
NUC6CAYH vulnerable according to CSME Version Detection Tool

RvdH
Novice

Intel® Converged Security and Management Engine Version Detection Tool version 4.0.1.0 (3.1.0.0 as well, BTW) reports the NUC6CAYH as being vulnerable, with the Trusted Execution Engine at version 3.1.70.2334.

The latest BIOS update is from the end of 2019. Is the TXE going to be patched on this NUC model?

Esteban_D_Intel
Moderator

Hello RvdH,

Thank you for posting on the Intel® communities.  

The BIOS version 0066 contains security fixes. This BIOS version is dated 12/17/2019.

I would strongly recommend updating to the latest BIOS version. You can find it here.

After the update of the BIOS, please run the utility again. If the vulnerability message is still showing after the update, I would appreciate it if you could attach a picture of the message to the thread.


Please reply at your earliest convenience to check results.


Esteban D.

Intel Technical Support Technician  


RvdH
Novice

@Esteban_D_Intel 

Sorry, I think you misunderstood me; the unit is already running the latest BIOS 0066. I also have a NUC6CAYS model that reports the same issue; this unit is also running the latest BIOS 0066.

Screenshots attached, CSME Version Detection Tool 3.1.0.0 and CSME Version Detection Tool 4.0.1.0

RvdH
Novice

SSU report 

BaseBoard Manufacturer	Intel Corporation	
BIOS Mode	Legacy	
BIOS Version/Date	Intel Corp. AYAPLCEL.86A.0066.2020.0107.1027 , 07-01-2020 12:00	
CD or DVD	Not Available	
Embedded Controller Version	22.0	
Platform Role	Desktop	
Processor	Intel(R) Celeron(R) CPU J3455 @ 1.50GHz , GenuineIntel	
Secure Boot State	On	
SMBIOS Version	3.0	
Sound Card	Not Available	
System Manufacturer	Intel Corporation	
System Model	NUC6CAYH	
System SKU	Not Available	
System Type	x64-based PC	
n_scott_pearson
Super User Retired Employee

@RvdH,

The SSU tool has the capability to save the report as a text file. Please produce this file and attach to a response post.

...S 

Esteban_D_Intel
Moderator

Hello RvdH,

Thank you so much for your response and clarification.


I would appreciate it if you could attach the full SSU report following the steps below:

Intel® System Support Utility (Intel® SSU) Download link

1. Open the application and click on "Scan" to see the system and device information. 

2. By default, Intel® SSU will take you to the "Summary View".   

3. Click on the menu where it says "Summary" to change to "Detailed View".   

4. To save your scan, click on "Next", then "Save".   

 

 

Esteban D.

Intel Technical Support Technician  


RvdH
Novice

Why? On the SSU excerpt it already shows my NUC BIOS is the latest... what more proof do you guys need? I do not feel comfortable sharing details about my used RAM, drives and OS here.

n_scott_pearson
Super User Retired Employee

Do you want help or not? You can send it to just the ICS rep (via personal message) if you don't want it there for the public. This means, however, that volunteer experts like myself cannot help you.

...S

RvdH
Novice

Sure, but I can't understand why you need that SSU report; there is absolutely nothing in those SSU report(s) other than the BIOS version... It holds no information whatsoever on the TXE version and/or the vulnerability(s?) reported by both CSME Version Detection Tool 3.1.0.0 and CSME Version Detection Tool 4.0.1.0....

RvdH
Novice

FYI, there is something weird going on with SSU: on the NUC6CAYH the BIOS Mode reports 'Legacy' when connected through an RDP connection, but when I log in physically BIOS Mode reports 'UEFI'.

 

Esteban_D_Intel
Moderator

Hello RvdH,

We really appreciate your patience and the information provided.

I would like to inform you that we are currently investigating this matter.

I will provide an update as soon as possible in the thread.


Esteban D.

Intel Technical Support Technician  


RvdH
Novice

OK, thanks

I saw somewhere that the latest TXE firmware for 3.x is 3.1.80.2400; as BIOS version 0066 has 3.1.70.2334, there seem to have been quite a few patches since the latest update.

RvdH
Novice

Whilst I am waiting for an updated BIOS and feedback, I would like to point out that the microcode in BIOS 0066 is also outdated, as a newer microcode update, revision 40, is available as well.

RvdH
Novice

@Esteban_D_Intel , @n_scott_pearson 

FYI, today BIOS version 0067 appeared on the support site for NUC6CAYH/NUC6CAYS.
TXE firmware is upgraded to 3.1.80.2400, thx for that!

Only too bad the microcode revision wasn't updated in one go; the microcode revision is still on 3C whilst microcode revision 40 has been available for some time.

RvdH
Novice

Strange to see that the Compute Cards CD1C32GK, CD1C64GK, CD1P64GK received the Apollo Lake Microcode Update M03506C9_00000040.PDB back in July 2020, and even the latest BIOS version 0067 (December 2020) for NUC6CAYH/NUC6CAYS still hasn't.....

Can anyone elaborate on why this is?

n_scott_pearson
Super User Retired Employee

Good question! I am endeavoring to get an answer from the development team...

...S

RvdH
Novice

@n_scott_pearson , @Esteban_D_Intel 

There is no documentation available on what the Apollo Lake Microcode Update M03506C9_00000040.PDB exactly brings or does, is there?
So most likely it is possibly a release to fix an open CVE, or something like optimizations?

n_scott_pearson
Super User Retired Employee

Actually, if it was a CVE, there would be an absolute (and urgent) requirement that the BIOS update package include this version. I sent a query to the folks I know on the development team, but I have received no response as of yet. I will ping them again Monday...

...S

RvdH
Novice
RvdH
Novice
I replied with a thumbs up emoji, but that doesn't seem to show (at least on my mobile)
n_scott_pearson
Super User Retired Employee

Nor under browser. I sure miss being able to use emojis in my responses (I also miss being able to use dots in my account name; that too is a ridiculous restriction).

...S
