koldfront

Updating Intel ME on a Lenovo Carbon X1 3rd gen #commandline #computers #hardware #security

🕢︎ - 2017-12-09

No doubt to Andrew S. Tanenbaum's great joy recent news have revealed that many Intel processors run a version of Minix on some kind of extra "security" core.

Unfortunately it seems to be full of holes.

After downloading and running a tool from Intel to check whether my system was vulnerable, Intel-SA-00086 Detection Tool , and getting the unfortunate message:

  Based on the analysis performed by this tool: This system is vulnerable.
  Explanation:
  The detected version of the Intel(R) Management Engine firmware
    is considered vulnerable for INTEL-SA-00086.
    Contact your system manufacturer for support and remediation of this system.

I started looking for how to update the faulty code in my processor.

I found a description on how somebody updated their Lenovo X1 Carbon 5th gen, Solved: Re: X1 Carbon 5th gen on Linux: How to update Intel Management Engine 11.8 Firmware??, which was basically a couple of amendments to another guide: Updating Intel Management Engine firmware on a Lenovo without a Windows Install, which was written for a Gen 4.

Here is what I did to upgrade my Lenovo X1 Carbon 3rd gen running Debian unstable:

Running the detection tool now says:

  INTEL-SA-00086 Detection Tool
  Copyright(C) 2017, Intel Corporation, All rights reserved

Application Version: 1.0.0.146 Scan date: 2017-12-09 16:59:33 GMT

*** Host Computer Information *** Name: tullinup Manufacturer: LENOVO Model: 20BSCTO1WW Processor Name: Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz OS Version: debian buster/sid (4.14.0-1-amd64)

*** Intel(R) ME Information *** Engine: Intel(R) Management Engine Version: 10.0.56.3002 SVN: 0

*** Risk Assessment *** Based on the analysis performed by this tool: This system is not vulnerable. It has already been patched.

For more information refer to the INTEL-SA-00086 Detection Tool Guide or the Intel Security Advisory Intel-SA-00086 at the following link: https://www.intel.com/sa-00086-support

Yay.

Add comment

To avoid spam many websites make you fill out a CAPTCHA, or log in via an account at a corporation such as Twitter, Facebook, Google or even Microsoft GitHub.

I have chosen to use a more old school method of spam prevention.

To post a comment here, you need to:

¹ Such as Thunderbird, Pan, slrn, tin or Gnus (part of Emacs).

Or, you can fill in this form:

+=