Community
cancel
Showing results for 
Search instead for 
Did you mean: 
JChow3
Beginner
1,031 Views

Got different result from Intel-SA-00086

I got two different versions of Intel-SA-00086 detection tool downloaded at different times (7 Dec - product version: 1.0.0135 &14 Dec -product version: 1.0.0.146), I used them to detect the recent Intel CPU ME/SPS/TXE vulnerability in my HP EliteDesk 800 G1 SFF that installed with a Intel i7-4770 CPU. But I got two opposite results, the earlier one detected "This system is not vulnerable" and the later detected "This system is vulnerable".

According to the Intel weblage, only Intel 6th, 7th and 8th generation Intel Core Processers are affected in this Intel® Management Engine vulnerability, my CPU is 4th generation, that means it should not be vulnerable, is my understanding correct? Please help me to clarify if my system is vulnerable or not.

The followings are the testing results:

0 Kudos
4 Replies
idata
Community Manager
99 Views

Hi ccjchow,

 

 

We did incorporate some new checks for older systems starting with version 1.0.0.146 of the detection tool.

 

We've added this note to the description for the download:

 

Note: Versions of the INTEL-SA-00086 Detection Tool earlier than 1.0.0.146 did not check for CVE-2017-5711 and CVE-2017-5712. These CVE's only affect systems with Intel Active Management Technology (Intel AMT) version 8.x-10.x. Users of systems with Intel AMT 8.x-10.x are encouraged to install version 1.0.0.146, or later, to help verify the status of their system in regards to the INTEL-SA-00086 Security Advisory.

 

 

HP seems to have most of their updates posted. Check this page for the update for exact system: https://support.hp.com/us-en/document/c05843704

 

ABesi1
Beginner
99 Views

and the reality = ???

Eeny, meeny, miny, moe

Currently NOT on Lenovo's list of affected laptops .... or should it be ?

 

Thank you for looking into it.Wish you less hiccups in 2018.
ABesi1
Beginner
99 Views

didn't check the version No's as per :

"NOTE : Versions of the INTEL-SA-00086 Detection Tool earlier than 1.0.0.146 did not check for CVE-2017-5711 and CVE-2017-5712. These CVEs only affect systems with Intel® Active Management Technology (Intel® AMT) version 8.x-10.x. Users of systems with Intel AMT 8.x-10.x are encouraged to install version 1.0.0.146, or later. Installing this version helps to verify the status of their system with regard to the INTEL-SA-00086 Security Advisory. You can check the version of the INTEL-SA-00086 Detection Tool by running the tool and looking for the version information in the output window."

to download the tool :

https://downloadcenter.intel.com/download/27150?v=t

and as per Intel's own advisory:

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

Affected products are :

1st, 2nd, 3rd, 4th, 5th, 6th, 7th & 8th Generation Intel® Core™ Processor Family

Intel® Xeon® Processor E3-1200 v5 & v6 Product Family

Intel® Xeon® Processor Scalable Family

Intel® Xeon® Processor W Family

Intel® Pentium® Processor G Series

Intel® Atom® C3000 Processor Family

Apollo Lake Intel® Atom Processor E3900 series

Apollo Lake Intel® Pentium™

Celeron™ G, N and J series Processors

The "old" CPU versions as well!!! And as I have in this system :

Associated CPU Generation: 3rd Generation Intel® Core™ Processor Family

Resolved Firmware version : Recommended: Intel® ME 8.1.72.3002 or higher

Currently ( as of 25 Dec 2017 ) there is NO new firmware to be found under "ThinkPad E530C" .....but found one under :

https://pcsupport.lenovo.com/gb/en/downloads/DS032435

and gave it a try with following results:

can of worms

success with one and it opened another one = OBSOLETE = ???

here we go again

idata
Community Manager
99 Views

Hi Abesi,

 

 

The Capability Licensing Service (iCLS) is distributed with the Intel® Management Engine driver (the windows driver, not to be confused with the ME firmware that is typically part of the BIOS).

 

 

Lenovo needs to update the ME driver for Windows for your model.

 

 

I will report this to folks that work directly with Lenovo, but you should also report this to Lenovo support.

 

 

FYI, the iCLS is not vulnerable to the issues identified in SA-00086. Those issues are ME firmware only issues. Updating the iCLS is not strictly required, but if you use any capabilities that rely on iCLS (an example would be video streaming services) then you will need to update the iCLS to make sure everything runs as expected.
Reply