
Intel CPUs since Skylake susceptible to USB vulnerability


Kenrou

http://www.guru3d.com/news-story/intel-cpus-since-skylake-susceptible-to-usb-vulnerability.html

"For some details, we'll have to wait, but what's known now is bad enough: Positive has confirmed that recent revisions of Intel's Management Engine (IME) feature Joint Test Action Group (JTAG) debugging ports that can be reached over USB. JTAG grants you pretty low-level access to code running on a chip, and thus we can now delve into the firmware driving the Management Engine."
 
It's only what was checked recently, but who says that previous series were "safe"? There have been issues with Intel USB for as long as I remember. Nearly every generation has some issues.

The other thing is that I have had enough of Win10 already. Recently at one client's office, after a Win10 update, all computers have issues and MS says pay for support as it's not their fault :blah: Windows update was turned off on these computers and still installed updates.
 
The potential attack over the USB connector (doesn't actually communicate over USB as I understand it) is quite technical, so I think for home users the risk from this is very slim. Someone is going to have to really want to go after you to make use of this.

Windows update was turned off on these computers and still installed updates.

How was it disabled? I've found stopping and disabling the WU service works on my systems, at least up to FCU where it is too early to say.
 
There was a domain policy which was supposed to disable it on all client workstations, but it didn't work and some updates were still installing. So we turned off the service manually on each PC, but some updates were still installing. After the last updates some regional settings lost their owner, and I mean like in the registry: the regional settings group has no owner, so even an administrator can't change it. A couple of months ago on some computers there was something else. Every domain user except admins couldn't log onto the user's account. It was automatically logging off each non-admin user. On single computers you can reinstall the OS to fix it, but when there are 50+ computers in 2 towns 300km+ from each other then it already takes some time and money.
 
It's only what was checked recently, but who says that previous series were "safe"? There have been issues with Intel USB for as long as I remember. Nearly every generation has some issues.

The other thing is that I have had enough of Win10 already. Recently at one client's office, after a Win10 update, all computers have issues and MS says pay for support as it's not their fault :blah: Windows update was turned off on these computers and still installed updates.


I got this
New Addition: Thanks to wagex for this link https://github.com/crazy-max/Windows...wiki/dataHosts If you don't have the equipment or know-how to stop all the little nasties from phoning home, via your router in your Windows 10 install, you can copy and paste to your Hosts file. Yes, Windows 7/8/8.1 are listed there, too. You didn't think M$ just started this game with W10, did you?

from here http://www.overclockers.com/forums/showthread.php/773926-quot-Cortana-you-re-fired!-quot

wagex has had the best solution I know of so far: stop the OS at the firewall. Just don't allow the various nasties to phone home by shutting off their access.
 
So I made a post in the Intel thread but I'll just go over it again here.

Don't put your tin foil hats on, and don't freak out. The ME module is somewhat new, although there are other forms of it in older chips (including AMD, ARM, etc). First off, the technical expertise needed to gain the root access shown by the security team is very very high. You also need to do this before the board gets to you, or, you know, a secret agent visits your house while you are on vacation. Either way, most of the requirements are disabled/turned off/removed by the time you receive the motherboard. Yes, you need the right motherboard hooks to get this to work. Besides, state governments have much better and less evasive tools to get into your systems. You don't need to worry about some Russian script kiddie trying to exploit this one.

Go about your business and make sure to say thank you to your webcam, your friendly Russian/American/Chinese/British/German government always appreciates it.
 
UPDATE: https://www.techpowerup.com/239016/...me-security-flaws-company-outs-detection-tool

TLDR: “Security researchers have found glaring security flaws with Intel Management Engine” ... “These security flaws render "potentially millions" of PCs and notebooks” ... “Intel on Monday released a Detection Tool application that lets you identify vulnerabilities” ... “suggests updates to Intel Management Engine drivers, or points to BIOS updates” ... “Updates to Intel ME are specific to TXE 3.0 (trusted execution engine version 3.0), which is featured on processors based on "Skylake," "Kaby Lake," and "Coffee Lake".”
 
Just tried the tool, and not surprisingly it reported my main system as vulnerable. I went to Asus website to check for my main system mobo and there was an ME update dated 2017/11/09, so it has potentially been out for a while. I'll install that shortly. Note it doesn't appear to be a new bios, just an ME update. I'll also have the fun of looking at other systems similarly.

:) Asrock Z370 Pro4 - Current bios not vulnerable, presumably ME update included in bios 1.30 dated 2017/11/2
:) Asus Z170 Maximus VIII Hero - ME update available, dated 2017/11/22
:) Asus Z170I Pro Gaming - ME update available, dated 2017/12/10
:) MSI GE62 6QF - bios (2017-12-08) and ME update (2017-12-12) available. Need to update bios then ME.

:( Asus X299 TUF Mark 2 - current bios vulnerable, dated 2017/12/10
:( MSI Z170A Gaming Pro - current bios vulnerable, dated 2017-04-24
 
Gigabyte has had it since June 28 (for my board, anyway). Not the best news as I just got several issues fixed with the BIOS. Haven't had the best luck mucking about with it on this board. :bang head
 
Bios updates are still trickling in... I need to update the table above when I get a chance.

Asus Z170I got an update.
MSI GE62 6QF got an update.

Going by Batboy's posts in another thread the X299 TUF mk2 update doesn't fix it, but I still haven't had a chance to try myself yet.
I also found one of my HPE systems is also vulnerable, but the bios update is behind a paywall so I can't get it. As such they just lost my recommendation of their entry server kit as an alternative to consumer level gear.
 
Reflashed mine twice. Once for the HT issue and once for the microcode. Now it's all screwed up again and booting in to Windows 7 is a convoluted PITA once again. Last Gigabyte board I'll be buying. I like the audio quality, but I'll just get an outboard DAC and go back to Asus.
 
It's patchy day!

Asus Z170I has ME update. Couldn't install at first asking me to update driver. Turned out my MEI driver was too old, got latest one hidden on the mobo download page and it installed no fuss after that.
MSI GE62 6QF laptop needed two step update. First a new bios to enable the ME update, and ME update itself.
Asus X299 TUF Mark 2 update installed. Confirmed this does NOT update ME so remains vulnerable. Pull your finger out Asus!

No news on MSI Z170A Gaming Pro yet.
 
No tin foil hat for me! The 1.60 BIOS, dated 12/5/17, included ME 11.8.50.3425 as well as some VGA compatibility update for my ASRock Z370M-ITX/ac.
 
Not to troubleshoot in this thread, but... set your shyte back to stock and see if it happens... or dig and find out what process actually died. ;)
 