Intel SA0086 and Spectre/Meltdown [Solved]

maxodoble
Posts: 3
Joined: Sun Jan 14, 2018 12:10 pm

Intel SA0086 and Spectre/Meltdown [Solved]

Post by maxodoble »

Hi,

Just ran the official Intel checker tool (Intense PC Pro), and according to the tool the Intense PC is vulnerable.

1) Will there be a BIOS update (latest is from mid 2017) to mitigate Intel SA00086?

2) What's the status regarding Meltdown/Spectre?

Thanks for any info about these nasty topics,

Max

---tool output 1

Code:

#root@intense:/home/hra# python intel_sa00086.py 
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved

Application Version: 1.0.0.146
Scan date: 2018-01-14 12:04:10 GMT

*** Host Computer Information ***
Name: intense
Manufacturer: CompuLab
Model: Intense-PC
Processor Name: Intel(R) Core(TM) i7-3517UE CPU @ 1.70GHz
OS Version: debian 9.3  (4.9.0-5-amd64)

*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 8.1.71.3608
SVN: 0

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is vulnerable.
Explanation:
The detected version of the Intel(R) Management Engine firmware
  is considered vulnerable for INTEL-SA-00086.
  Contact your system manufacturer for support and remediation of this system.

For more information refer to the INTEL-SA-00086 Detection Tool Guide or the
  Intel Security Advisory Intel-SA-00086 at the following link:
  https://www.intel.com/sa-00086-support

---tool output 2

Code:

./spectre-meltdown-checker.sh 
Spectre and Meltdown mitigation detection tool v0.29

Checking for vulnerabilities against running kernel Linux 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64
CPU is Intel(R) Core(TM) i7-3517UE CPU @ 1.70GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  UNKNOWN 
> STATUS:  UNKNOWN  (couldn't check (missing 'readelf' tool, please install it, usually it's in the 'binutils' package))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer

Last edited by maxodoble on Tue Jan 16, 2018 4:17 pm, edited 1 time in total.
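
As an added example (not part of the original post, and not code from the checker project): a small Python parser that turns the report text quoted above into a per-CVE status map and counts UNKNOWN as unverified rather than safe, since the Variant 1 check here could not run without `readelf`. The function names are assumptions, and the regexes assume the v0.29 text layout shown in the post.

```python
import re

# Header and STATUS lines copied from the v0.29 report quoted in the post above
# (detail lines trimmed; trailing spaces removed).
SAMPLE_REPORT = """\
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  UNKNOWN
> STATUS:  UNKNOWN  (couldn't check (missing 'readelf' tool, please install it, usually it's in the 'binutils' package))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
*   Kernel compiled with retpoline option:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* PTI enabled and active:  YES
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)
"""

ANSI = re.compile(r"\x1b\[[0-9;]*m")  # colour codes present when output is captured from a terminal
HEADER = re.compile(r"^(CVE-\d{4}-\d+)\s+\[(.+?)\]")
STATUS = re.compile(r"^>\s*STATUS:\s+(NOT VULNERABLE|VULNERABLE|UNKNOWN)\s*(?:\((.*)\))?\s*$")


def parse_report(text):
    """Return {cve: {"name", "status", "reason"}} from the checker's text report."""
    findings, current = {}, None
    for raw in text.splitlines():
        line = ANSI.sub("", raw).strip()
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            # Fail closed: a CVE section without a STATUS line stays UNKNOWN.
            findings[current] = {"name": header.group(2), "status": "UNKNOWN",
                                 "reason": "no STATUS line found"}
            continue
        status = STATUS.match(line)
        if status and current:
            findings[current].update(status=status.group(1), reason=status.group(2) or "")
    return findings


def unverified(findings):
    """CVEs not confirmed mitigated: VULNERABLE and UNKNOWN both count."""
    return sorted(c for c, f in findings.items() if f["status"] != "NOT VULNERABLE")


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for cve in unverified(report):
        print(cve, report[cve]["status"], "-", report[cve]["reason"])
```
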

tamir
Site Admin
Posts: 419
Joined: Mon Dec 25, 2017 4:21 pm

Re: Intel SA0086 and Spectre/Meltdown

Post by tamir »

Sent a PM with the relevant information.

maxodoble
Posts: 3
Joined: Sun Jan 14, 2018 12:10 pm

Re: Intel SA0086 and Spectre/Meltdown

Post by maxodoble »

tamir wrote: Sent a PM with the relevant information.

O.k., tried your suggestion: unsuccessful:

Code:

Initialise Flash module
Read current BIOS
Error: The EVSA region space is exhausted
Error 236...

So: what can be done to mitigate this problem?

Thanks

maxodoble
Posts: 3
Joined: Sun Jan 14, 2018 12:10 pm

Re: Intel SA0086 and Spectre/Meltdown

Post by maxodoble »

Thanks much,

Your second suggestion via PM went through successfully.
Intel tool shows now:

Code:

root@intense:/home/hra# python intel_sa00086.py 
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved

Application Version: 1.0.0.146
Scan date: 2018-01-16 16:09:08 GMT

*** Host Computer Information ***
Name: intense
Manufacturer: CompuLab
Model: Intense-PC
Processor Name: Intel(R) Core(TM) i7-3517UE CPU @ 1.70GHz
OS Version: debian 9.3  (4.9.0-5-amd64)

*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 8.1.72.3002
SVN: 0

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is not vulnerable. It has already been patched.

For more information refer to the INTEL-SA-00086 Detection Tool Guide or the
  Intel Security Advisory Intel-SA-00086 at the following link:
  https://www.intel.com/sa-00086-support

I consider this matter resolved,
thanks again,

Max

P.S.: Why not release the files and procedure publicly for all Intense PC users?

emurach
Posts: 67
Joined: Wed Aug 29, 2012 12:18 am

Re: Intel SA0086 and Spectre/Meltdown [Solved]

Post by emurach »

How did you get past that BIOS flashing error?

Error: The EVSA region space is exhausted
Error 236...

I'm having that error.

I upgraded ver 2 of the BIOS to 3. But reverted back to troubleshoot an issue. But it flash forward to ver 3 again. It errors out with that error. Even the ver 4 Tamir sent me that flashes with shellflash64.efi is giving me that error.

How did you get around the issue?
