INTEL-SA-00086 Security Advisory for Intel ME, SPS and TXE

From Thomas-Krenn-Wiki

On 20 November 2017 (US time), Intel published Security Advisory INTEL-SA-00086 for systems with Intel Management Engine (ME), Intel Server Platform Services (SPS) and Intel Trusted Execution Engine (TXE).[1] In it, Intel warns of possible privilege escalation[2] and buffer overflow[3] vulnerabilities. This article shows which Thomas-Krenn systems are affected and which BIOS updates fix the security vulnerabilities.

Affected systems

According to Intel, systems with Intel ME 11.x, SPS 4.0, and TXE 3.0 are affected by the security vulnerabilities. The following table gives an overview of the affected Thomas-Krenn systems and links to the corresponding BIOS or ME updates that close the security vulnerabilities:

| CPU generation | Systems from Thomas-Krenn | Status of BIOS update | Download link for BIOS update |
|---|---|---|---|
| 6th/7th/8th Gen Intel Core Family | LES network+ (test report) | available | BIOS BF551TK2 (test report BIOS BF551TK2) |
| | PCs with ASUS H170M-Plus motherboard (test report) | ME update available | ME update 1023 (test report ME update 1023) |
| | PCs with ASUS H270M-Plus motherboard (test report) | available; ME update available | BIOS 0809 and ME update 11.8.50.339 (test report ME update 11.8.50.339) |
| Xeon E3-1200 v5/v6 | Server with Supermicro X11SSH-F motherboard | available | BIOS 2.0c (test report BIOS 2.0c) |
| | Server with Supermicro X11SSH-LN4F motherboard | available | BIOS 2.0c (test report BIOS 2.0c) |
| | Server with Supermicro X11SSH-TF motherboard | available | BIOS 2.0b (test report BIOS 2.0b) |
| | Server with ASUS P10S-I motherboard (test report) | available | BIOS 4001 (test report BIOS 4001) |
| | Server with ASUS P10S-M motherboard (test report) | available | BIOS 4001 (test report BIOS 4001) |
| Xeon Scalable Family | Server with Supermicro X11DPi-N motherboard | available | BIOS 2.0 |
| | Server with Supermicro X11DPi-NT motherboard (test report) | available | BIOS 2.0 (test report BIOS 2.0) |
| Xeon W Family | (No systems in Thomas-Krenn portfolio) | - | - |
| Atom C3000 Family (Denverton) | | | |
| Apollo Lake Atom/Pentium/Celeron Family | | | |

In order to select the right BIOS image for your server, we recommend that you download the respective BIOS image from the My Product Overview section using the serial number of your server. Alternatively, you can also query the name of your motherboard (see the article Read out mainboard name). If you have any questions, please contact our support team.

Unaffected systems

CPU generations released prior to the Skylake generation are generally not affected by the INTEL-SA-00086 security advisory (see also Intel Microarchitecture Overview).

Examples of unaffected systems:

  • LES v2 (test report)
  • LES v3 (test report)
  • LES Network (test report test report)
  • Server with Supermicro X10SLH-F motherboard (tested with Intel Celeron G1820T CPU) (test report)
  • Server with Supermicro X10DRi motherboard (tested with Intel Xeon E5-2623 v4 CPU) (test report)
  • Server with ASUS P9D-MV motherboard (tested with Intel Celeron G1820T CPU) (test report)

References

  1. Intel Q3’17 ME 11.x, SPS 4.0, and TXE 3.0 Security Review Cumulative Update (security-center.intel.com)
  2. Privilege escalation (en.wikipedia.org)
  3. Buffer overflow (en.wikipedia.org)

Changelog

  • Version 1.0, 21.11.2017: Initial version with Intel Security Advisory information
  • Version 1.1, 21.11.2017: Information about the Supermicro X11SSH-LN4F motherboard and LES Network added
  • Version 1.2, 22.11.2017: Information about the Supermicro X10DRi motherboard added
  • Version 1.3, 22.11.2017: Information about the Supermicro X11SSH-F and X11DPi-NT motherboard added, first patched BIOS versions in review
  • Version 1.4, 23.11.2017: Information about the ASUS P10S-I motherboard added
  • Version 2.0, 24.11.2017: BIOS updates for Supermicro X11SSH-F, X11SSH-LN4F and X11SSH-TF available, links added
  • Version 2.1, 27.11.2017: Information about the P10S-M motherboard added
  • Version 2.2, 27.11.2017: Information about the P9D-MV motherboard added
  • Version 2.3, 28.11.2017: Information converted into a clearly arranged table, information about the ASUS H270M-Plus motherboard added, link to blog post by rapid7 added
  • Version 2.4, 28.11.2017: Information about the ASUS H170M-Plus motherboard added, BIOS update for ASUS P10S-M is currently tested at Thomas-Krenn
  • Version 2.5, 28.11.2017: BIOS update for the ASUS P10S-I motherboard available
  • Version 2.6, 29.11.2017: BIOS update for the ASUS P10S-M motherboard available
  • Version 2.7, 04.12.2017: Management Engine update for the ASUS H170M-Plus motherboard available
  • Version 2.7.1, 04.12.2017: Download information on the basis of the serial number and the motherboard name added.
  • Version 2.8, 06.12.2017: BIOS update for LES network+ available
  • Version 2.9, 06.12.2017: BIOS update and Management Engine update for ASUS H170M-Plus available
  • Version 3.0, 15.12.2017: BIOS update for Supermicro X11DPi-N and X11DPi-NT available
  • Version 3.1, 20.12.2017: Article completed, formulation adapted
  • Version 3.2, 28.12.2017: Link to Supermicro's site about INTEL-SA-00086 added


Author: Werner Fischer

Werner Fischer, working in the Web Operations & Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.



Author: Thomas Niedermeier
