Can anyone tell me what the SA-00086 Intel Detection tool actually does?
Does it?
1) Only test the processor to see if it is one of the many processors on a long listing of processors which are vulnerable to the Meltdown and Spectre threats.
2) Show the actual (fixed/mitigated or not fixed/not-mitigated) status of the detected processor to the Meltdown and Spectre threats.
I have been unable to get a clear answer to this question from either my computer manufacturer, Dell, or from Intel.
I have applied all currently available kernel updates to my operating system (Linux Mint) and the detection tool still says that my processor is VULNERABLE.
Thanks.
It does test for vulnerabilities found in the Intel Management Engine and is a different/additional security issue to the later published CPU architecture related Spectre or Meltdown vulnerabilities.
Win7ine:
Can you refer me to your source for the different/additional security issues?
I read the bulletin related to SA-00086, and unless I missed it, I saw no references to anything other than Meltdown and Spectre.
If it is for different/additional security issues, is there a detection test which is strictly for the Meltdown and Spectre issues?
Thanks.
Here are the links:
https://www.intel.com/content/www/us/en/support/articles/000025619/software.html Intel® Management Engine Critical Firmware Update (Intel-SA-00086)
https://nvd.nist.gov/vuln/detail/CVE-2017-5754 NVD - CVE-2017-5754
https://nvd.nist.gov/vuln/detail/CVE-2017-5753 NVD - CVE-2017-5753
https://nvd.nist.gov/vuln/detail/CVE-2017-5711 NVD - CVE-2017-5711
https://nvd.nist.gov/vuln/detail/CVE-2017-5712 NVD - CVE-2017-5712
If you are running Windows, yes, there is an MS PowerShell script which will test for Spectre and Meltdown.
Temporarily set PowerShell script execution policy
PS> Set-ExecutionPolicy Unrestricted -Scope Process -Force
Install the PowerShell module
PS> Install-Module SpeculationControl -Force
Run the PowerShell module to validate protections are enabled
PS> Get-SpeculationControlSettings
I am NOT using MS windows.
I am using Linux Mint version 18.3.
Isn't the utility (Linux version) listed on the SA-00086 bulletin supposed to be used to test for the Meltdown and Spectre vulnerabilities?
According to my best guess reading of the bulletin, what it is referring to are the Meltdown and Spectre vulnerabilities even though it
does not specifically call them by name.
I just got thru applying today's Intel microcode update 3.20180108 thru Linux Mint update manager and after doing so and rebooting
the SA-00086 Linux Intel Detection Tool STILL says that my processor is VULNERABLE. I looked in Driver Manager and yes, the
microcode is showing the 2018 version.
Thanks.
NO!
The SA-00086 bulletin refers to the vulnerability identified in the Intel Management Engine. To address this vulnerability, you will need a BIOS update that provides the new Intel Management Engine firmware.
It is the SA-00088 bulletin that refers to the Meltdown and Spectre vulnerabilities in the processors. To address these vulnerabilities, you need a BIOS update that provides the latest microcode for your processor as well as the latest OS updates for these vulnerabilities.
BIOS updates come from your board manufacturer; they DO NOT come from Intel. Yes, it's true that Linux can also install the latest microcode, but the absolute best place for this to happen is during BIOS POST.
...S
Is there an Intel processor detection tool for SA-00088?
I have been to Intel's download site (also Googled it) and searched for SA-00088 processor detection tool and
I find nothing - am I missing it?
So far, I have not been able to get an answer from Dell as to whether a BIOS will be offered to fix these
problems, does that likely mean that I am going to be up-the-creek-without-a-paddle? I have the latest
BIOS version A17 - June 2017 vintage already installed. Yes, I know that these are more recently discovered
problems.
I have applied Linux Mint kernel updates, applied today's Intel microcode update, does this likely mean
that I have the problems mitigated - but how to know for sure if there is no detection tool?
Thanks.
If there is a tool, you will find it through here: https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html Facts about The New Security Research Findings and Intel Products.
As for BIOS updates, it may take the manufacturers some time to make the updates available. Patience Grasshopper!
...S
Thanks for the link but I had pretty much gone over that one and I can see no info
regarding a detection tool there.
And had already read the computer listing and particular Dell model's listing and if
that is a comprehensive listing, then it is like I have suggested that I (and many others)
are going to be SOL.
It would really be nice if Intel could plainly post a detection tool for these problems so
one would not have to search all over creation to try to find it.
Bad thing is that there is possibility that applying the Linux kernel updates and the
microcode update MAY have fixed the problems but with no way to know for sure
suppose I will just have to cross my fingers and hope that hackers are so busy with
other things that they don't have time to fool with my little old computer.
Dell has already sort of indicated to me that they have no real great concerns as
to if, when or whether a BIOS is offered to fix this for a Dell Optiplex model 980, if
you do not purchase a new computer from these companies every year or two, it is
no skin off their teeth, quite to the contrary this may be just more money in their
pockets a year or two from now when computer sales go up. I know that MS$
users may need to purchase a new computer every year or so but that is not
true for Linux users.
I will keep looking for Intel detection tool but at this point I have very little confidence
that I am going to find one.
Thanks.
Well, I think I finally found it. Boy, that was like hunting hen's teeth !!!
However, it does not appear to me that it has much relationship to Intel.
Found it at this link due to a post that someone made on Linux Mint forums:
https://github.com/speed47/spectre-meltdown-checker/blob/master/README.md (spectre-meltdown-checker README on GitHub)
It says that my Meltdown has been mitigated but that the Spectre is still a problem. Which is exactly
what someone had suggested on Linux Mint forums earlier.
Hope the other owners of old no longer under warranty systems might happen to find this post
because both Intel and Dell were of zero help in finding this.
Now to wait for a fix for Spectre.
Thanks.
Now back to work.
Now that the Meltdown and Spectre are solved or at least partly so, need to find out
what to do about vulnerability revealed by Intel detection tool for SA-00086 - Intel Management
Engine.
Is the problem with Intel Management Engine the fact that the version of this needs to be
updated, i.e. a BIOS update or is it a problem with the way the IME is currently configured or is the
problem that the IME just needs to be DISABLED instead of being enabled?
Also, am I understanding correctly that the purpose of this IME is used by system administrators
to allow themselves to remotely control the client machines on the network?
Thanks.