On November 22, I reported a security flaw for the Intel Management Engine interface (aka MEI). On Wednesday afternoon, my motherboard vendor, Asrock, posted an MEI update for the affected system’s motherboard. After I downloaded and applied that fix, it was unclear if that fix did the trick. That’s why I entitled this blog post “More MEI Weirdness.” Even after Asrock’s APP Shop auto-update applied, Intel still reported the system vulnerable.
How More MEI Weirdness Manifests, Then Gets Fixed
Here’s what makes the situation weird. Device Manager says my MEI driver version is 184.108.40.2065, dated 10/3/17. The Intel scanning tool says I’m still vulnerable, but reports the version as 220.127.116.116, dated 9/1/16. I’m not sure if that report is valid, given that the update presumably patches this vulnerability. However, when I check around online I find an Asrock web page named “Intel Firmware Vulnerability Intel-SA-00086.” It not only matches the ID for Intel’s security advisory, it also includes a firmware update tool to a different MEI version — namely 18.104.22.16825.
This installs on my production system like a champ. And when I run the Intel detection tool again, Intel-SA-00086-GUI.exe, it says the vulnerability is patched. Asrock may have issued the initial fix to address some other kind of problem. OTOH, the fix it issued through APP Shop may be the wrong one, or not working properly. I can’t tell.
Whatever the cause of the initial weirdness, the system is no longer vulnerable to this exploit. Interestingly, the Intel SA86 error check tool still reports the Intel Management Engine at version 22.214.171.1246. Device Manager still shows it as 126.96.36.1995. I’m wondering if that means the Intel tool is reading firmware that’s different from the driver info that Windows 10 maintains. I just don’t know what’s up with that.
Thus, some degree of weirdness continues. But because the Intel tool gives my system a clean bill of health, I’m content to let it ride without trying to fix things further. I may try to figure out how to clear the error message about the Capability Licensing Service Client, though…