Intel CPU vulnerabilities - both Windows and Linux

Reflective
Posts: 2283
Joined: February 15th, 2007, 11:13 am

Intel CPU vulnerabilities - both Windows and Linux

Post by Reflective »

Intel has identified a number of security vulnerabilities in its Management Engine (ME) and in Server Platform Services (SPS) which can be exploited to execute arbitrary code on the system. The vulnerability affects both Windows and Linux.

Since the vulnerability concerns the firmware it's up to manufacturers to address the issue by releasing a patch. Only Lenovo has been forthcoming so far and a firmware update can be downloaded from their site: https://support.lenovo.com/nl/en/produc ... /len-17297

The following CPUs are vulnerable to the exploit:
  • 6th, 7th, and 8th Generation Intel Core
  • Intel Xeon Processor E3-1200 v5 and v6
  • Intel Xeon Processor Scalable
  • Intel Xeon Processor W
  • Intel Atom C3000 Processor
  • Apollo Lake Intel Atom Processor E3900 series
  • Apollo Lake Intel Pentium
  • Celeron N and J series Processors
Intel has made a tool available to determine whether your machine is vulnerable to the exploit: https://downloadcenter.intel.com/download/27150

After extracting the zip file open the subfolder called DiscoveryToolGUI and run the exe file called Intel-SA-00086-GUI.exe (The exe may differ for the Linux version).

I ran it on my own machine and it only takes about 10 seconds to complete. In my particular case the result was negative, most likely due to my Haswell CPU, which is 5th generation, but the system of the ghacks.net site owner, Martin Brinkmann, is. There's an image of the scan result on his machine here: https://www.ghacks.net/2017/11/22/find- ... abilities/
Grumpus
Posts: 13236
Joined: October 19th, 2007, 4:23 am
Location: ... Da' Swamp

Re: Intel CPU vulnerabilities - both Windows and Linux

Post by Grumpus »

This is the link for the Github Linux Detection and Mitigation tools
There's also this from the earlier article Neutralize ME on Sandy Bridge and Ivybridge
Original discovery article
This from the article:

Matthew Garrett wrote:
Merely having a "vPRO" CPU and chipset isn't sufficient - your system vendor also needs to have licensed the AMT code. Under Linux, if lspci doesn't show a communication controller with "MEI" or "HECI" in the description, AMT isn't running and you're safe. If it does show an MEI controller, that still doesn't mean you're vulnerable - AMT may still not be provisioned. If you reboot you should see a brief firmware splash mentioning the ME. Hitting ctrl+p at this point should get you into a menu which should let you disable AMT.
Earlier Register Article
Doesn't matter what you say, it's wrong for a toaster to walk around the house and talk to you
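The lspci check quoted from Matthew Garrett above can be scripted so it gives a clear yes/no before you go looking for a firmware update. The script below is an added example for this thread, not code from Intel, Lenovo or the linked GitHub tools. The two sample lspci listings inside it are constructed, not captured from a real machine, and the /dev/mei0 hint assumes the stock Linux mei_me driver, which creates that device node when it binds to the controller.

```sh
#!/bin/sh
# Added example, not from the thread or from Intel: apply Matthew Garrett's
# lspci test. If no "Communication controller" line mentions MEI or HECI,
# the Management Engine interface is not exposed to the operating system.

# mei_present TEXT
# Returns 0 when TEXT (lspci output) lists an MEI or HECI communication
# controller, 1 otherwise. The first grep narrows to communication controllers
# so that unrelated devices whose names happen to contain "mei" don't match.
mei_present() {
    printf '%s\n' "$1" | grep -i 'communication controller' | grep -Eiq 'MEI|HECI'
}

# mei_driver_bound
# Secondary hint for a live system: the mei_me driver creates /dev/mei0 when it
# binds to the controller (assumption: stock kernel driver, not blacklisted).
mei_driver_bound() {
    [ -e /dev/mei0 ]
}

# verdict TEXT
# Prints a one-line defender's verdict and returns mei_present's result
# so callers can branch on it.
verdict() {
    if mei_present "$1"; then
        echo "MEI/HECI controller listed: the ME interface is exposed. Check whether AMT is provisioned (Ctrl+P at the ME splash) and run Intel's SA-00086 detection tool."
        return 0
    fi
    echo "No MEI/HECI controller listed: AMT is not running on this system."
    return 1
}

# Constructed sample lspci output (not captured from a real machine).
SAMPLE_WITH_MEI='00:00.0 Host bridge: Intel Corporation Skylake Host Bridge/DRAM Registers (rev 08)
00:16.0 Communication controller: Intel Corporation Sunrise Point-LP CSME HECI #1 (rev 21)
00:1f.3 Audio device: Intel Corporation Sunrise Point-LP HD Audio (rev 21)'

SAMPLE_WITHOUT_MEI='00:00.0 Host bridge: Intel Corporation Skylake Host Bridge/DRAM Registers (rev 08)
00:02.0 VGA compatible controller: Intel Corporation HD Graphics 520 (rev 07)
00:1f.3 Audio device: Intel Corporation Sunrise Point-LP HD Audio (rev 21)'

echo "Constructed sample with a HECI device:"
verdict "$SAMPLE_WITH_MEI" || true
echo "Constructed sample without an MEI device:"
verdict "$SAMPLE_WITHOUT_MEI" || true

# On a real Linux box, run the same check against live lspci output.
if command -v lspci >/dev/null 2>&1; then
    echo "Live lspci output on this machine:"
    if verdict "$(lspci 2>/dev/null)" && mei_driver_bound; then
        echo "/dev/mei0 exists: the mei_me kernel driver is bound to the controller."
    fi
fi
```

A listed controller only means the interface is present; as the quote says, AMT may still be unprovisioned, so treat a positive result as a reason to check the ME menu and run Intel's detection tool, not as proof of exposure.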
Grumpus
Posts: 13236
Joined: October 19th, 2007, 4:23 am
Location: ... Da' Swamp

Re: Intel CPU vulnerabilities - both Windows and Linux

Post by Grumpus »

How about a little update on this Intel Management Engine