View unanswered posts | View active topics It is currently Mon Nov 12, 2018 5:47 pm



Reply to topic  [ 5 posts ] 
 Intel SA0086 and Spectre/Meltdown [Solved] 
Author Message

Joined: Sun Jan 14, 2018 12:10 pm
Posts: 3
Post Intel SA0086 and Spectre/Meltdown [Solved]
Hi,

just ran the official intel checker tool (intense pc pro), and according to the tool the intense pc is vulnerable.

1) Will there be a BIOS Update (latest is from mid 2017) to mitigate intel SA00086?

2) What's the status regarding Meltdown/Spectre?

Thanks for any info about these nasty topics,

Max

---tool output 1
Code:
#root@intense:/home/hra# python intel_sa00086.py
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved

Application Version: 1.0.0.146
Scan date: 2018-01-14 12:04:10 GMT

*** Host Computer Information ***
Name: intense
Manufacturer: CompuLab
Model: Intense-PC
Processor Name: Intel(R) Core(TM) i7-3517UE CPU @ 1.70GHz
OS Version: debian 9.3  (4.9.0-5-amd64)

*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 8.1.71.3608
SVN: 0

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is vulnerable.
Explanation:
The detected version of the Intel(R) Management Engine firmware
  is considered vulnerable for INTEL-SA-00086.
  Contact your system manufacturer for support and remediation of this system.

For more information refer to the INTEL-SA-00086 Detection Tool Guide or the
  Intel Security Advisory Intel-SA-00086 at the following link:
  https://www.intel.com/sa-00086-support


tool output 2:
Code:
./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.29

Checking for vulnerabilities against running kernel Linux 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64
CPU is Intel(R) Core(TM) i7-3517UE CPU @ 1.70GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  UNKNOWN
> STATUS:  UNKNOWN  (couldn't check (missing 'readelf' tool, please install it, usually it's in the 'binutils' package))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer



Last edited by maxodoble on Tue Jan 16, 2018 4:17 pm, edited 1 time in total.



Sun Jan 14, 2018 12:20 pm
Profile
Site Admin

Joined: Mon Dec 25, 2017 4:21 pm
Posts: 170
Post Re: Intel SA0086 and Spectre/Meltdown
Sent a PM with the relevant information.


Mon Jan 15, 2018 1:44 pm
Profile

Joined: Sun Jan 14, 2018 12:10 pm
Posts: 3
Post Re: Intel SA0086 and Spectre/Meltdown
tamir wrote:
Sent a PM with the relevant information.


o.k tried your suggestion: unsuccessful:

Code:
Initialise Flash module
Read current BIOS
Error: The EVSA region space is exhausted
Error 236...


so: what can be done to mitigate this problem?

Thanks


Tue Jan 16, 2018 11:37 am
Profile

Joined: Sun Jan 14, 2018 12:10 pm
Posts: 3
Post Re: Intel SA0086 and Spectre/Meltdown
thanks much,

your second suggestion via PM went through successfully.
intel tool shows now:

Code:
root@intense:/home/hra# python intel_sa00086.py
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved

Application Version: 1.0.0.146
Scan date: 2018-01-16 16:09:08 GMT

*** Host Computer Information ***
Name: intense
Manufacturer: CompuLab
Model: Intense-PC
Processor Name: Intel(R) Core(TM) i7-3517UE CPU @ 1.70GHz
OS Version: debian 9.3  (4.9.0-5-amd64)

*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 8.1.72.3002
SVN: 0

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is not vulnerable. It has already been patched.

For more information refer to the INTEL-SA-00086 Detection Tool Guide or the
  Intel Security Advisory Intel-SA-00086 at the following link:
  https://www.intel.com/sa-00086-support



I consider this matter resolved,
thanks again,

Max

P.S: Why not releasing the files and procedure publicly for all intense pc users?


Tue Jan 16, 2018 4:15 pm
Profile

Joined: Wed Aug 29, 2012 12:18 am
Posts: 66
Post Re: Intel SA0086 and Spectre/Meltdown [Solved]
How did you get past that bios flashing error?

Error: The EVSA region space is exhausted
Error 236...

I'm having that error.

I upgraded Ver 2 of bios to 3. But revert'd back to troubleshoot an issue. But it flash forward to ver 3 again. It error's out with that error. Even the ver 4 Tamir sent me that flashes with shellflash64.efi is giving me that error.

How did you get around the issue?


Wed Feb 07, 2018 11:18 pm
Profile
Display posts from previous:  Sort by  
Reply to topic   [ 5 posts ] 

Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group.
Designed by STSoftware for PTF.