5 Replies Latest reply on Jun 9, 2017 12:28 PM by michael_a_intel

    microLMS running after FW Patching to fix SA-00075

    caegear

Hello all, I hope this is the correct place for my SA-00075-related questions.

       

I got my new used laptop (HP Elitebook 8770w) on the 15th of May. Installed clean Win7 64-bit, and went on to load and update drivers. Found several that made me look closely at anything related to SA-00075, because it is a vPro system.

       

      HP has a Patch for 00075 that I have applied:

      - Intel Corporate Management Engine (ME) Firmware Component - Version: 8.1.71.3608

       

      HP also has a BIOS update that I have applied:

      - SOFTPAQ FILE NAME: SP79723.exe - BIOS VERSION: F.65 REV: A PASS: 1

       

I have run several of the recommended Intel diagnostics tools trying to determine whether my system now is safe and secure (preferably safe enough for me to start using ME / AMT), and the one that both confuses me the most and at the same time looks to give the most useful information is the "INTEL SA-00075 DiscoveryTool", that outputs this information:

       

      Risk Assessment

      Based on the version of the ME, the System is Check With OEM.

      If Vulnerable, contact your OEM for support and remediation of this system.

      For more information, refer to CVE-2017-5689 in the following link: CVE-2017-5689

      or the Intel security advisory Intel-SA-00075 in the following link: INTEL-SA-00075

      INTEL-SA-00075 Discovery Tool GUI Version

      Application Version: 1.0.1.39

      Scan date: 20.05.2017 13:44:05

       

      Host Computer Information

      Name: CAEGEAR-PC

      Manufacturer: Hewlett-Packard

      Model: HP EliteBook 8770w

      Processor Name: Intel(R) Core(TM) i7-3720QM CPU @ 2.60GHz

      Windows Version: Microsoft Windows 7 Professional

       

      ME Information

      Version: Unknown

      SKU: Unknown

      Provisioning Mode: None Detected

      Control Mode: None

      Is CCM Disabled: Unknown

      Driver installation found: False

      EHBC Enabled: False

      LMS service state: NotPresent

      microLMS service state: Running

       

      First question:

I gather the status "Check with OEM" means Intel can't confirm HP's Patch for ME is fixing the 00075. Neither does HP supply me with a probing tool that lets me know 00075 is fixed after Patch. Would anyone share their take on whether I can assume "Check with OEM" means I'm OK as long as I Patched according to OEM?

       

      Second, and more important (to me anyway) question:

I have not installed or started a service called "microLMS". I can not find it (or info about it) in the registry or in any documentation available to me (locally, from HP, here on the Intel site, or in Google). I have found that one version of this "microLMS" is placed in the extraction folder for the Intel SA Discovery Tool, and I have found another, much larger file online from Mesh Commander / Intel Mesh / Mesh Central (MeshCentral). Both are called "Mesh Agent Service", one signed by "MasterRoot" and one signed "Intel". I guess the first of these is a Beta version Intel Mesh Central uses for the web UI, and the second one extracted by the Discovery tool is some "full version" of this small LMS service. The one Mesh Central / Mesh Commander use is afaik (and according to Ylian @ intel / meshcentral) just a port forwarding tool for integration between AMT and Web UI / Meshes. What the Intel-signed smaller one is, I have no idea.

       

      Screenshots of the two "microLMS" exes properties:

      scr001.png

      scr002.png

      scr003.png

       

      And (tadaaa...) my question is:

Is there an actual service running on my computer called "microLMS"? Does the Discovery tool from Intel invoke it from its own directory upon start of the Tool for some kind of auditing purpose? Is it used to confirm port binding of some sort, and thus the last line in the result from the Discovery tool stating "microLMS service state: Running" does not mean an LMS service is actually running on my system?

       

As I said, I can not for the life of me find a service through the Windows GUI that remotely looks like it is called "Mesh agent service", Meshagent, microLMS, or anything containing those words. Nor have I installed anything other than drivers and updates to the fresh (as of 15 May 2017) Windows 7 64-bit Pro. If I have a service running, I would love to know where it originated from (how it even came to reside on my system), if I can disable it, but maybe more importantly if it is an actual indication of a running service that I may or may not want.

       

Sorry this post may be a bit long. I am trying to relay enough information for anyone to maybe understand me, and I am not very versed in many of the (to me) complex IT-systems-related terms I suddenly find I am kind of forced to understand in order to make my new (used of course) HP Elitebook 8770w actually be mine to administer.

        • 1. Re: microLMS running after FW Patching to fix SA-00075
          michael_a_intel

          caegear

           

          Hi there,

           

          No apology necessary for the long post, we actually like a LOT of detail when reading through these so we can formulate the best response, so thank you for the detail.  I believe in your post, you have two questions.  Please let me know if I missed something and apologies for the delay in response:

           

           

          First question:

I gather the status "Check with OEM" means Intel can't confirm HP's Patch for ME is fixing the 00075. Neither does HP supply me with a probing tool that lets me know 00075 is fixed after Patch. Would anyone share their take on whether I can assume "Check with OEM" means I'm OK as long as I Patched according to OEM?

           

          Answer:

If you applied the HP Version 8.1.71.3608 patch, the firmware has been validated by the OEM, and you then performed an unprovision/reprovision of your system (if it was provisioned previously), then your system is considered remediated.

           

          Second, and more important (to me anyway) question:

I have not installed or started a service called "microLMS". I can not find it (or info about it) in the registry or in any documentation available to me (locally, from HP, here on the Intel site, or in Google). I have found that one version of this "microLMS" is placed in the extraction folder for the Intel SA Discovery Tool, and I have found another, much larger file online from Mesh Commander / Intel Mesh / Mesh Central (MeshCentral). Both are called "Mesh Agent Service", one signed by "MasterRoot" and one signed "Intel". I guess the first of these is a Beta version Intel Mesh Central uses for the web UI, and the second one extracted by the Discovery tool is some "full version" of this small LMS service. The one Mesh Central / Mesh Commander use is afaik (and according to Ylian @ intel / meshcentral) just a port forwarding tool for integration between AMT and Web UI / Meshes. What the Intel-signed smaller one is, I have no idea.

           

Is there an actual service running on my computer called "microLMS"? Does the Discovery tool from Intel invoke it from its own directory upon start of the Tool for some kind of auditing purpose? Is it used to confirm port binding of some sort, and thus the last line in the result from the Discovery tool stating "microLMS service state: Running" does not mean an LMS service is actually running on my system?

           

          Answer:

          The discovery tool utilizes MicroLMS, for example, if a system is not running LMS, the discovery tool will run MicroLMS included with the tool. MicroLMS is needed for a local application to talk down to the firmware.

          2 of 2 people found this helpful
          • 2. Re: microLMS running after FW Patching to fix SA-00075
            caegear

Thank you Michael! I have applied the patch, but I did encounter some snags on the way related to HP SoftPaq seemingly "forgetting" I had applied it, and asking me to apply it again every time I rebooted. After three tries I posted my question here. Since I could not tell whether my system was actually Patched or not (Discovery Tool did not yield anything absolute) and SoftPaq repeatedly asked me to install it, I also have followed several mitigation guides just in case.

             

HP support is still trying to help me figure out what happened to SoftPaq, and they are trying to help me verify the Patch is actually applied.

             

            Is there any way I can check if my ME version is now updated? The only mentions of its versions that I have been able to get from any app, applet or Commands (from Admin-elevated CMD-prompts) after a week of trying to patch and confirm is from HWINFO64 reporting this:

            MEver001.png

            MEver002.png

            MEver003.png

             

            I checked in BIOS (selected ESC during boot and then option F6 (MEBx)) to see what the menu said, and it says the same as HWINFO64. This is the heading of my MEBx BIOS page: "Intel (r) Management Engine BIOS Extension v8.0.0.0069 / Intel (r) ME v8.1.3.1350".

Does this not contradict me having successfully Patched?

             

I have contacted HP support, and they have spent a couple of days trying to help me (running apps and commands that all fail getting anything other than error messages), to no avail. They are still looking into "my case" and why SoftPaq behaves erratically, and I am sure they will figure something out in the end.

             

Short recap of HP help in the making:

            hp_sp80195a.png

(I am sure this screendump reveals my lack of experience in this field, and yes, I only executed the first line. All the rest magically happened...)

             

            But until then. Please, do you know of any way I can check my current ME version for sure?

             

When you say HP should first verify the Patch is ok, then I should unprovision and then reprovision, does that mean I should provision my ME / AMT in MEBx before I apply the Patch in the first place? I suspect I may have my laptop in "Factory State" regarding ME. And I am sure I have done everything humanly possible to stop anything from running at OS level related to ME / AMT. I have never entered MEBx and set a password.

             

            Thank you again!

             

            Claus

            • 3. Re: microLMS running after FW Patching to fix SA-00075
              michael_a_intel

              caegear

               

              Hi Claus,

               

              To check current ME version for sure, there are many options to do this.  The easiest is to boot to MEBx on the system.  Usually, on startup on an HP system, if you hit ESC, it will bring you to a menu where you can access MEBx...from there you can check what version of ME you are running.

               

              Alternatively you can download the SCS_download_package here: Download Intel® Setup and Configuration Software (Intel® SCS) and in the "configurator" folder, there is an executable called ACUConfig.exe which you must run in an administrative command prompt.  You MUST be running LMS or it won't work.  Run this command:

               

ACUConfig.exe SystemDiscovery
ACUConfig.exe Status

              You can also download the MEI driver package from HP for your system and run MEInfo.exe.

               

              For your second question:

               

              By default, your system will not be provisioned.  This is something that you would have to do.  You had it a little backwards...

              IF your system is provisioned, you must UNPROVISION, update the firmware (closes the vulnerability) and then provision if you want to be able to manage the endpoint.

               

              Let me know if you have more questions.

               

              Regards,

              Michael

              1 of 1 people found this helpful
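The version comparison Michael describes (MEBx reports 8.1.3.1350, HP's SA-00075 patch is 8.1.71.3608, "Check With OEM" appears when the tool cannot read a version at all) can be automated against the Discovery Tool's text output. This is an added example, not Intel's, HP's or the Discovery Tool's own code; the fixed-version table holds only the ME 8.x value quoted in this thread and is assumed incomplete for other ME branches.

```python
import re

# Minimum patched ME firmware per major version. Only the 8.x value is taken
# from this thread (HP's SA-00075 patch, ME 8.1.71.3608); other branches must
# be filled in from your OEM's advisory (assumption: table is incomplete).
FIXED_VERSIONS = {8: (8, 1, 71, 3608)}

VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_report(text):
    """Collect the 'Key: Value' lines of the Discovery Tool output into a dict.
    Splits on the first ':' only, so 'Scan date: 20.05.2017 13:44:05' survives."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_version(value):
    """'8.1.3.1350' -> (8, 1, 3, 1350); 'Unknown' or malformed -> None."""
    if not VERSION_RE.match(value):
        return None
    return tuple(int(part) for part in value.split("."))


def assess(report):
    """Return one of: 'patched', 'vulnerable', 'unknown', 'no-fix-data'.
    'unknown' mirrors the tool's 'Check With OEM' result: the version could not
    be read, typically because no LMS was present and the tool's bundled
    microLMS fallback could not get an answer from the firmware."""
    fields = parse_report(report)
    version = parse_version(fields.get("Version", "Unknown"))
    if version is None:
        return "unknown"
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return "no-fix-data"
    return "patched" if version >= fixed else "vulnerable"


# Constructed samples modelled on the reports quoted in this thread.
REPORT_NO_LMS = """ME Information
Version: Unknown
LMS service state: NotPresent
microLMS service state: Running"""
REPORT_BEFORE = "Version: 8.1.3.1350\nLMS service state: Running"
REPORT_AFTER = "Version: 8.1.71.3608\nLMS service state: Running"

if __name__ == "__main__":
    for name, rep in [("no LMS", REPORT_NO_LMS), ("before", REPORT_BEFORE), ("after", REPORT_AFTER)]:
        print(f"{name}: {assess(rep)}")
```

An "unknown" result is not a clean bill of health; it means the firmware version was never read, which in this thread was the symptom of the missing MEI driver and LMS service.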
              • 4. Re: microLMS running after FW Patching to fix SA-00075
                caegear

                Michael,

                 

Thank you so much! I have got it Patched now, thanks to your input. Just for reference, if anyone ever manages to mess this thing up to the extent I did,

                Here are the steps I had to take:

                 

                1: Started SoftPaq (HP drivers and updates suite) and ignored its claims regarding what was downloaded and what was installed.

I then found the MEI drivers "Intel Management Engine Interface (MEI) Driver" (SoftPaq 57380) and installed them.

- This driver reinstalled and started the LMS, UNS and ME services / drivers in my OS, and I let them all have full access to whatever network connections they wanted.

                 

                This is a screen capture of the SoftPaq window:

                vuln_ME4.png

                 

                2: Tried to install the HP SoftPaq SP80195 again, but it failed like before. It just flashed a CMD-prompt and exited without any info given, other than the

                OS.log file located in the SP80195 extraction directory is updated with current date.

                 

                3: Rebooted, and entered MEBx BIOS. MEBx page still said: "Intel (r) Management Engine BIOS Extension v8.0.0.0069 / Intel (r) ME v8.1.3.1350", so Patch not applied.

                 

                4: Exited MEBx BIOS page and booted to Windows

                 

                5: After Boot, I ran the Intel-SA-00075-GUI.exe, and it showed this:

                vuln_ME.png

                I found it strange LMS was not running, and went into Start > Control Panel > Administrative Tools > Services, and double checked the service was indeed running,

                and ran the Discovery Tool again:

                vuln_ME1.png

                I guess the Service just needed a bit more time to start than I had given it...

                 

                6: Started HP SoftPaq and selected the sp80195 from the "This Computer > Downloaded SoftPaqs" window. I right-clicked it and selected

                "Unpack to directory" and renamed the default directory (sp80195) to "sp80195a":

                vuln_ME5.png

                 

                7: I then navigated to the new "sp80195a" directory, and double-clicked the "CallInst.exe", and that _finally_ seemed to unpack, install and Patch

                my Firmware (The CMD-prompt did not just flash and fail, but ran a full install that took a minute or so...):

                vuln_ME2.png

                8: I rebooted, and ran the Discovery Tool again, and there it was:

                vuln_ME3.png

                 

                Finishing off

                I guess my last steps will be to decide If I am going to let all the ME-services and components keep running on my system or if I will disable

                everything again. It is tempting to Provision my system and play around with this to see if I find it useful to be able to access my system remotely,

but my system is only managed by me and its use will be solely CAD / CAM and 2D design and I can't actually imagine a scenario where I would

                benefit from having this running in the background.

                 

                - - - -

                 

                Just out of curiosity, I ran a fresh PassMark on my system to see if there was any noticeable effects of having the services running:

                 

                Before ME Patch:

                passmark_hp8770wbeforeME.png

                After ME Patch:

                passmark_hp8770wAfterMEacti.png

I don't think those differences have anything to do with this Patch, and it will not be noticeable that the LMS, UNS, ME services are running...

                 

                And My HWINFO64-info now looks like this:

                hwinfo001.png

                hwinfo002.png

                hwinfo003.png

                 

                And a new drop-down is present after Update and Patch showing "Intel ME" as a separate listing:

                hwinfo004.png

                 

                So. Thank you again Michael!

                All in all, it looks like what was needed was for me to understand that I had to install the MEI-drivers and let all services (LMS, UNS, ME)

be running before I could Patch. I know I could have just said "thank you Michael, it worked" and left this post at that, but just in case anyone

                 

                - Guess this entire post should be renamed "How to unmess ME and apply SA00075-Patch after having followed too many Mitigation guides

                online without understanding what one is doing"...

                 

                Claus

                • 5. Re: microLMS running after FW Patching to fix SA-00075
                  michael_a_intel

                  caegear

                   

                  Hi Claus,

                   

                  I really enjoyed reading the information you posted.  I also agree, you could have just said "thank you" but your post is SO much better, especially for other community members to read.  Thank you Claus for all of the effort you've given.  I'm going to have to favorite this one! 

                   

                  Regards,

                  Michael