ML10 Gen9 - latest Intel ME - Vulnerable - as of 21 March 2018

Hi  PaulP-Cambs 

Officially of HPE, have this information about vulnerabilyt 

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesb3p03767en_us

All Bouletins - https://support.hpe.com/portal/site/hpsc/public/kb/secBullArchive

If necessary more informatio do you can report to more information - https://www.hpe.com/h41268/live/index_e.aspx?qid=11503

Hi

That vulnerability appears to relate to the BIOS - I've already patched the BIOS to 1.11.

As far as I can tell the latest Intel ME available is 11.6.27.3264(23 May 2017) here:

https://support.hpe.com/hpsc/swd/public/detail?sp4ts.oid=1008772172&swItemId=MTX_67a275408a9b45aba72ad7cbc1&swEnvOid=4184

Intel's test for Intel ME vulnerabilities returns a result of vulnerable which suggests there should be a patch in HPE's pipeline - Ideally 11.8.50.3425 or higher as per advisory:

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

Intel® Xeon® Processor E3-1200 v5 Product Family
Recommended: Intel® ME 11.8.50.3425 or higher
Minimum: Intel® ME 11.8.50.3399
Intel® SPS 4.1.4.054

Any idea when it might be made available please?

As this is still currently being sold - is it being sold with a known vulnerability for which there is an Intel patch that it doesn't have, or is Intel's patch just not being made available existing owners?

Or is there some other mitigation for the vulnerability Intel report?

Makes Lenovo's TS150 look more attractive for my next purchase - while the Lenvo costs more from my reseller, Lenovo have made the patches available, and worth noting also for their legacy TS140 E-1226v3 which I do have and is patched!