How to mitigate issues with Intel Management Engine


Marcel


Hi all,

Last year's issues with Intel's Management Engine have been handled differently by different mainboard manufacturers.

While some include a fix within a BIOS upgrade, ASUS supplies an executable for Windows 10 to fix the ME.

Here is my problem: I am running an unRAID server as a host for multiple Windows 10 VMs.

Within a VM, even the detection tool for the vulnerability supplied by Intel does not work, as it claims the ME is not accessible.

So I tried to put the ME drivers, the detection tool and the fix onto a Windows 10 PE installation on a flash drive. That did not work either. All executables report "wrong Windows version".

Finally, I also got a Linux version of the detection tool from Intel (just a Python script) and ran that in a terminal directly within unRAID.

It ran but reported "no access to the ME" - the same problem as from within a Windows VM.

So here is my question:

How can I fix these Intel ME issues on a system running unRAID?

I don't suppose the Linux kernel is somehow taking care of it?

My only idea at this point is to create a Windows installation on a HDD and boot the system from that (with the unRAID flash drive not plugged in).

But that seems to be too much effort just to install a tiny patch.

Does anybody know more or have a better idea?

Cheers,

Marcel

@tdallen: thanks for the quick reply! :)

I don't see how a Linux distro on a USB stick would help at all.

The tool from ASUS to actually fix the Intel ME is only available for Windows anyway. Also, I did get the detection tool to run under unRAID just as well. The question is why it reported not having access to the ME.

My main question was more directed at understanding whether unRAID with the latest Linux kernel is already doing something about the Intel ME vulnerabilities or, if not, what LimeTech's idea on how to fix it is.

Cheers,

Marcel
  • 3 weeks later...

The Intel ME vulnerabilities require a BIOS fix. If your motherboard is still receiving BIOS updates, update your BIOS.

If, like most people (I assume), you're running unRAID on older hardware which no longer gets BIOS updates, there are still a few things you can do.

1. The most worrying aspect of the Intel ME vulnerabilities is that you can be remotely exploited, since Intel allows direct access to the ME through NIC integration (something AMD doesn't do). Fortunately, it seems that simply using a secondary NIC (e.g. from a PCI-e NIC card) mitigates this issue, since the ME is only configured to communicate through the built-in NIC.

2. It may also be possible to fully disable and/or remove Intel ME from your system using ME_Cleaner. Originally, ME_Cleaner simply deleted most of the ME partition from the BIOS and left only what was necessary for booting. Recently, however, it has integrated a soft_disable functionality which simply sets a specific flag in the ME firmware to "1", which prevents the ME from loading (interestingly, the NSA was behind forcing Intel to include this hidden flag so they could disable the ME on their computers). I've used ME_Cleaner on a couple of computers (both with soft-disable and full removal) and never had any problems. However, it's a pretty complicated procedure requiring external flashing of the BIOS chip using something like a Raspberry Pi (you'll need to buy a SOIC clip and some short wires).

3. Assuming your unRAID box is behind a NAT firewall, you can also simply block access to ports 16992-16993 (which are the ports Intel ME listens on).

EDIT: For clarity, the ASUS Intel ME update tool updates the Intel ME firmware partition independently of the rest of the BIOS. I really wouldn't try to run it through a VM. You can try something like this instead: https://www.flamingspork.com/blog/2017/11/22/updating-windows-management-engine-firmware-on-a-lenovo-without-a-windows-install/

Edited by death.hilarious
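As an added example (not part of this thread, and not the Intel or ASUS tool), here is a Python check for the firewall advice in item 3: run it from another machine on the LAN against the unRAID box to confirm that the two AMT ports really are unreachable. It assumes the AMT web UI's well-known "Intel(R) Active Management Technology" Server banner; the address 192.0.2.10 is a placeholder.

```python
import socket
import ssl

# The two ports the post says to block (Intel AMT web interface: HTTP and HTTPS).
AMT_PORTS = {16992: "http", 16993: "https"}
PROBE = b"GET / HTTP/1.1\r\nHost: amt-check\r\nConnection: close\r\n\r\n"

def classify_response(data: bytes) -> str:
    """Classify what answered on an AMT port from the raw bytes it sent back.
    The AMT web server names itself in its Server header (known banner)."""
    head = data.split(b"\r\n\r\n", 1)[0].lower()
    if not head.startswith(b"http/"):
        return "open-unknown"            # something answered, but not HTTP
    if b"intel(r) active management technology" in head:
        return "amt-exposed"             # the ME is reachable: the block failed
    return "open-other-http"             # a different service happens to use the port

def probe_port(host: str, port: int, scheme: str, timeout: float = 3.0) -> str:
    """Connect to host:port, send a minimal GET and classify the reply."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:                      # refused, timed out or filtered
        return "closed-or-filtered"      # the state you want behind the firewall
    try:
        if scheme == "https":
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE  # AMT uses a self-signed cert; we only read the banner
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(PROBE)
        data = b""
        while len(data) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
        return classify_response(data)
    except OSError:                      # ssl.SSLError is an OSError subclass
        return "open-unknown"
    finally:
        sock.close()

def check_host(host: str) -> dict:
    """Probe both AMT ports on one host; returns {port: verdict}."""
    return {port: probe_port(host, port, scheme) for port, scheme in AMT_PORTS.items()}

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder address
    for port, verdict in check_host(target).items():
        print(f"{target}:{port} -> {verdict}")
```

"closed-or-filtered" on both ports is the result you want to see; "amt-exposed" means the ME answered and the rule (or the secondary-NIC mitigation) is not doing its job.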
