蓝盟诗人[LUC]蓝客联盟

忘记密码

Intel CPU处理芯片近日被爆出存在设计缺陷(Intel-SA-00086)(英文)

2018-01-04 13:03 作者: 来源: Intel 浏览: 218 views 我要评论 字号:

1.Related Articles

intel-sa-00086-support (Engilish)

intel-sa-00086-support-en

intel-sa-00086-support (中文)

intel-sa-00086-support-cn

intel-sa-00086-offical-security-center-notice

intel-sa-00086-offical-security-center-notice

Intel SA-00086 Detection Tool 下载

Intel SA-00086 Detection Tool Download英特尔处理器ME管理引擎安全漏洞检测工具 下载

2.Details

Intel® Management Engine (Intel® ME 6.x/7.x/8.x/9.x/10.x/11.x), Intel® Trusted Execution Engine (Intel® TXE 3.0), and Intel® Server Platform Services (Intel® SPS 4.0) vulnerability (Intel-SA-00086)

In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of the following with the objective of enhancing firmware resilience:

  • Intel® Management Engine (Intel® ME)
  • Intel® Trusted Execution Engine (Intel® TXE)
  • Intel® Server Platform Services (SPS)

Intel has identified security vulnerabilities that could potentially impact certain PCs, servers, and IoT platforms.

Systems using Intel ME Firmware versions 6.x-11.x, servers using SPS Firmware version 4.0, and systems using TXE version 3.0 are impacted. You may find these firmware versions on certain processors from the:

  • 1st, 2nd, 3rd, 4th, 5th, 6th, 7th, and 8th generation Intel® Core™ Processor Families
  • Intel® Xeon® Processor E3-1200 v5 and v6 Product Family
  • Intel® Xeon® Processor Scalable Family
  • Intel® Xeon® Processor W Family
  • Intel Atom® C3000 Processor Family
  • Apollo Lake Intel Atom® Processor E3900 series
  • Apollo Lake Intel® Pentium® Processors
  • Intel® Pentium® Processor G Series
  • Intel® Celeron® G, N, and J series Processors

To determine if the identified vulnerabilities impact your system, download and run the Intel-SA-00086 Detection tool using the links below.

Available resources

Resources for Microsoft and Linux* users

NoteVersions of the INTEL-SA-00086 Detection Tool earlier than 1.0.0.146 did not check for CVE-2017-5711 and CVE-2017-5712. These CVEs only affect systems with Intel® Active Management Technology (Intel® AMT) version 8.x-10.x. Users of systems with Intel AMT 8.x-10.x are encouraged to install version 1.0.0.146, or later. Installing this version helps to verify the status of their system with regard to the INTEL-SA-00086 Security Advisory. You can check the version of the INTEL-SA-00086 Detection Tool by running the tool and looking for the version information in the output window.

Resources from system/motherboard manufacturers

NoteLinks for other system/motherboard manufacturers will be provided when available. If your manufacturer is not listed, contact them for information on the availability of the necessary software update.

Frequently asked questions:

Q: The Intel-SA-00086 Detection Tool reports that my system is vulnerable. What do I do?
A: 
Intel has provided system and motherboard manufacturers with the necessary firmware and software updates to resolve the vulnerabilities identified in Security Advisory Intel-SA-00086.

Contact your system or motherboard manufacturer regarding their plans for making the updates available to end users.

Some manufacturers have provided Intel with a direct link for their customers to obtain additional information and available software updates (Refer to the list below).

Q: Why do I need to contact my system or motherboard manufacturer? Why can’t Intel provide the necessary update for my system?
A: 
Intel is unable to provide a generic update due to management engine firmware customizations performed by system and motherboard manufacturers.

Q: My system is reported as may be Vulnerable by the Intel-SA-00086 Detection Tool. What do I do?
A: 
A status of may be Vulnerable is usually seen when either of the following drivers aren't installed:

  • Intel® Management Engine Interface (Intel® MEI) driver
or
  • Intel® Trusted Execution Engine Interface (Intel® TXEI) driver

Contact your system or motherboard manufacturer to obtain the correct drivers for your system.

Q: My system or motherboard manufacturer is not shown in your list. What do I do?
A: 
The list below shows links from system or motherboard manufacturers who have provided Intel with information. If your manufacturer is not shown, contact them using their standard support mechanisms (website, phone, email, and so on) for assistance.

Q: What types of access would an attacker need to exploit the identified vulnerabilities?
A: 
If the equipment manufacturer enables Intel-recommended Flash Descriptor write protections, an attacker needs physical access to platform’s firmware flash to exploit vulnerabilities identified in:

  • CVE-2017-5705
  • CVE-2017-5706
  • CVE-2017-5707
  • CVE-2017-5708
  • CVE-2017-5709
  • CVE-2017-5710
  • CVE-2017-5711

The attacker gains physical access by manually updating the platform with a malicious firmware image through flash programmer physically connected to the platform’s flash memory. Flash Descriptor write-protection is a platform setting usually set at the end of manufacturing. Flash Descriptor write-protection protects settings on the Flash from being maliciously or unintentionally changed after manufacturing is completed.

If the equipment manufacturer doesn't enable Intel-recommended Flash Descriptor write protections, an attacker needs Operating kernel access (logical access, Operating System Ring 0). The attacker needs this access to exploit the identified vulnerabilities by applying a malicious firmware image to the platform through a malicious platform driver.

The vulnerability identified in CVE-2017-5712 is exploitable remotely over the network in conjunction with a valid administrative Intel® Management Engine credential. The vulnerability is not exploitable if a valid administrative credential is unavailable.

If you need further assistance, contact Intel Customer Support to submit an online service request.

打印
分享到:
复制链接

发表评论

*

* (保密)

icon_wink.gif icon_neutral.gif icon_mad.gif icon_twisted.gif icon_smile.gif icon_eek.gif icon_sad.gif icon_rolleyes.gif icon_razz.gif icon_redface.gif icon_surprised.gif icon_mrgreen.gif icon_lol.gif icon_idea.gif icon_biggrin.gif icon_evil.gif icon_cry.gif icon_cool.gif icon_arrow.gif icon_confused.gif icon_question.gif icon_exclaim.gif

Ctrl+Enter 快捷回复

会员登录关闭

记住我 忘记密码

注册会员关闭

小提示: 您的密码会通过填写的"电子邮箱"发送给您.