wikiINTEL-SA-00086 Safety recommendation for Intel ME, PLC and TXE
On 20 November 2017 (American time), Intel published the Security Advisory INTEL-SA-00086 for systems with Intel Management Engine (ME), Intel Server Platform Services (SPS) and Intel Trusted Execution Engine (TXE).[1] In this document Intel warns against possible privilege escalations (rights extensions)[2] and buffer overflows.[3] In this article, you will learn which Thomas-Krenn systems are affected and which BIOS updates fix the security vulnerabilities.
Affected systems
According to Intel systems with Intel ME 11.x, SPS 4.0, and TXE 3.0 are affected by the security vulnerabilities. The following table shows an overview of affected systems from Thomas-Krenn and contains links to the corresponding BIOS or ME updates, which are used to close the security vulnerabilities:
| CPU generation | Systems from Thomas-Krenn | Status BIOS update | Download-Link BIOS update |
|---|---|---|---|
| 6th/7th/8th Gen Intel Core Family | LES network+ (test report) | available | BIOS BF551TK2 (test report BIOS BF551TK2) |
| PCs with ASUS H170M-Plus motherboard (test report) | ME update available | ME update 1023 (test report ME update 1023) | |
| PCs with ASUS H270M-Plus motherboard (test report) | available ME update available |
BIOS 0809 and ME update 11.8.50.339 (test report ME update 11.8.50.339) | |
| Xeon E3-1200 v5/v6 | Server with Supermicro X11SSH-F motherboard | available | BIOS 2.0c (test report BIOS 2.0c) |
| Server with Supermicro X11SSH-LN4F motherboard | available | BIOS 2.0c (test report BIOS 2.0c) | |
| Server with Supermicro X11SSH-TF motherboard | available | BIOS 2.0b (test report BIOS 2.0b) | |
| Server with ASUS P10S-I motherboard (test report) | available | BIOS 4001 (test report BIOS 4001) | |
| Server with ASUS P10S-M motherboard (test report) | available | BIOS 4001 (test report BIOS 4001) | |
| Xeon Scalable Family | Server with Supermicro X11DPi-N motherboard | available | BIOS 2.0 |
| Server with Supermicro X11DPi-NT motherboard (test report) | available | BIOS 2.0 (test report BIOS 2.0) | |
| Xeon W Family | (No systems in Thomas-Krenn portfolio) | - | - |
| Atom C3000 Family (Denverton) | |||
| Apollo Lake Atom/Pentium/Celeron Family |
In order to select the right BIOS image for your server, we recommend that you download the respective BIOS image from the My Product Overview section using the serial number of your server. Alternatively, you can also query the name of your motherboard (see the article Read out mainboard name). If you have any questions, please contact our support team.
Not affected are
CPU generations released prior to the Skylake generation are generally not affected by the INTEL-SA00086 safety advisory (see also Intel Microarchitecture Overview).
Not affected are for example:
- LES v2 (test report)
- LES v3 (test report)
- LES Network (test report test report)
- Server with Supermicro X10SLH-F motherboard (tested with Intel Celeron G1820T CPU) (test report)
- Server with Supermicro X10DRi motherboard (tested with Intel Xeon E5-2623 v4 CPU) (test report)
- Server with ASUS P9D-MV motherboard (tested with Intel Celeron G1820T CPU) (test report)
References
- ↑ Intel Q3’17 ME 11.x, SPS 4.0, and TXE 3.0 Security Review Cumulative Update (security-center.intel.com)
- ↑ Privilege escalation (en.wikipedia.org)
- ↑ Buffer overflow (en.wikipedia.org)
Further information
- Intel stopft neue Sicherheitslücken der Management Engine (SA-00086) (heise.de, 21.11.2017)
- INTEL-SA-00086 Security Bulletin for Intel Management Engine (ME) and Advanced Management Technology (AMT) Vulnerabilities: What You Need To Know (blog.rapid7.com, 21.11.2017)
- CB-K17/2012 (bsi.bund.de, 22.11.2017)
- Intel-Computer: BSI warnt vor Sicherheitslücke, Updates teils spät (heise.de, 23.11.2017)
- Intel Security Vulnerabilities Regarding Intel® Management Engine (ME), Intel® Server Platform Services (SPS), and Intel® Trusted Execution Engine (TXE) (www.supermicro.com)
Changelog
- Version 1.0, 21.11.2017: Initial version with Intel Security Advisory information
- Version 1.1, 21.11.2017: Information about the Supermicro X11SSH-LN4F motherboard and LES Network added
- Version 1.2, 22.11.2017: Information about the Supermicro X10DRi motherboard added
- Version 1.3, 22.11.2017: Information about the Supermicro X11SSH-F and X11DPi-NT motherboard added, first patched BIOS versions in review
- Version 1.4, 23.11.2017: Information about the ASUS P10S-I motherboard added
- Version 2.0, 24.11.2017: BIOS updates for Supermicro X11SSH-F, X11SSH-LN4F and X11SSH-TF available, links added
- Version 2.1, 27.11.2017: Information about the P10S-M motherboard added
- Version 2.2, 27.11.2017: Information about the P9D-MV motherboard added
- Version 2.3, 28.11.2017: Information converted into a clearly arranged table, information about the ASUS H270M-Plus motherboard added, link to blog post by rapid7 added
- Version 2.4, 28.11.2017: Information about the ASUS H170M-Plus motherboard added, BIOS update for ASUS P10S-M is currently tested at Thomas-Krenn
- Version 2.5, 28.11.2017: BIOS update for the ASUS P10S-I motherboard available
- Version 2.6, 29.11.2017: BIOS update for the ASUS P10S-M motherboard available
- Version 2.7, 04.12.2017: Management Engine update for the ASUS H170M-Plus motherboard available
- Version 2.7.1, 04.12.2017: Download information on the basis of the serial number and the motherboard name added.
- Version 2.8, 06.12.2017: BIOS update for LES network+ available
- Version 2.9, 06.12.2017: BIOS update and Management Engine update for ASUS H170M-Plus available
- Version 3.0, 15.12.2017: BIOS update for Supermicro X11DPi-N and X11DPi-NT available
- Version 3.1, 20.12.2017: Article completed, formulation adapted
- Version 3.2, 28.12.2017: Link to Supermicro's site about INTEL-SA-00086 added
 |
Author: Werner Fischer Werner Fischer, working in the Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.
|
 |
Author: Thomas Niedermeier Thomas Niedermeier working in the product management team at Thomas-Krenn, completed his bachelor's degree in business informatics at the Deggendorf University of Applied Sciences. Since 2013 Thomas is employed at Thomas-Krenn and takes care of OPNsense firewalls, the Thomas-Krenn-Wiki and firmware security updates.
|
