This message was posted on behalf of Intel Corporation
I understand the motherboard maker still has not provided an update to fix the Intel SA-00086. I am sorry for the inconvenience.
Please bear in mind that Intel has addressed this problem by making an update available to equipment manufacturers. If you already consulted with your motherboard maker, I recommend checking with the board manufacturer for further updates for your computer model.
Until the appropriate firmware update is applied, Intel highly recommends that system owners follow good security practices and ensure that potentially impacted systems are physically secured if possible.
Thanks for your response.
It's not that they have not provided an update, it's that they seem not to care to make one at all even though I've contacted them and provided them with several links to Intel's web page for more information on the bug. The computers it regards are OEM from China, from a company named HYSTOU.
My question remains: is it possible to protect against these bugs with an external firewall? If you know?
I just bought two new computers from them, both vulnerable according to the Intel python scripts. So it kind of sucks if I now have to throw these away just because of this bug. Several hundred dollars down the drain if there is no way of stopping an attacker.
Well Tony, I hope that you are screaming your displeasure with this vendor, who is obviously callous and completely uninterested in the security of the systems sold, every place that you can (including to them). Your opinion matters and, if you scream loud enough, long enough and widely enough, people will hear and start to avoid using this vendor's products as a result. The vendor will eventually get the message and address this bad attitude...
If you have a good firewall between your subnet and the internet, a direct attacker won't be able to see that your systems even exist, let alone attack them. Still, most attacking software is loaded indirectly, not directly. In most cases, you actually invite this software into your systems through poor practices on your own part (visiting nefarious web sites, downloading software without verifying location or content, etc.). Make sure you are careful and make sure that you are always running a good internet protection package (like Norton, McAfee, etc.).
Yes, I'm still trying to get them to understand the importance of this update. I have also contacted Aliexpress, where their products are sold, and asked the support to get in contact with the engineers of this company or someone higher up that may take it more seriously, but whether they will have any better luck with it remains to be seen, but I doubt it.
I feel obligated to post the manufacturer's name (HYSTOU) in case this page shows up in any search result on Google, should anyone be so smart as to do a bit of research before buying from them. Should they get back to me with a patch, I'll be sure to update this thread again clearing their name.
Thank you for clarifying this regarding firewalling and the risks associated with it.
I have a follow up question regarding these found bugs.
It's stated here: Intel® Management Engine Critical Firmware Update (Intel-SA-00086)
That the functions affected by these bugs are:
- Intel® Management Engine (Intel® ME)
- Intel® Trusted Execution Engine (Intel® TXE)
- Intel® Server Platform Services (SPS)
So, when looking at the specifications for i3 7100U & N3050 CPUs, there is no mention of Management Engine nor of Server Platform Services, and for Trusted Execution Engine the specifications say 'no'. Does it mean that in these particular cases, the bugs do not affect these CPUs even though it's in the generation of CPUs that normally would have been affected?
Speculating is a waste of time. Run the tool and see if it says you are vulnerable. If it says you are not, then you have nothing to worry about. If it says you are, then you need to get a BIOS update from your board manufacturer that contains the fix for the vulnerability.
P.S. The embedded processors family (those ending in U) have a version of the Chipset (PCH) component embedded in their SOC. This PCH will contain those microcontrollers necessary for the capability set offered by the SOC. As far as I know, the ME is always included. It is the ME interface that is used for communicating with these microcontrollers and it is the ME interface that contains the vulnerability.
Well, speculating is not a waste of time when they won't provide an update. I would prefer to not have to buy a new set of computers.
It most certainly is! Run the tool and you will know (that's why it was provided!).
Yes Scott, I did of course run the tool (why I'm posting here). The tool says for two out of three computers here "Detection Error: This system may be vulnerable". But what does "may" mean? I read up further on the bug, and it seems that the biggest would be the web interface accessible through port 16992 (source https://www.blackhat.com/docs/us-17/thursday/us-17-Evdokimov-Intel-AMT-Stealth-Breakthrough-wp.pdf ). To my knowledge this web interface does not exist on either of these computers, at least not what I can access through my browser. I know from the PDF that the bug can still be exploited through local software, but my main concern would be access through the web.
So to judge from this PDF, if port 16992 is blocked by external firewall, this would at least stop any remote attempt on exploiting this bug?
** bump **
Hhmmm, sorry Tony, I thought I responded to this conversation, but my response doesn't appear to be here. What I said - and knowing me, probably in a much more verbose fashion - was essentially: don't count on it. While the port may be blocked from external accesses, most attacks happen internally. That is, attacking software gets onto a system through some means (phishing, web access, etc.) and, if activated, can then attack any system on the subnet. Bottom line, you want to continue to push the board manufacturer to provide an updated firmware (BIOS) package that includes the fixes for this issue.
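Scott's point is that an external firewall says nothing about what a foothold inside the LAN can reach, so the useful check is made from another machine on the same subnet. The script below is an added example, not code from either poster or from Intel: it reports whether the AMT web-interface ports answer on a given host. Port 16992 is the one named in the thread; 16993 is the TLS variant of the same AMT web interface. The target address is a constructed placeholder for a box on your own network.

```python
"""Added example (not from the thread): check from another host on the same
subnet whether a machine answers on the Intel AMT web-interface ports.

16992 is the port named in the thread; 16993 is the HTTPS variant of the same
AMT web interface. The host address used in __main__ is a constructed
placeholder for a system on your own LAN."""
import socket
from typing import Dict, Iterable

# Standard Intel AMT web-interface ports (16992 HTTP, 16993 HTTPS).
AMT_WEB_PORTS = (16992, 16993)


def check_ports(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Return {port: "open" | "closed" | "filtered"} for host.

    "open":     TCP handshake completed, something is listening there.
    "closed":   the host actively refused (RST); nothing is listening.
    "filtered": no answer within the timeout, typically a firewall drop.
    """
    results: Dict[int, str] = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except (socket.timeout, OSError):
            results[port] = "filtered"
    return results


def amt_web_reachable(host: str, ports: Iterable[int] = AMT_WEB_PORTS,
                      timeout: float = 1.0) -> bool:
    """True if any AMT web port on host accepts a TCP connection."""
    return any(state == "open" for state in check_ports(host, ports, timeout).values())


if __name__ == "__main__":
    target = "192.0.2.10"  # constructed placeholder: a machine on your own LAN
    for port, state in check_ports(target, AMT_WEB_PORTS).items():
        print(f"{target}:{port} {state}")
    print("AMT web interface reachable from this host:", amt_web_reachable(target))
```

Run it from a second machine on the LAN, not from the internet side of the firewall: "filtered" from outside and "open" from inside is exactly the situation Scott describes, where the border firewall rule does not protect against a compromised host on the same subnet.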
No worries Scott!
Ok, well, one of the computers was only supposed to do work for me and run scripts all day long. Nobody will be using the computer and it will have no services besides port 80 open, so I would not be too concerned about it if blocking the web-access port will be effective for blocking network attacks.
But I tell you, finding fan-less mini-computers (as these are) with good performance is hard, and once you go fan-less you don't want to go back. That's kind of the biggest issue to be honest. I mean, there are thousands of computers to choose from if I were to get new ones, but to find something that has the kind of performance they are selling and is completely silent seems impossible. Usually it's like J1900 or some Atom CPU compared to i3/i5 or i7 from China. Going from a 1037U to i3 was a big step up and a big difference in performance.
Anyway, I've tried to the best of my ability to contact them, even tried getting in contact with them through their forum ( topminipc.com - Index page ) but it seems the moderator has to approve all messages before they are posted, and since my message isn't showing up I'm guessing they are removing it to avoid the issue. I'm baffled that a company would act like this and though I very much like the fan-less models I really regret buying them. Such a mess.
Follow up question:
I updated my microcode under Linux. Does this solve this particular bug?
No, absolutely not! The SA-00086 vulnerabilities are in the firmware for the Management Engine. The only way to address these vulnerabilities is with updated ME firmware. Further, since the location of the ME firmware within the Firmware Hub is controlled by the BIOS designer, Intel cannot provide a generic update package for this firmware. As a result - and also because the ME firmware is bundled with the BIOS firmware - you need a BIOS update to get this firmware.
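The distinction Scott draws can be seen directly on a Linux box: the CPU microcode revision is loaded by the OS and shows up in /proc/cpuinfo, while the ME firmware lives in the flash and its version is exposed separately by the mei kernel driver. The script below is an added example, not from the poster or from Intel, that reads and parses both sources; the sample strings in the test are constructed, and /sys/class/mei/mei0/fw_ver is only present on recent kernels with the mei driver loaded. If the microcode field changes after your update but the ME version does not, that is the situation described above: the microcode update did nothing for SA-00086.

```python
"""Added example (not from the thread): read the CPU microcode revision and the
ME firmware version from their separate Linux sources, to show that updating
one does not touch the other.

/proc/cpuinfo "microcode" field: loaded by the kernel at boot (OS-updatable).
/sys/class/mei/mei0/fw_ver: reported by the mei driver, one line per firmware
component in the form 'platform:major.minor.hotfix.build' (recent kernels)."""
import re
from pathlib import Path
from typing import List, Optional

CPUINFO = Path("/proc/cpuinfo")
MEI_FW_VER = Path("/sys/class/mei/mei0/fw_ver")


def parse_microcode(cpuinfo_text: str) -> Optional[str]:
    """Return the microcode revision (e.g. '0x84') from /proc/cpuinfo text, or None."""
    m = re.search(r"^microcode\s*:\s*(\S+)", cpuinfo_text, re.MULTILINE)
    return m.group(1) if m else None


def parse_me_versions(fw_ver_text: str) -> List[str]:
    """Return the 'major.minor.hotfix.build' strings from mei fw_ver text."""
    versions: List[str] = []
    for line in fw_ver_text.splitlines():
        m = re.match(r"\s*\d+:(\d+\.\d+\.\d+\.\d+)", line)
        if m:
            versions.append(m.group(1))
    return versions


def read_or_none(path: Path) -> Optional[str]:
    """Read a file, returning None when it is absent (no mei device, non-Linux)."""
    try:
        return path.read_text()
    except OSError:
        return None


def report(cpuinfo_text: Optional[str], fw_ver_text: Optional[str]) -> dict:
    """Combine both sources into one dict; 'me_present' is False when mei is absent."""
    return {
        "microcode": parse_microcode(cpuinfo_text) if cpuinfo_text else None,
        "me_present": fw_ver_text is not None,
        "me_versions": parse_me_versions(fw_ver_text) if fw_ver_text else [],
    }


if __name__ == "__main__":
    r = report(read_or_none(CPUINFO), read_or_none(MEI_FW_VER))
    print("CPU microcode revision:", r["microcode"] or "unavailable")
    print("ME interface present:", r["me_present"])
    print("ME firmware version(s):", r["me_versions"] or "none reported")
```

Record the ME version before and after applying the board maker's BIOS update as well; that is the only number that should move for SA-00086.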