
Got different result from Intel-SA-00086

JChow3
Beginner

I got two different versions of the Intel-SA-00086 detection tool, downloaded at different times (7 Dec - product version: 1.0.0135 & 14 Dec - product version: 1.0.0.146). I used them to detect the recent Intel CPU ME/SPS/TXE vulnerability in my HP EliteDesk 800 G1 SFF, which has an Intel i7-4770 CPU installed. But I got two opposite results: the earlier one detected "This system is not vulnerable" and the later one detected "This system is vulnerable".

According to the Intel webpage, only 6th, 7th and 8th generation Intel Core processors are affected by this Intel® Management Engine vulnerability. My CPU is 4th generation, which means it should not be vulnerable. Is my understanding correct? Please help me clarify whether my system is vulnerable or not.

The following are the test results:

0 Kudos
4 Replies
idata
Employee

Hi ccjchow,

We did incorporate some new checks for older systems starting with version 1.0.0.146 of the detection tool.

We've added this note to the description for the download:

Note: Versions of the INTEL-SA-00086 Detection Tool earlier than 1.0.0.146 did not check for CVE-2017-5711 and CVE-2017-5712. These CVEs only affect systems with Intel Active Management Technology (Intel AMT) version 8.x-10.x. Users of systems with Intel AMT 8.x-10.x are encouraged to install version 1.0.0.146, or later, to help verify the status of their system in regards to the INTEL-SA-00086 Security Advisory.

HP seems to have most of their updates posted. Check this page for the update for your exact system: https://support.hp.com/us-en/document/c05843704


0 Kudos
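Added example (not part of the thread and not Intel's code): a small triage pass over collected detection-tool results that applies the note quoted in the reply above, flagging any "not vulnerable" verdict that came from a tool older than 1.0.0.146 on AMT 8.x-10.x. The record fields (`host`, `tool_version`, `amt_version`, `verdict`) and the sample rows are constructed for illustration.

```python
import re

# From the note in the thread: tools before 1.0.0.146 did not check
# CVE-2017-5711 / CVE-2017-5712, which affect Intel AMT 8.x-10.x only.
FIRST_COMPLETE_TOOL = (1, 0, 0, 146)
AMT_AFFECTED_MAJORS = range(8, 11)

def parse_version(text):
    """Return a dotted version as a tuple of ints, or None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def triage(record):
    """Decide what to do with one detection-tool result."""
    tool = parse_version(record["tool_version"])
    amt = parse_version(record["amt_version"])
    # The tool reports four components; anything else (for example a
    # mistyped "1.0.0135") cannot be compared safely, so scan again.
    if tool is None or len(tool) != 4 or amt is None:
        return "rescan: unparseable version"
    if record["verdict"] == "This system is vulnerable":
        return "patch: apply the OEM firmware update"
    if tool < FIRST_COMPLETE_TOOL and amt[0] in AMT_AFFECTED_MAJORS:
        return "rescan: verdict predates the CVE-2017-5711/5712 checks"
    return "ok: verdict covers this platform"

def triage_all(records):
    """Map each host name to its triage decision."""
    return {r["host"]: triage(r) for r in records}

# Constructed sample inventory (hypothetical hosts and AMT versions).
SAMPLE = [
    {"host": "pc-a", "tool_version": "1.0.0.135", "amt_version": "9.0.0.0",
     "verdict": "This system is not vulnerable"},
    {"host": "pc-b", "tool_version": "1.0.0.146", "amt_version": "9.0.0.0",
     "verdict": "This system is vulnerable"},
    {"host": "pc-c", "tool_version": "1.0.0.135", "amt_version": "11.0.0.0",
     "verdict": "This system is not vulnerable"},
    {"host": "pc-d", "tool_version": "1.0.0135", "amt_version": "9.0.0.0",
     "verdict": "This system is not vulnerable"},
]

if __name__ == "__main__":
    for host, decision in triage_all(SAMPLE).items():
        print(host, "->", decision)
```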
ABesi1
Beginner

and the reality = ???

Eeny, meeny, miny, moe

Currently NOT on Lenovo's list of affected laptops .... or should it be?

Thank you for looking into it. Wish you fewer hiccups in 2018.
0 Kudos
ABesi1
Beginner

didn't check the version No's as per :

"NOTE : Versions of the INTEL-SA-00086 Detection Tool earlier than 1.0.0.146 did not check for CVE-2017-5711 and CVE-2017-5712. These CVEs only affect systems with Intel® Active Management Technology (Intel® AMT) version 8.x-10.x. Users of systems with Intel AMT 8.x-10.x are encouraged to install version 1.0.0.146, or later. Installing this version helps to verify the status of their system with regard to the INTEL-SA-00086 Security Advisory. You can check the version of the INTEL-SA-00086 Detection Tool by running the tool and looking for the version information in the output window."

to download the tool :

https://downloadcenter.intel.com/download/27150?v=t

and as per Intel's own advisory:

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

Affected products are :

1st, 2nd, 3rd, 4th, 5th, 6th, 7th & 8th Generation Intel® Core™ Processor Family

Intel® Xeon® Processor E3-1200 v5 & v6 Product Family

Intel® Xeon® Processor Scalable Family

Intel® Xeon® Processor W Family

Intel® Pentium® Processor G Series

Intel® Atom® C3000 Processor Family

Apollo Lake Intel® Atom Processor E3900 series

Apollo Lake Intel® Pentium™

Celeron™ G, N and J series Processors

The "old" CPU versions as well!!! And as I have in this system :

Associated CPU Generation: 3rd Generation Intel® Core™ Processor Family

Resolved Firmware version : Recommended: Intel® ME 8.1.72.3002 or higher

Currently ( as of 25 Dec 2017 ) there is NO new firmware to be found under "ThinkPad E530C" .....but found one under :

https://pcsupport.lenovo.com/gb/en/downloads/DS032435

and gave it a try with following results:

can of worms

success with one and it opened another one = OBSOLETE = ???

here we go again

0 Kudos
idata
Employee

Hi Abesi,

The Capability Licensing Service (iCLS) is distributed with the Intel® Management Engine driver (the Windows driver, not to be confused with the ME firmware that is typically part of the BIOS).

Lenovo needs to update the ME driver for Windows for your model.

I will report this to folks that work directly with Lenovo, but you should also report this to Lenovo support.

FYI, the iCLS is not vulnerable to the issues identified in SA-00086. Those issues are ME firmware-only issues. Updating the iCLS is not strictly required, but if you use any capabilities that rely on iCLS (an example would be video streaming services) then you will need to update the iCLS to make sure everything runs as expected.
0 Kudos