This is a static archive of the old Zorin Forum.


Intel Management Engine Security issue and how to fix

Swarfendor437

Sun Dec 10, 2017 10:42:34 pm

[UPDATED 13.12.2017]

Windows and GNU/Linux
First download the GNU/Linux detection tool to test if your processor is vulnerable from here:

https://downloadcenter.intel.com/download/27150

[Scroll to the bottom of the page to see which hardware manufacturers have released a fix]

GNU/Linux
Download the .tar.gz file to your Downloads folder.
Extract all the files into this location - it should create a folder, with the same name as the .tar.gz file, containing all the necessary files.
The Python file that sits outside the other folders (intel_sa00086.py) needs checking to make sure the 'executable' element is check-marked in the permissions tab.
There are two other items inside of 'common' (spsInfoLinux64 and spsInfoLinux64_3) that also need to be checked for permissions as executables. (In Zorin 12 they are automatically marked as 'executable' in the permissions tab - I cannot vouch the same for Zorin 9.)

Open a Terminal and navigate to Downloads | SA00086_Linux and enter

Code:
python ./intel_sa00086.py


Here were the results of a machine at work:

"vidmaker1@vspersamsung1:~/Downloads$ cd SA00086_Linux
vidmaker1@vspersamsung1:~/Downloads/SA00086_Linux$ sudo ./intel_sa00086.py
[sudo] password for vidmaker1:
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved

Application Version: 1.0.0.146
Scan date: 2017-12-11 09:56:51 GMT

*** Host Computer Information ***
Name: vspersamsung1
Manufacturer: SAMSUNG ELECTRONICS CO., LTD.
Model: R530/R730/R540
Processor Name: Intel(R) Core(TM) i3 CPU M 380 @ 2.53GHz
OS Version: Zorin 12 xenial (4.10.0-40-generic)

*** Risk Assessment ***
Detection Error: This system may be vulnerable,
either the Intel(R) MEI/TXEI driver is not installed
(available from your system manufacturer)
or the system manufacturer does not permit access
to the ME/TXE from the host driver.

For more information refer to the INTEL-SA-00086 Detection Tool Guide or the
Intel Security Advisory Intel-SA-00086 at the following link:
https://www.intel.com/sa-00086-support

vidmaker1@vspersamsung1:~/Downloads/SA00086_Linux$" (End of Terminal Report)

Have visited the Samsung site in the UK and their interface is appalling - when you want to send an email to support it wants to direct you to FAQs!

Windows
Having built two PCs for family members using Asus Maximus VIII Ranger motherboards, I had to go to the Asus website to download the correct fix for Windows. I am not sure what the method is for GNU/Linux from Asus, but I am just sharing with you the information in respect of Windows. One PC had Windows 7 Pro and another Windows 8.1 Pro - it would appear that the same fix works on both versions of Windows. Newer Asus motherboards (Z370 processors) have a BIOS item to update that will fix this.

Personally I prefer AMD processors. Any Intel processor produced since 2008 is potentially vulnerable. Also, after you have applied the fix, run the detection tool again - it should report your processor as patched.

Anyone with an Asus Motherboard should go to their site and go to the Product Page | Support then look for Drivers and download the ME Update Tool from that Page.

Boards with Z170 and Z270 update via the downloaded fix from within Windows, but be sure to stop all running applications such as Spotify, Skype, and any ancillary apps in the System Tray, then disconnect from the Internet, then close your antivirus program. Before extracting the ME update tool, check the download integrity against the md5 sum using the md5free tool from Winmd5.com - you need to check the integrity of the zip file, NOT its contents!

Z370 boards from ASUS have an update tool from within the BIOS utility.

How to use winmd5 in my tutorial video here:

http://www.veoh.com/watch/v28335038JpeNGXzP

Please be advised that Asus uses md5 - other manufacturers may use SHA256 verification. For that look here:

https://www.maketecheasier.com/verif...sum-windows10/

Macs

Interesting article here:

https://apple.stackexchange.com/questio ... ble/306973
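
The GNU/Linux steps in the post above (checking the executable bit on intel_sa00086.py and the two helpers in 'common' before running the tool) can be scripted as a pre-flight check. This is an added example, not part of the original post or of Intel's tool; the function names are hypothetical, and the check for `/dev/mei*` device nodes assumes the kernel's MEI driver exposes them under that name.

```python
"""Pre-flight check before running intel_sa00086.py (added example)."""
import glob
import os
import stat
import sys

# Files the post says must be marked executable, relative to the extracted folder.
REQUIRED_EXECUTABLES = (
    "intel_sa00086.py",
    os.path.join("common", "spsInfoLinux64"),
    os.path.join("common", "spsInfoLinux64_3"),
)

def missing_exec_bits(tool_dir):
    """Return (file, reason) for required files that are absent or not owner-executable."""
    problems = []
    for rel in REQUIRED_EXECUTABLES:
        path = os.path.join(tool_dir, rel)
        if not os.path.isfile(path):
            problems.append((rel, "missing"))
        elif not os.stat(path).st_mode & stat.S_IXUSR:
            problems.append((rel, "not executable"))
    return problems

def fix_exec_bits(tool_dir):
    """Add the owner-execute bit (chmod u+x) where it is missing; return the files fixed."""
    fixed = []
    for rel, reason in missing_exec_bits(tool_dir):
        if reason == "not executable":
            path = os.path.join(tool_dir, rel)
            os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
            fixed.append(rel)
    return fixed

def mei_device_nodes(dev_dir="/dev"):
    """List MEI device nodes (assumed naming: /dev/mei0, /dev/mei) created by the host driver."""
    return sorted(glob.glob(os.path.join(dev_dir, "mei*")))

if __name__ == "__main__":
    # Default path is the folder used in the post's terminal session.
    tool_dir = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Downloads/SA00086_Linux")
    for rel, reason in missing_exec_bits(tool_dir):
        print(f"{rel}: {reason}")
    print("fixed:", fix_exec_bits(tool_dir) or "nothing to fix")
    nodes = mei_device_nodes()
    if nodes:
        print("MEI device nodes:", ", ".join(nodes))
    else:
        print("No /dev/mei* node found: the tool is likely to report a Detection Error")
```

A missing device node matches the "Intel(R) MEI/TXEI driver is not installed" case in the report above, where the tool cannot confirm whether the firmware is patched.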