Intel (Converged Security) Management Engine: Drivers, Firmware and Tools (2-15)

Hello Igor, thank you for your input.

I thought about exactly that but kind of ruled it out in my mind for various reasons. The hypothetical 11.6.12 branch (my repo/db goes from 11 to 13) should have been released around early December 2016, based on hotfix 11 and 13, which contradicts the statement that the vulnerability was reported in March (3 months later) and thus fixed soon after. Even 11.6.25 is from February, not March. So HP couldn’t have an early firmware fix at hotfix 12. Unless someone is lying but that’s a whole other story.

What I also thought is that HP had some sort of 11.6.11 or 11.6.12 firmware on some of their systems and thus asked Intel to apply the fix on top of these (tested by HP) firmware so that they can release it sooner than a whole new firmware validation would normally require. That does make sense. Thing is, if I remember properly, HP had some systems updated to firmware 11.6.20 or 11.6.21, which both have a newer VCN than that Frankenstein 11.6.12.3xxx, which means that the ME will reject the update via FWUpdate in such cases.

Then I noticed that there is also FWUpdate 11.6.12.3xxx bundled and thought that maybe it is a special version which ignores that irregularity but that got excluded as well because it’s the ME which is responsible for granting or rejecting an update so a “modded” FWUpdate wouldn’t matter at all.

Generally, no matter how I look at it, such a release is weird.

HP is special. This will look fanboyish[1], but the fact is that HP typically takes far more care of their server and corporate lines than any other vendor. They are the only ones that shipped firmware updates containing certain microcode updates (that cannot be found anywhere else) fixing security issues on old Intel processors such as the Core Duo, and Core2. Such processors were used on some of their 6-year-old corporate desktop lines, and it does look like it was HP that requested that Intel produce such updates for the older SKUs, even when they were already listed as EOL according to Intel ARK.

So, yes, you can and should expect HP corporate machines (servers/desktops) to show up with firmware you won’t find anywhere else.

[1] I don’t actually like HP hardware because it does way too much behind your back in SMM (massive headache for HPC, and low-latency + low-jitter work), and it also has a tendency of being “special” in very bad ways.

Here you can find the actual explanation of the vulnerability from embedi and their equivalent paper. Very short and to the point. Also based on a pretty stupid programming oversight on Intel’s part.


I know about "special", Apple even has their own ME SKU. I also know of (mainly) three OEMs which actually support their corporate customers long-term (at least when it comes to ME firmware which is in question) and these are Lenovo, HP and Dell. But that’s not relevant here. This firmware is bizarre, not just "rare". And it cannot actually be flashed because of that (lower VCN). So I cannot offer it here and will wait instead for the "proper" firmware releases either from HP or Lenovo based on their release schedules.

In case that wasn’t clear from the previous post of mine: I agree with Igor, this firmware is built and signed by Intel for HP based on the latter’s specific request. But that also makes it irrelevant to any other system which has something newer than 11.6.12 applied. HP rightfully doesn’t care about that. As always, any new drivers or firmware will be posted here when they benefit all of us.

If it’s not mentioned before:

9.1.41.3024 (I think it’s the 5MB firmware) can be found on Fujitsu’s support pages, search Desktop => ESPRIMO E520

I’d be happy if someone found an updated 9.0 version (5MB) :slight_smile:

Intel ME 9.1 5MB Firmware v9.1.41.3024 (INTEL-SA-00075/CVE-2017-5689)




Intel ME System Tools v9.1 r2



Big thanks to lfb6/Fujitsu for the new firmware!

Here is the official Fujitsu security advisory with specific dates for updated ME firmware:

https://sp.ts.fujitsu.com/dmsp/Publicati…CD-products.pdf


Intel updated their advisory page with HP-specific firmware and note:





Intel says 11.6.12.1201, HP releases 11.6.12.3202 [no comment]

I read the note but I would like double confirmation from the experts here.

The vulnerability in INTEL-SA-00075 does not affect systems with the 1.5MB consumer version of MEI? Am I correct?

See, for example, here and here for an alternative view.


Sadly, there’s no news of updates for the 9.0 branch? It seems to be left hanging.



I’m not sure whether this whole endeavour is new terrain, because the changelog of that version doesn’t specify the bug fix required, and previous versions don’t have changelogs on the consumer firmware.

Sure, version 11.6.21.1228 corporate fixes the issue, but I can’t see that firmware anywhere either and I’ve no idea if I can go to corporate FW or back or what the limitations are.
- Fixes fail to boot issues in certain corner case scenarios.
- Resolves an issues pertaining to clearing CMOS variables.
- Resolves an issue where ME will enter recovery mode after power cycling.

I’m not sure how fixes are disseminated across all releases, I have a feeling they don’t. What are your thoughts on that?

In any case I have now flashed 11.6.25.1229 and the problem persists. :frowning: So the theory that this version would fix the issue is confirmed not to be the case.

I can’t downgrade the ME firmware either as it won’t accept the previous version as compatible with the platform. Is it possible to downgrade at all (for purposes of not breaking warranty)? (Not that it’s worth a fart, Asus and the retailer are not fulfilling their obligations anyway.)


>FWUpdLcl64.exe -F 11.6.0.1126_CON_H.bin

Intel (R) Firmware Update Utility Version: 11.6.27.3264
Copyright (C) 2007 - 2017, Intel Corporation. All rights reserved.

Communication Mode: MEI
Checking firmware parameters…

Warning: Do not exit the process or power off the machine before the firmware update process ends.

Are you sure you want to perform a Firmware Downgrade? (Y/N): y
Sending the update image to FW for verification: [ COMPLETE ]

FW Update: [ 0% (/)] Do not Interrupt
Error 8758: The image provided is not supported by the platform.


I’m somewhat lost here, so any advice on either how to downgrade or how to remove the ME from recovery mode (with the exception of what we discussed already) would be welcome.

According to this there might be a chance that the 9.1 update could work. Unfortunately there was never an answer that it was successfully tried…



Thanks. This means that mobos without this BIOS HSWR update will be helpless against this awful exploit, unless Intel patches the 9.0.x branch.

The problem is that I have an Asus B85 Plus motherboard.
It supports Haswell Refresh (I have it with an i5 4460).
And the IME of the latest BIOS is 9.0.xx.xxxx

Can I update it to 9.1?


Possibly the update will work, but there are different statements or warnings on whether it will work or not:


I updated a Gigabyte GA-Q87N (rev 1.1) with the latest but nevertheless rather old BIOS F2 that has Haswell Refresh support (dated 2014/01/24 (!)) from 9.0.31.1487 to 9.1.41.3024. It worked, the board accepted provisioning via USB stick and the system booted thereafter without problems. Unfortunately it’s a system I’m using for testing and playing with things, so it’s just an older Linux Mint (17.3) that is working as before (but not even sound connected). And unfortunately all components (CPU, board, memory) were taken from an unstable system, so I wouldn’t know if they were old or new problems if I’d get any…

Edit: Checked a little more, sound via DisplayPort is working fine, CPU throttling still working, can’t unfortunately read fan speed, but CPU temperatures are unchanged, monitor off and standby still working.

Is it possible to predict a little more specifically what might happen if the motherboard BIOS wasn’t compatible with ME 9.1?

One more older version from HP 11.0.18.3003 Corporate H, date: 04/05/2017

It is mentioned here in a more complete INTEL-SA-00075 list from Intel.

Dell has now also released a security advisory with specific dates for updated ME firmware: http://en.community.dell.com/techcenter/…papers/20443914
Direct link to the PDF-document: http://en.community.dell.com/cfs-file/__…00075_2900_.pdf

Also, Intel has released placeholder pages for their affected products that will be updated on 5/12/17 with a specific schedule:
Intel NUC: https://communities.intel.com/thread/114093
Intel Compute Stick: https://communities.intel.com/thread/114092
Intel Desktop Board: https://communities.intel.com/thread/114071

Updated the notice regarding INTEL-SA-00075/CVE-2017-5689 with a new table, links to all known OEM advisories (thank you mclarke2355) and some notes on the special/OEM versions we have seen so far:




@ bronxamigo @ lfb6:

Consumer/1.5MB systems are not affected. ME 9.0 was dropped 4 years ago and fully replaced by 9.1. It was the OEMs’ job to update their BIOS to support it and to then update to 9.1 normally. Otherwise there can be problems with BCLK (99MHz instead of 100MHz), broken overclocking, erratic fan control etc. Intel has no reason to update the 9.0 branch. Maybe some OEM will beg them to do so because they are too bored to update the BIOS and maybe Intel will do it, but I doubt it.

@ atomota:

You cannot downgrade because the new firmware has a higher Version Control Number (VCN), read what it means at the first post. Just because a changelog mentions something which resembles your problem, it doesn’t mean that it is the same. You tested the latest firmware we have and the problem persists. There is no point in asking for advice for something that we have discussed over and over again in the past. I’ve already told you what the problem most probably is and I’ve already told you your options. Please read our old discussion if you forgot. There is nothing more I can do.
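As an added illustration (not code from this thread, from Intel’s tools or from any OEM), the following Python models the acceptance rule described in the posts above: the ME itself, not FWUpdate, decides, and an image carrying a lower Version Control Number (VCN) is refused, which is why a system already on 11.6.20/11.6.21 cannot take the HP 11.6.12.3202 build and why the downgrade attempt earlier in the thread failed. The hostnames, VCN values and inventory rows are constructed; the assumption that a downgrade whose VCN is unchanged is allowed is mine and not stated in the thread.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class MeImage:
    version: str  # dotted ME firmware version, e.g. "11.6.12.3202"
    vcn: int      # Version Control Number (VCN) carried by the image
    sku: str      # "CON" (consumer, 1.5MB) or "COR" (corporate, 5MB)


def version_tuple(version: str) -> Tuple[int, ...]:
    """Split '11.6.12.3202' into (11, 6, 12, 3202) so versions compare numerically."""
    parts = tuple(int(p) for p in version.split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part ME version, got {version!r}")
    return parts


def update_verdict(current: MeImage, candidate: MeImage) -> str:
    """Decide whether the ME would accept `candidate` on top of `current`.

    Rules modelled from the thread: SKU must match; a candidate whose VCN is
    lower than the running firmware's VCN is rejected regardless of which
    FWUpdate build is used. Same-VCN downgrades are assumed to be allowed.
    """
    if candidate.sku != current.sku:
        return "reject: SKU mismatch"
    if candidate.vcn < current.vcn:
        return "reject: VCN would decrease (downgrade blocked by ME)"
    if version_tuple(candidate.version) < version_tuple(current.version):
        return "allow: downgrade (VCN not lowered)"
    if version_tuple(candidate.version) == version_tuple(current.version):
        return "allow: same version (reflash)"
    return "allow: upgrade"


def triage(fleet: Dict[str, MeImage], candidate: MeImage) -> Dict[str, str]:
    """Apply update_verdict across an inventory keyed by hostname."""
    return {host: update_verdict(img, candidate) for host, img in fleet.items()}


# Constructed sample inventory: hostnames and VCN values are made up for
# illustration; real VCNs are read from the running ME / the image itself.
HP_BUILD = MeImage("11.6.12.3202", vcn=3, sku="COR")
SAMPLE_FLEET = {
    "hp-desk-01": MeImage("11.6.0.1126", vcn=2, sku="COR"),
    "hp-desk-02": MeImage("11.6.12.1201", vcn=3, sku="COR"),
    "lenovo-01": MeImage("11.6.21.1228", vcn=4, sku="COR"),
    "asus-home": MeImage("11.6.25.1229", vcn=4, sku="CON"),
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_FLEET, HP_BUILD).items():
        print(f"{host:12} {SAMPLE_FLEET[host].version:14} -> {verdict}")
```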

@plutomaniac

Stupid question: If someone messes up their BIOS by a bad ME flash like atomota did, can’t they pull their CMOS chip and wipe it with a CMOS writing stick like a CH341A and reflash stock firmware back onto it?

First, no need to tag me here, I monitor this thread regardless. Secondly, it wasn’t atomota’s fault that his system’s ME/BIOS has issues, completely unrelated to your hypothetical problem. Speaking of hypothetical problems, explain exactly what happened as I cannot guess.



I want to try to update it to 9.1.
What package do I need to update the IME, the Intel ME System Tools v9.1 or the Intel ME System Tools v9.0?

I want to go from 9.0.31.1487 to 9.1.41.3024

Hypothetically, if your ME firmware upgrade is not successful and not compatible with the current BIOS version, as I understand it you cannot go backwards, such that the only way to restore the firmware to the original state would be to use a flash image burning tool like the CH341A?

Thank you



Thanks for the expert knowledge. Is there anything specific to update to make older BIOS work with 9.1? I can try to make my own changes.



If it is not successful I will RMA the motherboard.