Showing results for 
Search instead for 
Do you mean 
Reply
Highlighted
Fanfold Paper
Posts: 4
Registered: ‎01-31-2015
Location: US
Message 1 of 10 (4,177 Views)

Update vulnerable Intel ME on Linux

Just tested my Thinkpad 13 with Intel-SA-00086 Detection Tool and found that my system is vulnerable.

Name: ThinkPad
Manufacturer: LENOVO
Model: 20GJ001HMH
Processor Name: Intel(R) Core(TM) i3-6100U CPU @ 2.30GHz
OS Version: Ubuntu 17.10 artful (4.13.0-17-generic)
Engine: Intel(R) ME
Version: 11.0.10.1002
SVN: 1
Status: DISCOVERY_VULNERABLE
Tool Stopped 

How to fix this vulnerability using Ubuntu Linux?

LP6
Paper Tape
Posts: 1
Registered: ‎11-21-2017
Location: US
Message 2 of 10 (4,113 Views)

Re: Update vulnerable Intel ME on Linux

[ Edited ]

Same here (T460s). We need a patch for Linux please.

 

----------------------------------------------------------------------------

INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved

Application Version: 1.0.0.128
Scan date: 2017-11-21 19:09:32 GMT

*** Host Computer Information ***
Name: ########
Manufacturer: LENOVO
Model: 20F9005FUS
Processor Name: Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz
OS Version: Ubuntu 17.10 artful (4.13.0-16-lowlatency)

*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 11.0.16.1000
SVN: 1

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is vulnerable.
Explanation:
The detected version of the Intel(R) Management Engine firmware is considered vulnerable for INTEL-SA-00086.
Contact your system manufacturer for support and remediation of this system.


For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

 

802.11n
Posts: 182
Registered: ‎07-11-2017
Location: US
Message 3 of 10 (4,111 Views)

Re: Update vulnerable Intel ME on Linux

Have to wait for Lenovo to release firmware to fix. Keep tabs on your device updates. Although I question if every devices affected will get fix? I have my doubts. 

What's DOS?
Posts: 1
Registered: ‎11-22-2017
Location: US
Message 4 of 10 (3,820 Views)

Re: Update vulnerable Intel ME on Linux

Same for me (T460s). Really looking forward to a firmware update utility for Linux.

fen
Punch Card
Posts: 10
Registered: ‎01-02-2009
Location: US
Message 5 of 10 (3,785 Views)

Re: Update vulnerable Intel ME on Linux

[ Edited ]

Same for me (T460s). Never liked the Management Engine - a ghost processor I have no control over nor way to monitor that has access to all my files and processes.

*** Host Computer Information ***
Name: truckin
Manufacturer: LENOVO
Model: 20F9CTO1WW
Processor Name: Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz
OS Version: (4.13.12-1-ARCH)

*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 11.0.18.1002
SVN: 1

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is vulnerable

The Lenovo Security Advisory  points to Chipset updates that run under Windows. Will there be a Linux-based updater?

Paper Tape
Posts: 4
Registered: ‎10-20-2017
Location: SI
Message 6 of 10 (3,620 Views)

Re: Update vulnerable Intel ME on Linux

Risk Assessment
Based on the analysis performed by this tool: This system is vulnerable.


Explanation:
The detected version of the Intel(R) Management Engine firmware is considered vulnerable for INTEL-SA-00086. Contact your system manufacturer for support and remediation of this system.
For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

INTEL-SA-00086 Detection Tool
Application Version: 1.0.0.128
Scan date: 22. 11. 2017 23:45:19

Host Computer Information
Name: I700
Manufacturer: LENOVO
Model: 80RU
Processor Name: Intel(R) Core(TM) i5-6300HQ CPU @ 2.30GHz
OS Version: Microsoft Windows 10 Pro

Intel(R) ME Information
Engine: Intel(R) Management Engine
Version: 11.0.0.1202 
SVN: 1

Copyright(C) 2017, Intel Corporation, All rights reserved.

IdeaPad 700 is also vulnerable but I don't see it on this list https://support.lenovo.com/si/en/product_security/len-17297#IdeaPad. Did you miss it?

What's DOS?
Posts: 1
Registered: ‎11-23-2017
Location: DE
Message 7 of 10 (3,497 Views)

Re: Update vulnerable Intel ME on Linux

Im stuck on an insecure version as Im running Ubuntu 17.04

 

$ sudo ./intel_sa00086.py
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved

Application Version: 1.0.0.128
Scan date: 2017-11-23 11:16:24 GMT

*** Host Computer Information ***
Name: x1carbon
Manufacturer: LENOVO
Model: 20HRCTO1WW
Processor Name: Intel(R) Core(TM) i7-7600U CPU @ 2.80GHz
OS Version: Ubuntu 17.04 zesty (4.10.0-21-generic)

*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 11.6.10.1196
SVN: 1

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is vulnerable.
Explanation:
The detected version of the Intel(R) Management Engine firmware is considered vulnerable for INTEL-SA-00086.
Contact your system manufacturer for support and remediation of this system.


For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

I need a USB bootable fix for this.  As the x1carbon does not have a CD / DVD drive.  Please dont make a Windows bootable CD again.

Fanfold Paper
Posts: 3
Registered: ‎01-31-2016
Location: US
Message 8 of 10 (3,269 Views)

Re: Update vulnerable Intel ME on Linux

I did manage to patch my Linux - only Thinkpad P50 with the Windows patch available from Lenovo here : https://support.lenovo.com/bg/en/product_security/len-17297 . The procedure however is somewhat arcane and I do not volunteer to guide you through the details. Just the basic scheme :

 

1/ Use a Windows virtual machine to create a Windows To Go installation on an USB drive. The tool for that is available here : https://rufus.akeo.ie/

2/ Boot from the Windows To Go drive and install a driver pack from Lenovo.

3/ Run the Lenovo fix tool.

 

Now the system shows up as fixed under both Windows and Linux.

 

Fanfold Paper
Posts: 4
Registered: ‎01-31-2015
Location: US
Message 9 of 10 (1,923 Views)

Re: Update vulnerable Intel ME on Linux

Finally patched this vulnerability, but it took quite some time to prepare. I've used this guide: https://www.flamingspork.com/blog/2017/11/22/updating-windows-management-engine-firmware-on-a-lenovo...

Some steps can be skipped, e.g. step 5, as driver files were already extracted, but in different directory.

It is important to disable Secure boot and turn on Legacy boot mode when booting winpe.

Lenovo, please make update process easier for Linux users.

What's DOS?
Posts: 2
Registered: ‎01-10-2017
Location: US
Message 10 of 10 (1,588 Views)

Re: Update vulnerable Intel ME on Linux

Can we look forward to a firmware update tool that runs on Linux? I have a Lenovo X1 Carbon (4th Gen).

Top kudoed Authors