This is a static archive of the old Zorin Forum.


Intel Flaw - Management Engine (M E)

Finston Pickle

Wed Dec 06, 2017 6:41:31 pm

I'm not aware of Zorin 12 using the Intel M E feature to enable remote control of the laptop or PC.

Does this mean that anyone using Intel i3, i5 and i7 CPUs in their Zorin 12 laptop or PC will not need a firmware update from their device manufacturer?

OR

Are Zorin12 OS updates etc. or other made using the ME feature?

Swarfendor437

Wed Dec 06, 2017 11:25:37 pm

Most hardware code will come from maintainers of the GNU/Linux kernel. What Zorin do is add security and other enhancements based on the DE Zorin provides. And remember Intel is commonly referred to as Wintel even though their employees are banned from using the term. ;) :D

Finston Pickle

Thu Dec 07, 2017 8:17:59 pm

No need to worry then?

Swarfendor437

Fri Dec 08, 2017 1:06:26 pm

Are you asking in terms of OS Stability or Security? ;) :D

Finston Pickle

Fri Dec 08, 2017 7:05:07 pm

Well - I don't know.

As far as what I read and for Windows users, it seems as this flaw makes possible the remote accessing of PCs and laptops and the potential insertion of malicious code into the separate processor in the Intel CPU which handles the Management Engine (M E) function and thereby into the HDD. Whether the OS stability or security could be compromised? - I guess both could be.

I just wondered whether Linux in general makes use of the Management Engines of various CPUs and in particular Intel i3, i5, and i7.

zorinantwerp

Fri Dec 08, 2017 8:13:59 pm

Intel provides a 'detection tool' for Windows and Linux
Code:
https://downloadcenter.intel.com/download/27150

Swarfendor437

Fri Dec 08, 2017 11:35:56 pm

I would follow zorinantwerp's advice - more information here:

https://www.wired.com/story/intel-manag ... rvers-iot/

and here:

https://www.intel.com/content/www/us/en ... tware.html

and here:

https://thenextweb.com/security/2017/11 ... d-via-usb/

Thanks for bringing this to our attention Finston.

It would appear that only Lenovo are offering a solution at present and as usual it is left for the Vendors of hardware to pick up Intel's rose manure!

Finston Pickle

Mon Dec 11, 2017 8:24:35 am

Thanks for the updates.

I will comb through the advice and see if I can run the command line thingy - I hope there are full instructions - I am quite weak here.

I have also raised the topic with Entroware, who are a bespoke linux PC and Laptop supply company based in Liverpool.

I guess that their reply should be as good if not better than Lenovo's and apply to all Linux flavours.

Swarfendor437

Mon Dec 11, 2017 1:09:09 pm

Hi, see my Global Announcement which I have just updated here:

viewtopic.php?f=3&t=13588

Covers GNU/Linux and Windows

(Wonder why Macs aren't affected?)

Finston Pickle

Mon Dec 11, 2017 3:50:31 pm

Further Internet research has revealed that all the vulnerabilities apart from CVE-2017-5712 require physical access to your machine. Unlikely in my home environment.

For CVE-2017-5712: "Buffer overflow in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allows attacker with remote Admin access to the system to execute arbitrary code with AMT execution privilege." People with network access to a machine, and can log in as an admin, can execute code within the AMT suite.

AMT execution privilege is given by Intel seemingly - who to is not clear, but presumably motherboard and PC manufacturers. Had a thought that UEFI or safe Start might use it, but both were disabled on my machine by the manufacturer.

Can't say I am too worried at this stage even if I ran the Intel checker and found positives. Comments?

Also the risk assessment result Swarf received seems a bit woolly - is the machine at risk or not?

Swarfendor437

Mon Dec 11, 2017 7:20:33 pm

What it is saying is that it could be vulnerable - the two Skylake Processor machines I built for family members have had the Asus fix applied - better to be safe than sorry. ;) :D

Finston Pickle

Tue Dec 12, 2017 10:20:07 am

Thanks Swarf - Point taken - I'm going to run intel_sa00086.py once I have figured out how to do it by following your Global Announcement posting.

Finston Pickle

Tue Dec 12, 2017 10:24:13 am

I was going to post this on the Global announcement, but it is locked.

I have been asked by Entroware to run the Intel diagnostic intel_sa00086.py. I should be able to do this but I and perhaps some Newbies, would like some help.

I have downloaded and "extracted here" and the file is at home>downloads>SA0086>intel_sa00086.py and I have given the files the permissions that Swarf recommended.

The problem is one of a logical mind confused by years of Windows slashes one way and Linux going the other, coupled with having no idea where about in the file system the command-line starts - is it Home, Computer, USR or what?

So, the issue is how to follow Swarf's advice and navigate to the file before entering the run command. Can someone help, please?

Swarfendor437

Tue Dec 12, 2017 1:13:41 pm

OK, you download the .tar.gz file to Downloads - you extract it here and it makes a folder of the same name with all the files in it - once all permissions have been set on the files I quoted you are good to go.

Open a Terminal - from the Menu it is under Utilities or keyboard shortcut of Ctrl+Alt+T. Then navigate to the folder with the python file in it like this.

1. cd Downloads
2. cd sa00086_Linux
3. now enter the command

Code:
python ./intel_sa00086.py
- now I have to admit, when I did it I may have run it as:

Code:
sudo ./intel_sa00086.py
it still ran - I would put 'sudo' in front of the 'python' bit at the start but spaced as:

Code:
sudo python ./intel_sa00086.py


What I failed to notice from the download page of the detection tool is a list of manufacturers at the bottom who have supplied a fix - Samsung is ominously missing!

Finston Pickle

Tue Dec 12, 2017 3:40:31 pm

Thanks for the update, Swarf, I am sure it will help more people than just me.

Entroware have told me they are working on a fix for my Kratos 1000 machine, which I will share in a separate posting, along with my hardware details - in case others have the same spec. machines.

Finston Pickle

Wed Dec 13, 2017 8:11:39 am

Swarf, I found that I had to use cd SA00086_Linux (This might help others).

Other than that everything worked well.

Thanks again.

Swarfendor437

Wed Dec 13, 2017 1:13:43 pm

Finston Pickle wrote:Swarf, I found that I had to use cd SA00086_Linux (This might help others).

Other than that everything worked well.

Thanks again.


See 2. in my post above!

"2. cd sa00086"

;) :D

Finston Pickle

Wed Dec 13, 2017 6:52:44 pm

"cd sa00086" was not recognised by my Zorin 12 machine; "cd SA00086_Linux" was.

Minor point really - thanks again for your posting of the details.

Swarfendor437

Wed Dec 13, 2017 8:35:15 pm

Finston Pickle wrote:"cd sa00086" was not recognised by my Zorin 12 machine; "cd SA00086_Linux" was.

Minor point really - thanks again for your posting of the details.


:oops: can't even read my own Global posting correctly! :lol:

Have corrected earlier posting! ;)
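
The navigation steps discussed in the thread, as an added shell example that is not part of any post and not Intel's code: it locates the extracted `intel_sa00086.py` without relying on the case-sensitive folder name that caused the `cd` confusion above. The function names `find_sa00086` and `run_sa00086` are hypothetical, and a `find` that supports `-maxdepth` and `-iname` (GNU or BSD) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread or from Intel): find the extracted
# detection script without typing the case-sensitive folder name.
# find_sa00086 and run_sa00086 are hypothetical helper names.

# Print the path of intel_sa00086.py found under DIR (default: ~/Downloads).
find_sa00086() {
    search_root=${1:-"$HOME/Downloads"}
    if [ ! -d "$search_root" ]; then
        echo "no such directory: $search_root" >&2
        return 2
    fi
    # find descends into the extracted folder however its name is spelled;
    # -iname also ignores case in the file name itself.
    # sort + head give one stable result if the archive was extracted twice.
    match=$(find "$search_root" -maxdepth 3 -type f -iname 'intel_sa00086.py' \
            2>/dev/null | sort | head -n 1)
    if [ -z "$match" ]; then
        echo "intel_sa00086.py not found under $search_root" >&2
        return 1
    fi
    printf '%s\n' "$match"
}

# Change into the script's folder and run it with the command from the thread.
run_sa00086() {
    script=$(find_sa00086 "$1") || return $?
    cd "$(dirname "$script")" || return 1
    sudo python ./intel_sa00086.py
}
```

After sourcing the file in a terminal, `run_sa00086` with no argument searches `~/Downloads`; pass another folder as the first argument if the archive was extracted elsewhere.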