SA-00213. We do not have an "official" ASUS download to fix this vulnerability, but we can use the firmware from this thread (I have done this and have zero problems, but do it at your own risk!): https://rog.asus.com/forum/showthread.php?105726-FIRMWARE-Intel-ME-(1xx-2xx-Series-amp-B365-Z370)

Elkmar wrote:
I think that problem is not SA-00086 🙂


Thank you, thank you, @Elkmar sir! I'll look into this later this evening, first chance I get. I fired up my laptop (HP Spectre x360, from 2017) to verify and that said "This system has been patched"


  • HP Spectre x360 - 15-bl112dx
  • Intel Core i7-8550U (1.8 GHz base frequency, up to 4 GHz with Intel Turbo Boost Technology, 8 MB cache, 4 cores)
  • 16 GB DDR4-2133 SDRAM (2 x 8 GB)
  • NVIDIA GeForce MX150 (2 GB GDDR5 dedicated)
  • 512 GB PCIe NVMe M.2 SSD


Not sure exactly what motherboard it has, but I've gotten a recent BIOS / firmware patch directly from HP, which seems to have resolved the issue. However, I'm struggling to patch this on my desktop.

EDIT: Currently running IMEI firmware version: 1910.13.0.1060 from March 4, 2019 -- so this is something we can directly download from Intel's website? I was skeptical of using the mega download link location; I prefer to use official sources when possible. This tool suggests we can only get these from our motherboard manufacturers?

>> https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

Frequently asked questions:

Q: The Intel CSME Version Detection Tool reports that my system is vulnerable. What do I do?
A: Intel has provided system and motherboard manufacturers with the necessary firmware and software updates to resolve the vulnerabilities identified in Security Advisory Intel-SA-00086.

Contact your system or motherboard manufacturer regarding their plans for making the updates available to end users.

Some manufacturers have provided Intel with a direct link for their customers to obtain additional information and available software updates (Refer to the list below).

Q: Why do I need to contact my system or motherboard manufacturer? Why can’t Intel provide the necessary update for my system?
A: Intel is unable to provide a generic update due to management engine firmware customizations performed by system and motherboard manufacturers.

Elkmar
Level 8
peatrick, 1910.13.0.1060 is not FW, it's a Windows driver!

IME consists of two parts: a driver for the OS (which we can use from Intel's site) and firmware, which is part of the BIOS. The IME firmware also consists of several parts. A firmware update often changes only Intel's part.
If you want to know more about Intel Management Engine, read this topic: https://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html

Also, on the screen from your first message I see in the explanation that the tool finds SA-00213, not SA-00086 (and the link in that explanation is completely different from https://www.intel.com/content/www/us/en/support/articles/000025619/software.html! Be more careful!). And if we want to fix this vulnerability then we must use new firmware that we can get from the win-raid forum (see link in this message) or from MoKiChU's topic; ASUS does not provide this file (and if ASUS gave us this file, it would be the same as the file from the sources that I pointed out). I used MoKiChU's file for the update and all works fine.

peatrick
Level 8
What happens when you run this tool through, @Elkmar, sir? Thank you for continuing to assist me with this.

> https://downloadcenter.intel.com/download/28632

Or if you prefer, a direct download link (for Windows tool).

My results:
----------
Tool Started 10/10/2019 5:37:18 PM
Name: i7
Manufacturer: System manufacturer
Model: System Product Name
Processor Name: Intel(R) Core(TM) i7-7700K CPU @ 4.20GHz
OS Version: Microsoft Windows 10 Pro
Status: This system is vulnerable.
Tool Stopped
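
An added example, not part of the thread or of Intel's tool: a small parser for detection-tool console output in the format pasted above, useful when such reports are collected from several machines. It also flags reports whose Manufacturer/Model fields are still the default DMI strings seen in this output. The function names, the second sample run and the "not vulnerable" status wording are assumptions made for the example.

```python
# Constructed input: run 1 is the output pasted above, run 2 is invented.
SAMPLE = """\
Tool Started 10/10/2019 5:37:18 PM
Name: i7
Manufacturer: System manufacturer
Model: System Product Name
Processor Name: Intel(R) Core(TM) i7-7700K CPU @ 4.20GHz
OS Version: Microsoft Windows 10 Pro
Status: This system is vulnerable.
Tool Stopped
Tool Started 10/10/2019 6:02:41 PM
Name: laptop
Manufacturer: HP
Model: Example Model
Status: This system has been patched.
Tool Stopped
"""

# Unfilled default DMI strings; they do not identify the board.
DMI_PLACEHOLDERS = {"system manufacturer", "system product name"}

def parse_runs(text):
    """Return one dict per 'Tool Started' ... 'Tool Stopped' run."""
    runs, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Tool Started"):
            cur = {"Started": line[len("Tool Started"):].strip()}
        elif line.startswith("Tool Stopped") and cur is not None:
            runs.append(cur)
            cur = None
        elif cur is not None and ":" in line:
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    return runs  # a run cut off before 'Tool Stopped' is dropped

def triage(run):
    """Map the Status line to a verdict; unrecognised wording is 'unknown'."""
    status = run.get("Status", "").lower()
    # "not vulnerable" is an assumed wording; the thread shows only the other two.
    if "patched" in status or "not vulnerable" in status:
        verdict = "ok"
    else:
        verdict = "vulnerable" if "vulnerable" in status else "unknown"
    ids = [run.get("Manufacturer", ""), run.get("Model", "")]
    board_known = all(v and v.lower() not in DMI_PLACEHOLDERS for v in ids)
    return {"name": run.get("Name", "?"), "verdict": verdict, "board_known": board_known}

def followups(text):
    return [t for t in map(triage, parse_runs(text)) if t["verdict"] != "ok"]
```

The pasted text carries no advisory ID, so a "vulnerable" verdict from this output alone does not say which Intel-SA advisory the tool matched.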

Elkmar
Level 8
See attachment. I emphasized the IME firmware version (the firmware is from MoKiChU's topic, as I said earlier). The IME driver is the latest from Intel's site (https://downloadcenter.intel.com/download/28679/Intel-Management-Engine-Driver-for-Windows-8-1-and-W...).

Elkmar wrote:
See attachment. I emphasized the IME firmware version (the firmware is from MoKiChU's topic, as I said earlier). The IME driver is the latest from Intel's site (https://downloadcenter.intel.com/download/28679/Intel-Management-Engine-Driver-for-Windows-8-1-and-W...).


[Attached image]

I'm definitely a version (or three) behind. Thank you again for your patience and expertise while I attempt to lock down this vulnerability.

Hi.

How is it possible that ASUS does not provide a file to solve the vulnerability SA-00213 as it did with SA-00086?

Now we have two vulnerabilities that are present and that ASUS does not resolve by providing a file for SA-00213 and SA-00241.

https://www.intel.com/content/www/us/en/support/articles/000031784/technologies.html