Posted on

Intel Management Engine Vulnerability Update

Last Updated On February 05, 2018
You are here:

Updated: February 5th, 2018

This is an update to a previously posted Knowledge Base article.

Protectli is aware of the recently published Intel® ME/TXE/SPS Elevation of Privileges vulnerabilities and we have been working diligently to address / mitigate these vulnerabilities on affected platforms.  The impacted platforms do include chipsets that Protectli uses in our Vault products. The only Protectli products which are vulnerable are the FW6 Series. We now have a BIOS update that fixes the issue on the FW6 Series. Further details are below.

We have tested each of our products using Intel’s vulnerability assessment tool Intel-SA-00086 Detection Tool and have found that some of our products are not vulnerable, but others are:

Products tested which are NOT vulnerable:

FW1 Series (Intel® J1900 CPU)

FW2 Series (Intel® J1800 CPU)

FW4 Series (Intel®E3845 CPU)

Bay Trail CPU’s (each of those noted above) do NOT have Intel® ME, SPS, or TXE and additionally tested “Not Vulnerable” with Intel’s Detection Tool (here).

Products tested which are potentially vulnerable:

FW6A Series (Intel 3865U CPU)

FW6B Series (Intel 7100U CPU)

FW6C Series (Intel 7200U CPU)

We have tested these models with Intel’s vulnerability assessment tool (Intel-SA-00086 Detection Tool) and they do report potential vulnerabilities.  We have an updated BIOS which addresses the vulnerabilities and now reports “not vulnerable”. See this link for instructions on how to update the FW6 Series BIOS to address these issues.

It is important to note that even without the updated BIOS, as per Intel’s guidance, only one of the identified vulnerabilities (CVE-2017-5712) is exploitable remotely over the network in conjunction with a valid administrative Intel® Management Engine credential. The vulnerability is not exploitable if a valid administrative credential is unavailable.

As a result, exposure in Protectli’s products is low-risk, provided that the user keeps their device under their physical control. However, Protectli recommends a BIOS update despite the low-risk nature of the vulnerability.

For further information, or if there are any questions, please feel free to reach out to Protectli Support.