Intel Management Engine vulnerability - which CPUs are really affected?

JRepp
Beginner

As stated on the Intel web page linked below, only 6th, 7th and 8th generation of the Intel Core processor families are affected by the Intel Management Engine vulnerability:

https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

However, if I run the utility provided by Intel to check for the vulnerability on a CPU from the 5th generation Intel Core processor family, the utility returns that the system *IS VULNERABLE*. So, the question is, do I need to take action because of this status or am I "home free" due to the fact that the CPU isn't of the 6th, 7th or 8th generation? Or, should the listed CPU families only work as "guidance" and that it might affect even 5th (or other) generations of notebook/desktop CPUs as well?

If 5th generation CPUs are not considered vulnerable (even if having Intel ME versions that are within the span of vulnerable versions), why has HP released fixes for models that are based on 5th gen CPUs (for example the HP Elitebook 820 G2)? Is this due to the fact that the support web page linked below also contains a fix for the disclosed WPA2 vulnerability? I.e. the downloadable fix for the 5th gen models mentioned is not in any way related to the Intel ME vulnerability but only the WPA2 vulnerability for certain computer models with older CPUs than the 6th generation?

https://support.hp.com/us-en/document/c05843704

The information that can be found is not enough to make a conclusion that is beyond doubt about whether a CPU is vulnerable or not, given the fact that the Intel ME "vulnerability scan" utility reports a vulnerable system even on CPU types not listed as vulnerable. It doesn't make sense and there is some kind of limping logic surrounding it all. It could be more clear and obvious so that people make decisions based on the correct knowledge and are not potentially leaving systems vulnerable after reading the information provided by Intel and coming to the conclusion that "we don't have those CPU types mentioned, so we are all safe…" It is crucial to be absolutely sure about what systems are affected or not in order to take action and not just leave systems vulnerable believing that they are OK.

1 Solution
KenF_Intel
Moderator

Hi Jokre,

We are working to clarify the information in the SA-00086 security advisory. It should be updated in the next 3-5 days (or sooner).

Trust the detection tool. If it says your system is vulnerable then you should update the BIOS or Firmware from HP.


2 Replies
n_scott_pearson
Super User

Jonas,

What is important is the version of the Management Engine firmware that the system is running. As the document states, "Intel® Management Engine (Intel® ME 8.x-10.x and 11.0.0-11.7.0), Intel® Trusted Execution Engine (Intel® TXE 3.0), and Intel® Server Platform Services (Intel® SPS 4.0)" are all affected. As it turns out, when I checked my Intel NUC systems that utilize 3rd, 4th and 5th generation Core processors, they were *all* running affected versions of the ME firmware. I also confirmed (see here: Intel-SA-00086 for Intel® NUC, Intel® Compute Stick, and Intel® Compute Card, https://www.intel.com/content/www/us/en/support/articles/000026230/mini-pcs.html) that Intel has released updated BIOSs for all of these NUCs to install the appropriate firmware update.

Bottom line, the statement in the advisory is misleading! Even systems with 3rd generation Core processors can have the vulnerability and will need a fix. I hope that the pinheads at the various board manufacturers realize these systems are affected and are preparing updated BIOS/firmware packages for them.

...S
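The point of the reply above is that the firmware version, not the CPU generation, decides whether a system needs the SA-00086 update. The following added example (not Intel's detection tool and not code from anyone in this thread) encodes exactly the version ranges quoted in the reply and triages a constructed inventory by firmware version; it assumes the "11.0.0-11.7.0" bound is inclusive on the first three version fields.

```python
# Version-range check for the Intel-SA-00086 firmware ranges as quoted in the thread.
# Added example, not Intel's detection tool; the exact fixed build numbers are not on
# this page, so only the quoted ranges are encoded here.
from typing import List, Tuple


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a firmware version like '11.6.25.1228' into (major, minor, hotfix)."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    nums = [int(p) for p in parts] + [0, 0]  # pad short strings such as '11.6'
    return nums[0], nums[1], nums[2]


def is_affected(engine: str, version: str) -> bool:
    """True if the (engine, version) pair falls inside a range quoted in the advisory text."""
    major, minor, hotfix = parse_version(version)
    engine = engine.upper()
    if engine == "ME":
        if 8 <= major <= 10:                      # "Intel ME 8.x-10.x"
            return True
        # "11.0.0-11.7.0": treated as inclusive on (major, minor, hotfix) - an assumption.
        return (11, 0, 0) <= (major, minor, hotfix) <= (11, 7, 0)
    if engine == "TXE":
        return major == 3 and minor == 0          # "Intel TXE 3.0"
    if engine == "SPS":
        return major == 4 and minor == 0          # "Intel SPS 4.0"
    raise ValueError(f"unknown firmware engine: {engine!r}")


def triage(inventory: List[Tuple[str, int, str, str]]) -> List[str]:
    """Return hosts needing a BIOS/firmware update, judged by firmware version only."""
    return [host for host, _core_gen, engine, ver in inventory if is_affected(engine, ver)]


# Constructed sample inventory: (hostname, Core generation, engine, reported version).
# Versions are made up for illustration; note the 3rd/5th gen hosts still get flagged.
SAMPLE_INVENTORY = [
    ("nuc-3rdgen", 3, "ME", "8.1.40.1416"),      # ME 8.x  -> affected
    ("laptop-5thgen", 5, "ME", "10.0.40.1000"),  # ME 10.x -> affected
    ("desk-7thgen", 7, "ME", "11.6.20.2000"),    # ME 11.6 -> affected
    ("desk-8thgen", 8, "ME", "11.8.10.3000"),    # ME 11.8 -> outside the quoted range
    ("tablet-txe", 0, "TXE", "3.0.10.1100"),     # TXE 3.0 -> affected
    ("server-sps", 0, "SPS", "4.0.3.10"),        # SPS 4.0 -> affected
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: firmware in an affected range, apply the vendor BIOS/firmware update")
```

Feed it the engine type and version string reported by the detection tool or by the system's own ME/TXE/SPS status page rather than the CPU model.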
