12 Replies Latest reply on Dec 11, 2017 4:29 PM by 4meBeach

    Intel-SA-00086

    4meBeach

      Hello

       

      Regarding Intel-SA-00086

       

      If the manufacturer of the motherboard does not provide a patch for this bug, what can be done?

      From what I understand, firewalling does not help to protect from a hacker gaining access, but would it help with an external firewall/router?


        • 1. Re: Intel-SA-00086
          Intel Corporation
          This message was posted on behalf of Intel Corporation

          Hi 4meBeach,

          I understand the motherboard maker still has not provided an update to fix the Intel SA-00086. I am sorry for the inconvenience.

          Please bear in mind that Intel has addressed this problem by making an update available to equipment manufacturers. If you already consulted with your motherboard maker, I recommend checking with the board manufacturer for further updates for your computer model.

          Until the appropriate firmware update is applied, Intel highly recommends that system owners follow good security practices and ensure that potentially impacted systems are physically secured if possible.

          Regards,
          Allan J.
           

          • 2. Re: Intel-SA-00086
            4meBeach

            Hi Allan

             

            Thanks for your response.

             

            It's not that they have not provided an update, it's that they seem to not care to make one at all even though I've contacted them and provided them with several links to Intel's web page for more information on the bug. The computers it regards are OEM from China, company named HYSTOU.

             

            My question remains, if it's possible to protect against these bugs with an external firewall? If you know?

            I just bought two new computers from them, both vulnerable according to the Intel python scripts. So it kind of sucks if I now have to throw these away just because of this bug. Several hundred dollars down the drain if there is no way of stopping an attacker.

            • 3. Re: Intel-SA-00086
              N.Scott.Pearson

              Well Tony, I hope that you are screaming your displeasure with this vendor, who is obviously callous and completely uninterested in the security of the systems sold, every place that you can (including to them). Your opinion matters and, if you scream loud enough, long enough and widely enough, people will hear and start to avoid using this vendor's products as a result. The vendor will eventually get the message and address this bad attitude...

               

              If you have a good firewall between your subnet and the internet, a direct attacker won't be able to see that your systems even exist, let alone attack them. Still, most attacking software is loaded indirectly, not directly. In most cases, you actually invite this software into your systems through poor practices on your own part (visiting nefarious web sites, downloading software without verifying location or content, etc.). Make sure you are careful and make sure that you are always running a good internet protection package (like Norton, McAfee, etc.).

               

              ...S

              • 4. Re: Intel-SA-00086
                4meBeach

                Hey Scott

                 

                Yes, I'm still trying to get them to understand the importance of this update. I have as well contacted Aliexpress where their products are sold and asked the support to get in contact with the engineers of this company or someone higher up that may take it more seriously, but if they will have any better luck with it remains to be seen, but I doubt it.

                 

                I feel obligated to post the manufacturer's name (HYSTOU) in case this page shows up in any search result on Google should anyone be so smart to do a bit of research before buying from them. Should they get back to me with a patch, I'll be sure to update this thread again clearing their name.

                 

                Thank you for clarifying this regarding firewalling and the risks associated with it.

                • 5. Re: Intel-SA-00086
                  4meBeach

                  I have a follow-up question regarding these found bugs.

                  It's stated here: Intel® Management Engine Critical Firmware Update (Intel-SA-00086)

                  That the functions affected by these bugs are:

                  • Intel® Management Engine (Intel® ME)
                  • Intel® Trusted Execution Engine (Intel® TXE)
                  • Intel® Server Platform Services (SPS)

                   

                  So, when looking at the specifications for i3 7100U & N3050 CPUs, there is no mention of Management Engine nor of Server Platform Services, and for Trusted Execution Engine the specifications say 'no'. Does it mean that in these particular cases, the bugs do not affect these CPUs even though it's in the generation of CPUs that normally would have been affected?

                  • 6. Re: Intel-SA-00086
                    N.Scott.Pearson

                    Speculating is a waste of time. Run the tool and see if it says you are vulnerable. If it says you are not, then you have nothing to worry about. If it says you are, then you need to get a BIOS update from your board manufacturer that contains the fix for the vulnerability.

                     

                    ...S

                     

                    P.S. The embedded processors family (those ending in U) have a version of the Chipset (PCH) component embedded in their SOC. This PCH will contain those microcontrollers necessary for the capability set offered by the SOC. As far as I know, the ME is always included. It is the ME interface that is used for communicating with these microcontrollers and it is the ME interface that contains the vulnerability.

                    • 7. Re: Intel-SA-00086
                      4meBeach

                      Well, speculating is not a waste of time when they won't provide an update. I would prefer to not have to buy a new set of computers.

                      • 8. Re: Intel-SA-00086
                        N.Scott.Pearson

                        It most certainly is! Run the tool and you will know (that's why it was provided!).

                        ...S

                        • 9. Re: Intel-SA-00086
                          4meBeach

                          Yes Scott, I did of course run the tool (why I'm posting here). The tool says for two out of three computers here "Detection Error: This system may be vulnerable". But what does "may" mean? I read up further on the bug, and it seems that the biggest would be the web interface accessible through port 16992 (source https://www.blackhat.com/docs/us-17/thursday/us-17-Evdokimov-Intel-AMT-Stealth-Breakthrough-wp.pdf ). To my knowledge this web interface does not exist on either of these computers, at least not what I can access through my browser. I know from the PDF that the bug can still be exploited through local software, but my main concern would be access through the web.

                           

                          So to judge from this PDF, if port 16992 is blocked by external firewall, this would at least stop any remote attempt on exploiting this bug?

                          • 10. Re: Intel-SA-00086
                            4meBeach

                            ** bump **

                            • 11. Re: Intel-SA-00086
                              N.Scott.Pearson

                              Hhmmm, sorry Tony, I thought I responded to this conversation, but my response doesn't appear to be here. What I said - and knowing me, probably in a much more verbose fashion - was essentially: don't count on it. While the port may be blocked from external accesses, most attacks happen internally. That is, attacking software gets onto a system through some means (phishing, web access, etc.) and, if activated, can then attack any system on the subnet. Bottom line, you want to continue to push the board manufacturer to provide an updated firmware (BIOS) package that includes the fixes for this issue.

                               

                              ...S

                              • 12. Re: Intel-SA-00086
                                4meBeach

                                No worries Scott !

                                Ok, well, one of the computers was only supposed to do work for me and running scripts all day long. Nobody will be using the computer and it will have no services besides port 80 open so I would not be too concerned about it if blocking the web-access port will be effective for blocking network attacks.

                                 

                                But I tell you, finding fan-less mini-computers (as these are) with good performance is hard, and once you go fan-less you don't want to go back. That's kind of the biggest issue to be honest. I mean, there are thousands of computers to choose from if I were to get new ones, but to find something that has the kind of performance they are selling and is completely silent seems impossible. Usually it's like J1900 or some Atom CPU compared to i3/i5 or i7 from China. Going from a 1037U to i3 was a big step up and big difference in performance.

                                 

                                Anyway, I've tried to the best of my ability to contact them, even tried getting in contact with them through their forum (topminipc.com - Index page) but it seems the moderator has to approve all messages before they are posted, and since my message isn't showing up I'm guessing they are removing it to avoid the issue. I'm baffled that a company would act like this and though I very much like the fan-less models I really regret buying them. Such a mess.
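
Added example, not part of the original thread and not Intel's detection tool: a small check for whether the AMT web-interface port discussed above (16992) answers on machines you administer, run from a different machine on the same subnet so it tests what other hosts on the LAN can reach. Port 16993 (the TLS variant of the same interface) and the function names are assumptions added here.

```python
#!/usr/bin/env python3
"""Check whether Intel AMT's web-interface ports answer on hosts you administer."""
import socket
import sys

# 16992 is the port named in the thread; 16993 is its TLS counterpart
# (assumption added for this example, not mentioned in the thread).
AMT_PORTS = {16992: "AMT web UI (HTTP)", 16993: "AMT web UI (HTTPS)"}


def probe(host, port, timeout=2.0):
    """Return 'open', 'closed', 'filtered' or 'unreachable' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # something accepted the connection
    except ConnectionRefusedError:
        return "closed"            # host answered, nothing is listening
    except socket.timeout:
        return "filtered"          # no answer at all, e.g. dropped by a firewall
    except OSError:
        return "unreachable"       # no route, name lookup failure, etc.


def audit(hosts, ports=AMT_PORTS, timeout=2.0):
    """Map each host to {port: state}."""
    return {h: {p: probe(h, p, timeout) for p in ports} for h in hosts}


def exposed(report):
    """List the (host, port) pairs where a listener answered."""
    return sorted((h, p) for h, states in report.items()
                  for p, s in states.items() if s == "open")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: amt_port_check.py HOST [HOST ...]")
    report = audit(sys.argv[1:])
    for host, states in report.items():
        for port, state in states.items():
            print(f"{host}:{port} {AMT_PORTS[port]}: {state}")
    # Non-zero exit when any AMT port answered, so the check can be scripted.
    sys.exit(1 if exposed(report) else 0)
```

A port that does not answer only shows the network interface is not reachable from where the check ran; it says nothing about the local exploitation path mentioned in post 9, which still needs the firmware update.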