Intel-SA-00086 not updating

RCask
Beginner

Good afternoon,

I am currently working with my company to fix multiple machines with the Intel-SA-00086 vulnerability. We appear to be having success with HP model machines where the update is installed and then the detection tool reports back that the system is no longer vulnerable and has been patched. With Dell machines we are not having as much luck. We have currently tried a few Dell Optiplex 7010s and a few Dell Latitude E6530s. We have installed the Management Engine firmware update, but it appears the tool still sees the old firmware. I have uploaded some pictures of the tool output and what is in the registry on the computer.

For the registry picture I am looking at the ME key values located at: HKLM\SOFTWARE\WOW6432Node\Intel\ME

Is there any way that we can get an explanation of where exactly the tool is looking to find out if the machine is vulnerable? I have searched but don't find any documentation other than the user guide that only explains how to run the tool. Any assistance would be appreciated.

1 Solution
RCask
Beginner

After some more testing it appears that the Dell machines require the full BIOS update. The Management Engine-only update did not work. Once the BIOS update was installed, the detection tool came back green that the system was no longer vulnerable.

n_scott_pearson
Super User

In general, each board/system vendor is going to release the update in one of two ways, (1) as part of a full F/W update (BIOS package), or (2) as a standalone ME F/W update. Method #1 will likely be more common. Regardless, you will need to analyze each vendor separately to determine which update method is being supported.

...S
