I got two different versions of Intel-SA-00086 detection tool downloaded at different times (7 Dec - product version: 1.0.0135 &14 Dec -product version: 188.8.131.52), I used them to detect the recent Intel CPU ME/SPS/TXE vulnerability in my HP EliteDesk 800 G1 SFF that installed with a Intel i7-4770 CPU. But I got two opposite results, the earlier one detected "This system is not vulnerable" and the later detected "This system is vulnerable".
According to the Intel weblage, only Intel 6th, 7th and 8th generation Intel Core Processers are affected in this Intel® Management Engine vulnerability, my CPU is 4th generation, that means it should not be vulnerable, is my understanding correct? Please help me to clarify if my system is vulnerable or not.
The followings are the testing results:
We did incorporate some new checks for older systems starting with version 184.108.40.206 of the detection tool.
We've added this note to the description for the download:
Note: Versions of the INTEL-SA-00086 Detection Tool earlier than 220.127.116.11 did not check for CVE-2017-5711 and CVE-2017-5712. These CVE's only affect systems with Intel Active Management Technology (Intel AMT) version 8.x-10.x. Users of systems with Intel AMT 8.x-10.x are encouraged to install version 18.104.22.168, or later, to help verify the status of their system in regards to the INTEL-SA-00086 Security Advisory.
HP seems to have most of their updates posted. Check this page for the update for exact system: https://support.hp.com/us-en/document/c05843704
and the reality = ???Eeny, meeny, miny, moe
Currently NOT on Lenovo's list of affected laptops .... or should it be ?
Thank you for looking into it.Wish you less hiccups in 2018.
didn't check the version No's as per :
"NOTE : Versions of the INTEL-SA-00086 Detection Tool earlier than 22.214.171.124 did not check for CVE-2017-5711 and CVE-2017-5712. These CVEs only affect systems with Intel® Active Management Technology (Intel® AMT) version 8.x-10.x. Users of systems with Intel AMT 8.x-10.x are encouraged to install version 126.96.36.199, or later. Installing this version helps to verify the status of their system with regard to the INTEL-SA-00086 Security Advisory. You can check the version of the INTEL-SA-00086 Detection Tool by running the tool and looking for the version information in the output window."
to download the tool :
and as per Intel's own advisory:
Affected products are :
1st, 2nd, 3rd, 4th, 5th, 6th, 7th & 8th Generation Intel® Core™ Processor Family
Intel® Xeon® Processor E3-1200 v5 & v6 Product Family
Intel® Xeon® Processor Scalable Family
Intel® Xeon® Processor W Family
Intel® Pentium® Processor G Series
Intel® Atom® C3000 Processor Family
Apollo Lake Intel® Atom Processor E3900 series
Apollo Lake Intel® Pentium™
Celeron™ G, N and J series Processors
The "old" CPU versions as well!!! And as I have in this system :
Associated CPU Generation: 3rd Generation Intel® Core™ Processor Family
Resolved Firmware version : Recommended: Intel® ME 188.8.131.5202 or higher
Currently ( as of 25 Dec 2017 ) there is NO new firmware to be found under "ThinkPad E530C" .....but found one under :
and gave it a try with following results:
can of worms
success with one and it opened another one = OBSOLETE = ???
here we go again
The Capability Licensing Service (iCLS) is distributed with the Intel® Management Engine driver (the windows driver, not to be confused with the ME firmware that is typically part of the BIOS).
Lenovo needs to update the ME driver for Windows for your model.
I will report this to folks that work directly with Lenovo, but you should also report this to Lenovo support.
FYI, the iCLS is not vulnerable to the issues identified in SA-00086. Those issues are ME firmware only issues. Updating the iCLS is not strictly required, but if you use any capabilities that rely on iCLS (an example would be video streaming services) then you will need to update the iCLS to make sure everything runs as expected.