Intel® NUCs
Assistance in Intel® NUC products

NUC6CAYH vulnerable according to CSME Version Detection Tool

RvdH
New Contributor I
2,241 Views

Intel® Converged Security and Management Engine Version Detection Tool Version: 4.0.1.0 (3.1.0.0 as well BTW) reports the NUC6CAYH as being vulnerable on the Trusted Execution Engine being at version 3.1.70.2334.

Latest BIOS update is from end 2019, is the TXE going to be patched on this NUC model?

0 Kudos
30 Replies
Esteban_D_Intel
Moderator
1,746 Views

Hello RvdH,

Thank you for posting on the Intel® communities.  

The BIOS version 0066 contains security fixes. This BIOS version is dated for 12/17/2019.

I would strongly recommend the update of the latest BIOS version. You can find it here.


After the update of the BIOS, please run the utility again. In case the vulnerability message is still showing after the update, I would appreciate it if you could attach a picture of the message to the thread.


Please reply at your earliest convenience to check results.


Esteban D.

Intel Technical Support Technician  


0 Kudos
RvdH
New Contributor I
1,740 Views

@Esteban_D_Intel 

Sorry, I think you misunderstood me, the unit is already running the latest BIOS 0066. I also have a NUC6CAYS model that reports the same issue, this unit is also running the latest BIOS 0066.

Screenshots attached, CSME Version Detection Tool 3.1.0.0 and CSME Version Detection Tool 4.0.1.0

0 Kudos
RvdH
New Contributor I
1,735 Views

SSU report 

BaseBoard Manufacturer	Intel Corporation	
BIOS Mode	Legacy	
BIOS Version/Date	Intel Corp. AYAPLCEL.86A.0066.2020.0107.1027 , 07-01-2020 12:00	
CD or DVD	Not Available	
Embedded Controller Version	22.0	
Platform Role	Desktop	
Processor	Intel(R) Celeron(R) CPU J3455 @ 1.50GHz , GenuineIntel	
Secure Boot State	On	
SMBIOS Version	3.0	
Sound Card	Not Available	
System Manufacturer	Intel Corporation	
System Model	NUC6CAYH	
System SKU	Not Available	
System Type	x64-based PC	
0 Kudos
n_scott_pearson
Super User Retired Employee
1,726 Views

@RvdH,

The SSU tool has the capability to save the report as a text file. Please produce this file and attach to a response post.

...S 

0 Kudos
Esteban_D_Intel
Moderator
1,716 Views

Hello RvdH,

Thank you so much for your response and clarification.


I would appreciate if you could attach the full SSU report following the steps below:

    

Intel® System Support Utility (Intel® SSU) Download link 

  

1. Open the application and click on "Scan" to see the system and device information. 

2. By default, Intel® SSU will take you to the "Summary View".   

3. Click on the menu where it says "Summary" to change to "Detailed View".   

4. To save your scan, click on "Next", then "Save".   

 

 

Esteban D.

Intel Technical Support Technician  


0 Kudos
RvdH
New Contributor I
1,711 Views

Why? On the SSU excerpt it already shows my NUC BIOS is the latest... what more proof do you guys need? I do not feel comfortable sharing details about my used RAM, drives and OS here.

0 Kudos
n_scott_pearson
Super User Retired Employee
1,697 Views

Do you want help or not? You can send it to just the ICS rep (via personal message) if you don't want it there for the public. This means, however, that volunteer experts like myself cannot help you.

...S

0 Kudos
RvdH
New Contributor I
1,693 Views

Sure, but I can't understand why you need that SSU report, there is absolutely nothing in those SSU report(s) other than the BIOS version... It holds no information whatsoever on TXE version and/or the vulnerability(s?) reported by both CSME Version Detection Tool 3.1.0.0 and CSME Version Detection Tool 4.0.1.0...

0 Kudos
RvdH
New Contributor I
1,678 Views

FYI, there is something weird going on with SSU: on the NUC6CAYH the BIOS Mode reports 'Legacy' when connected thru an RDP connection, but when I log in physically BIOS Mode reports 'UEFI'.

 

0 Kudos
Esteban_D_Intel
Moderator
1,659 Views

Hello RvdH,

We really appreciate your patience and the information provided.

I would like to inform you that we are currently investigating this matter.

I will provide an update as soon as possible in the thread.


Esteban D.

Intel Technical Support Technician  


0 Kudos
RvdH
New Contributor I
1,655 Views

OK, thanks

I saw somewhere the latest TXE firmware for 3.x is on 3.1.80.2400; as BIOS version 0066 is 3.1.70.2334, there seem to have been quite a few patches since the latest update.

0 Kudos
RvdH
New Contributor I
1,609 Views

Whilst I am waiting for an updated BIOS and feedback, I would like to point out the microcode in BIOS 0066 is also outdated, as a newer microcode update revision 40 is available as well.

0 Kudos
RvdH
New Contributor I
1,555 Views

@Esteban_D_Intel , @n_scott_pearson 

FYI, today BIOS version 0067 appeared on the support site for NUC6CAYH/NUC6CAYS
TXE firmware is upgraded to 3.1.80.2400, thx for that!

Only too bad the microcode revision wasn't updated in one go, microcode revision is still on 3C whilst microcode revision 40 has been available for some time.

0 Kudos
RvdH
New Contributor I
1,549 Views

Strange to see the Compute Card CD1C32GK, CD1C64GK, CD1P64GK have received the Apollo Lake Microcode Update M03506C9_00000040.PDB back in July, 2020 and even the latest BIOS version 0067 (December, 2020) for NUC6CAYH/NUC6CAYS still hasn't...

Can anyone elaborate why this is?

0 Kudos
n_scott_pearson
Super User Retired Employee
1,545 Views

Good question! I am endeavoring to get an answer from the development team...

...S

0 Kudos
RvdH
New Contributor I
1,524 Views

@n_scott_pearson , @Esteban_D_Intel 

There is no documentation available on what the Apollo Lake Microcode Update M03506C9_00000040.PDB exactly brings or does, is there?
So most likely it possibly is a release to fix an open CVE or something like optimizations?

0 Kudos
n_scott_pearson
Super User Retired Employee
1,512 Views

Actually, if it was a CVE, there would be an absolute (and urgent) requirement that the BIOS update package include this version. I sent a query to the folks I know on the development team, but I have received no response as of yet. I will ping them again Monday...

...S

RvdH
New Contributor I
1,508 Views
0 Kudos
RvdH
New Contributor I
1,506 Views
I replied with a thumbs up emoji, but that doesn't seem to show (at least on my mobile)
0 Kudos
n_scott_pearson
Super User Retired Employee
1,492 Views

Nor under browser. I sure miss being able to use emojis in my responses (I also miss being able to use dots in my account name; that too is a ridiculous restriction).

...S

0 Kudos