back to article To fix Intel's firmware fiasco, wait for Christmas Eve or 2018

The world's top PC-makers have started to ship fixes for the multiple flaws in Intel's CPUs, but plenty won't land until 2018. As Intel admitted on Monday, multiple flaws in its Management Engine, Server Platform Services, and Trusted Execution Engine make it possible to run code that operating systems – and therefore …

  1. DougS Silver badge

    I wonder about motherboards

    I have an Asrock motherboard with a vulnerable Skylake in it, but the latest BIOS is from last November. I somehow doubt I will be getting an updated version from them. Not a big deal since it is on my home network and isn't a laptop, but someone using it say in a school would have some real concerns.

    I assume my HP laptop will get the fix since it is only a year old, and that's the one I'm really more concerned with.

    1. Bryn Jones

      Re: I wonder about motherboards

      The management engine is a separate processor embedded in the chipset, and typically has its own separate firmware which is distinct from the bios. It doesn’t even need the main CPU to be functional to give access to the machine.

      1. This post has been deleted by its author

        1. Maventi

          Re: I wonder about motherboards

          > No - no it isn't. Not for Intel at least. It's part of your CPU!

          Incorrect - it is in fact part of the chipset rather than the CPU. https://en.wikipedia.org/wiki/Intel_Management_Engine#Design

          Still has access to all the things though.

          1. Anonymous Coward
            Anonymous Coward

            Re: I wonder about motherboards

            "Incorrect - it is in fact part of the chipset rather than the CPU. "

            Perhaps someone would care to clarify these snippets then (from Intel, not from Wikipedia):

            https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

            (Intel® Management Engine Critical Firmware Update (Intel SA-00086), 22 Nov 17)

            Mentions various vulnerable Intel product families including the Intel Atom C3000 SoC family.

            Do readers (especially Maventi) know what SoC means? ("System on chip", for those who've not come across it). Basically, "just add DRAM" (plus a few other odds and ends depending on application). Something that in x86-speak doesn't have the classical Intel-x86 Northbridge, Southbridge, etc chipset external to the package where the "CPU" lives.

            So, in an Intel C3000 SoC product, where is that "chipset"? Is it perhaps in the same package as the CPU? Is Maventi proposing a distinction without a difference?

            Here's a hint from Intel:

            "The Innovation Engine (IE) is an embedded core within the SoC. It is similar to Intel® Management Engine (Intel® ME), with some privilege and I/O differences. The IE is designed to assist original equipment manufacturers (OEMs) in providing a more secure form of the Intel ME. IE code is cryptographically bound to the OEM, and code that is not authenticated by the OEM will not load. The system can operate normally without having to activate IE because it is an optional feature." (etc)

            from

            https://software.intel.com/en-us/articles/intel-atom-processor-c3000-family-technical-overview

            Clarification very welcome. Have a great weekend.

    2. Adam 52 Silver badge

      Re: I wonder about motherboards

      I reckon that, in this case, the PC/motherboard/whatever is clearly not fit for purpose - that purpose being to run software with some degree of trust that it'll do what it's supposed to.

      Since, at the moment, we buy physical CPUs and motherboards (and don't license them) then I don't see why it shouldn't be perfectly reasonable to return them for repair or replacement.

      Proving that the CPU was faulty at manufacturer should be easy so the usual burden on the consumer after six months shouldn't be a problem.

      1. Neil Barnes Silver badge
        Devil

        Re: I wonder about motherboards

        >> to run software with some degree of trust

        Ahahahah! You looked at a software licence recently?

        1. Doctor Syntax Silver badge

          Re: I wonder about motherboards

          "You looked at a software licence recently?"

          But the CPU is sold as hardware.

  2. Ken Hagan Gold badge

    Who/What does the "secure" in Secure Boot refer to?

    This situation smacks of the Android universe, where the author of the offending software has to rely for patch incorporation on the hardware vendor who in turn has to rely for deployment on phone operators. It leads to woeful security in practice because patches are never deployed and everyone blames everyone else. In the PC case, I'd have thought that the hardware vendor was Intel itself (or, worst case, a handful of motherboard UEFI BIOS providers) and there simply is no equivalent to the "phone operator", so ...

    What have the PC vendors actually done to insert themselves into the critical path?

    How could the system be changed fixed to remove them?

    1. Anonymous Coward
      Anonymous Coward

      Re: Who/What does the "secure" in Secure Boot refer to?

      It looks that in this case the update needs to be signed or something alike by each manufacturer, not Intel, thereby the situation is not very different from mobes. And it it's like other CPU fixes it may need to be delivered through the BIOS/UEFI, again something the manufacturers has to release.

      1. Dan 55 Silver badge

        Re: Who/What does the "secure" in Secure Boot refer to?

        Google are trying to remove it (or reduce it down to something harmless). They want the data, nobody else.

    2. Anonymous Coward
      Anonymous Coward

      Re: Who/What does the "secure" in Secure Boot refer to?

      It refers to the fact that Big Content (movie companies, rights holders, etc) want these systems to be able to keep Big Content's oh so valuable content secure against any unplanned revenue reduction. Nothing to do with keeping systems secure for the benefit of the system's owners/operators/users.

      It's very simlar to the "trusted" in Trusted Computing Platform.

      :(

    3. phuzz Silver badge
      Facepalm

      Re: Who/What does the "secure" in Secure Boot refer to?

      The Intel Management Engine doesn't have anything to do with Secure Boot.

      Secure Boot checks that the bootloader has been signed, so if it's been patched by malware, your computer won't boot (which is probably better than letting it boot and encrypt all your files).

      It's mainly used to secure Windows, but can also be used by various Linux distributions. As far as I know there's no security pisses with it. It's available on both AMD and Intel CPUs (it's a function of the motherboard, not CPU).

      Intel's Management Engine is effectively like an 'integrated lights out' controller (as found in most servers), but as part of the CPU, and so included in all of their products. The idea was to make it easier to manage large groups of PCs centrally (eg you could set them to all turn on overnight to install updates without affecting your users). It has several flaws which would allow an attacker with network access to a machine to do pretty much what every they want to it.

      I say again, Secure Boot is nothing to do with Intel's Management Engine.

      1. TheVogon Silver badge

        Re: Who/What does the "secure" in Secure Boot refer to?

        "Secure Boot checks that the bootloader has been signed, so if it's been patched by malware, your computer won't boot (which is probably better than letting it boot and encrypt all your files)."

        When combined with say Bitlocker and DeviceGuard, it protects the OS and file system from the majority of direct access type attacks. Secure Boot is trust the first part of that chain of trust.

      2. Dan 55 Silver badge

        Re: Who/What does the "secure" in Secure Boot refer to?

        Secure Boot is in the UEFI which is another pile of festering exploits waiting to happen.

        UEFI is in ring -2, ME is in ring -3. Both run while the OS is running and thinks it's in charge of things.

        1. hmv

          Re: Who/What does the "secure" in Secure Boot refer to?

          UEFI is ring 0 as is the kernel.

          Hypervisor is ring -1 (if there is one)

          SMM is ring -2.

          ME is hanging off the side of the main processor; it's not a ring at all.

      3. Missing Semicolon Silver badge
        Happy

        Re: Who/What does the "secure" in Secure Boot refer to?

        If that's so, can I have an install binary that just formats the flash ROM in the Management Engine and leaves it at that?

      4. Ken Hagan Gold badge

        Re: Who/What does the "secure" in Secure Boot refer to?

        @phuzz: Thanks for the clarification, but I'm still puzzled. I mentioned Secure Boot simply because that's the only layer I'm aware of between the OS and the IME. Since the owners of those layers (Microsoft and Intel) appear to be unable to do the job without additional help, it did seem like an intermediate layer might be relevant. I'll have another go at framing my questions and perhaps you or someone else can clarify things.

        Who writes the patch? Is it just Intel or do they just explain what needs to change and leave it up to someone downstream? Does that patch depend on the CPU, the chipset, anything else more vendor-specific?

        Who distributes the patch? It clearly isn't something that Microsoft can distribute via Windows Update or else Intel could just give them the code. There seems to be a requirement for someone in the middle to be involved EITHER in the authorship (bringing vendor-specific details to the code) or the distribution channel (providing vendor-specific authentication for the code).

        How is the patch applied? Does the patch program run instructions at the (regular) OS level that automagically cause the patch to be uploaded to the IME, or does it have to ask an intermediate (such as the UEFI layer) to help with delivery?

        An finally, perhaps a little tongue in cheek, if the vulnerability lets someone hi-jack the IME, why can't Intel use the vulnerability to produce a "universal" patch that doesn't need the co-operation of foot-dragging vendors? Less tongue in cheek, I think it is reasonable to assume that *some* people are working on such a thing, even if Intel aren't.

        1. phuzz Silver badge

          Re: Who/What does the "secure" in Secure Boot refer to?

          Secure Boot isn't really a layer, its basically the modern equivalent of that BIOS option (which nobody used) which made the MBR read-only. It's part of the UEFI,

          As for how you can patch, the Intel ME is part of the motherboard chipset, so it'll be your motherboard vendor you need to wait for (good luck with that). They'll get the updated code from Intel and will have to package in in the correct way to flash their own hardware.

          As for how exactly the patch would be applied, I don't know, but I suspect in similar ways to the patches that server manufacturers release to update things like BMCs and RAID controllers. That is to say, you might be able to run a program from inside your OS, or you might have to boot from USB into DOS and patch that way.

          As for your last suggestion, just because the Intel ME allows access to the OS, doesn't mean you have enough control over the ME to re-flash it.

        2. Anonymous Coward
          Anonymous Coward

          "How is the patch applied?"

          That's really depend on how it is interfaced with the rest of the system, and if it can be patched while an OS is running (which mans it controls memory addresses and I/O ports), or if it has to be done at boot before an OS is run so there's much more freedom (i.e. put the new code at a specific hardware address and then tell the chip to load it through an I/O command). Being a processor working on its own, it has probably its own memory, still you may need to transfer the code there.

          On server, usually this updates can be done fully without any need to reboot the machine, both from the out of band management interface or from the OS - but probably they also have more dedicated resources. On a desktop a reboot is less an issue, but you still need the patch.

          Still, the actual code doing the upgrade may check the new code is from a trusted source - and if the signature is specific, it needs to come from the HW vendor. There's also a chance some implementation details needs to be specified by the HW vendor based on the motherboard design, so the the firmware may need to be customized.

  3. trevorde

    Just worried about all the older systems, or those from second tier suppliers, which won't ever be patched :-(

    1. fnusnu

      Older systems aren't affected :)

      Heritage systems FTW!

    2. Anonymous Coward
      Anonymous Coward

      Happily, it appears my T420 is not affected although upgrades of unaffected systems are limited. The T440 with an i7 and 16 Gigs o'ram would probably be noticeable and that one is marked as unaffected, as well.

  4. Anonymous Coward
    Anonymous Coward

    Just bought a HP Gen10 Microserver. I was originally a bit bothered that it had an AMD Opteron processor, but now I'm actually quite pleased...

    1. Dan 55 Silver badge

      The PSP on an AMD Opteron is the same thing with a different name.

      1. TrumpSlurp the Troll Silver badge
        WTF?

        PSP bugs?

        I was also considering I might have dodged a bullet by building an AMD system.

        O.K. AMD has a similar feature to Intel, but does it have the same (or equivalent) bugs? If so, why aren't they being reported in the articles?

        1. Christian Berger Silver badge

          Re: PSP bugs?

          "O.K. AMD has a similar feature to Intel, but does it have the same (or equivalent) bugs? If so, why aren't they being reported in the articles?"

          This is highly complex closed software nobody ever took a look at. I think it's highly unlikely that they made a better job than Intel.

        2. Anonymous Coward
          Anonymous Coward

          Re: PSP bugs?

          One this is not found int their desktop line of CPU.

    2. Christian Berger Silver badge

      It's likely that AMD has exactly the same kind of problems.

  5. Anonymous South African Coward Silver badge

    Can't you zap the offending chippery with a cattleprod?

    1. Anonymous Coward
      Anonymous Coward

      Can't you zap the offending management with a cattleprod?

      See title.

      1. TheVogon Silver badge

        Re: Can't you zap the offending management with a cattleprod?

        Yes, I would imagine that would do the job.

        nb - as the "offending management" is part of your main CPU, that might not be an ideal solution if you wish to retain any operational functionality...

      2. Anonymous Coward
        Anonymous Coward

        Re: Can't you zap the offending management with a cattleprod?

        No you cannot.

        Protected species. By MiB. It is not a bug, it is a feature and it is there upon request.

        If you read nearly every government tender by nearly every friendly or not-so friendly government in the last 10 years you will see vPro or a subset of it as a mandated feature. So it is not surprising that it was backdoored to ensure that EVERY SINGLE GOVERNMENT INSTALLATION IN EVERY GOVERNMENT WORLDWIDE is hackable with a mere USB key.

        Who backdoored it and when we will never know (I suspect he is sipping a pina colada on the Caiman islands as a part of a "witness protection" programme).

        1. Bronek Kozicki Silver badge
          Black Helicopters

          Re: Can't you zap the offending management with a cattleprod?

          @AC here is appropriate icon for you, as you were unable to select it yourself ->

        2. DJO Silver badge

          Re: Can't you zap the offending management with a cattleprod?

          sipping a pina colada on the Caiman islands

          I suspect you meant Cayman Islands, a Caimen is an alligatorid crocodilian and an island made of them would not be a happy place.

          1. g00se
            Facepalm

            Re: Can't you zap the offending management with a cattleprod?

            I suspect you meant Cayman Islands, a Caimen is an alligatorid crocodilian

            So, why not take your best guess, therefore, at how the Cayman Islands (formerly called 'Caimanas' and before that 'Lagartos' [lizards] ) got their name?

  6. Anonymous Coward
    Anonymous Coward

    ME engine takes over even when device is in off. Check orwl.org for Protection on USB ports.

  7. lglethal Silver badge
    Go

    Information please

    OK I havent read up too much on this Intel failure, so I'm a bit behind the times.

    For those of us on self built PC's, do we need to wait on Motherboard manufacturers to release bios updates? Will the update come over Windows Update? Or do we have to go hunting for the update over on the Intel site?

    And how urgent is the need for this update? Exploit in the wild or just an advisory that an exploit is probably on the way?

    Cheers for any info...

    1. Anonymous Coward
      Anonymous Coward

      Re: Information please

      Yes, for self-build you need to wait for the update from the motherboard manufacturer, or do some low level messing with your motherboard.

      There's no known active exploit YET.

      The 'low level messing' comes via Nicola Corna's me_cleaner which modifies the firmware to neutralise the Management Engine so far as is possible - whether it's far enough is another issue. To do this you need to extract the firmware from the flash chip, and reload the modified firmware afterwards. This is usually done with a raspberry pi or beaglebone connecting to the flash chip's SPI interface.

  8. Christian Berger Silver badge

    Well the fiasco is only about to come

    Servers typically use the internal network chip, so they are likely to be affected by this. Considering firmware updates require at least a reboot and even then are hard to apply, we will probably see the first worms soonish.

    1. Anonymous Coward
      Anonymous Coward

      "Considering firmware updates require at least a reboot and even then are hard to apply"

      Apply them at the first reboot you need - and being this mostly a desktop/laptop issue it could be whenever you like. Don't know why you think they are "hard to apply" - usually you run a simple app and everything is done automatically. The days you need to clear and flash an EEPROM yourself are gone...

  9. Anonymous Coward
    Anonymous Coward

    If they cannot disable it completely then

    they should recall effected hardware and offer an reasonable alternative, cash for original system or secure CPU of same power.

    Does trading standards still exist?

    1. Adam 52 Silver badge

      Re: If they cannot disable it completely then

      Trading Standards the organisation? Yes, but not in any realistic sense, as they no longer have a consumer facing arm and are fronted by Citizen's Advice (on a not-what-OFCOM-would-call-premium-but-still-expensive-rate phone number) who file all complaints in the bin.

  10. WibbleMe

    So I'm not upgrading until 2019... oh hello AMD

  11. mark l 2 Silver badge

    The problem with this type security hole - that isn't part of the OS- is that a huge amount of computers will never get patched because their users are blissfully unaware that a problem even exists and it is doubtful that firmware patches will be delivered by their OS automatic updates.

    Unfortunately outside of the technology media it doesn't really get a mention, so the first a lot of people will know about it is when the virus writers get a working exploit and millions of users will find there computers taken over by malware or ransomware.

    1. M man

      or part off a botnet that will never get swatted. remember this is INVISIBLE to the os.

      There could be infection out there as we speak, if they keep thier cpu load low nowbody will ever know.

      An undectectable, full admin,network able, reinstall proof, full access bug,

      All this is missing is remote injection.......Currently...i suspect badusb will get recruited for that duty somhow,

      and remember, if your machine is comprised in another way the firmware could be rolled back.

      1. Anonymous Coward
        Anonymous Coward

        It's three AM. Why is your network so busy?

        "There could be infection out there as we speak, if they keep thier cpu load low nowbody will ever know."

        Maybe so.

        First, let's note that nobody in the world understands the CPU workload on a Window box at any given moment (e.g. hundreds of unaccountable threads associated with servicehost.exe, some of which go compute-bound from time to time for no visible reason). So CPU load isn't much of an indicator.

        People might have hoped there might be some kind of visible symptom on the network in some cases.

        Actually, for years, even on my trivial home LAN (PC, laptop, printer/scanner, SoHo switch/router, satellite TV box, Slingbox, etc) there's so much basically-unnecessary carp flying around that any malware would find it relatively easy to hide its network traffic in the mess of "legitimate" stuff.

        Not ideal.

        1. jijim

          Re: It's three AM. Why is your network so busy?

          you're right about "nobody in the world understands the CPU workload on a Window box at any given moment"

          but

          that won't be the place where the load on the ME "co-processor" (for the lack of a better term) will show up, even if it's maxed out.

  12. g00se
    WTF?

    IME

    The flaws struck multiple flaws in Intel's Management Engine ... make it possible to run code that operating systems – and therefore sysadmins and users – just can't see.

    Sorry to have to break it to you, but that's the whole point of Intel ME anyway. I shan't query the very odd first five words of the quoted sentence yet ...

  13. S4qFBxkFFg

    Seriously considering moving to a power9 system in the new year - it's not cheap, would require new CPU/motherboard/memory, and I'm under no illusions about IBM being any less evil than Intel/AMD/ARM, but it's looking like a better option every time another one of these articles comes out.

    1. Anonymous Coward
      Anonymous Coward

      Given the endemic hardware level security problems with Intel architecture chips, it may be time to consider a judiciously chosen ARM chip, particularly now that they are available in 64 bit models. Couple that with a good Linux, and you are a significantly harder target.

      1. DainB Bronze badge

        Given that ARM only licenses cores and everything else in the chip was put there on discretion of manufacturers, half of which do not even bother to make available SDK let alone publish comprehensive documentation, process of judiciously choosing ARM CPU might be much longer than you think.

      2. LDS Silver badge

        "it may be time to consider a judiciously chosen ARM"

        Yes, really judiciously, remember the Qualcom TrustZone blunder?

        See for example https://googleprojectzero.blogspot.it/2017/07/trust-issues-exploiting-trustzone-tees.html

      3. keithzg

        Long term you might be better off pursuing OpenRISC or RISC-V.

    2. DainB Bronze badge

      I'm sure whatever you have on your computer is well worth it.

      Everything else you care about will be stolen from the cloud.

      1. M man

        ...yep the network band with, cpu cycles and storage space.

        thier personal cloud...partially on your machine.

  14. bob, mon!
    Facepalm

    Thank you, Lenovo?

    Their list of laptops includes the T440s - "not affected", and the T460s - "affected". So where does that leave my T450s??? "Sort of affected"? "Deeply moved"? "Concerned, but not really bothered"?

    Fortunately, Lenovo also listed the relevant firmware numbers, and a reboot and BIOS check suggests that I have an older, unaffected version of the ME firmware. Sure wish they'd included my machine in the list though, makes me feel somewhat abandoned.

  15. MrBoring

    Isn't this exactly the same thing that happened in May?

  16. John Klos
    Mushroom

    Just spent nearly two hours updating...

    Updated IPMI and BIOS on a Supermicro system. IPMI took more than 45 minutes. BIOS had to be updated twice because system wasn't in "manufacturing mode". All BIOS settings had to be manually reset.

    Supermicro didn't announce updates, nor did they say whether these updates correct the known Intel ME problems, but considering that there are many BIOS updates for many models of Supermicro motherboards, all dated sometime in October, I wouldn't be surprised if they do a "fix first, announce later" kind of thing.

    This was a test to see how long updates for other Supermicro systems will take, and the results are pitiful.

    Let's hope this was the official fix and I don't have to spend another hour or two to upgrade later.

  17. J J Carter Silver badge
    Thumb Down

    Please help Nan

    Nan rang in tears last night, worried the Q6600 CPU in her PC has been back-doored; well done Intel for frightening an old lady.

  18. get off

    Lenovo update on HP G4

    Call me foolhardy but in a moment of madness I did the following

    1) Intel 'are you vulnerable' tool.... Answer "Yes" i5 skylake. HP G4 250

    2) Nothing on HP site but for HP enterprise servers. Massive list of 'do this, then do that' - these massive throbbing server machines only.

    3) I download the Lenovo update for this from the linked page. Run it..

    4) Intel 'are you vulnerable' tool.... Answer. "No. Not any more"

    I know it says that the drives have to be signed by each manufactuer but this is the same Skylake processer as is in all machines surely? Was I just lucky? Possibly, (main laptop machine too!) Advisable for all? Prob not...............

    Just my experience

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019