How to identify systems affected by the new Intel Management Engine vulnerabilities 

Dec 01, 2017 09:09 PM

Background information about the Intel Chipset Vulnerabilities

Back in May 2017, external researchers identified a number of critical vulnerabilities affecting the Intel AMT firmware. As a result, Intel performed an in-depth, comprehensive review of the Intel Management Engine (ME), Intel Server Platform Services (SPS), and Intel Trusted Execution Engine (TXE), which identified several further security vulnerabilities that could allow remote attackers to gain full control of a targeted computer, including access to system memory and network adapters, as well as exposing valuable data. See Intel-SA-00086, which was first disclosed on the 20th of November 2017.

The first step in mitigating the risk of attack is to assess the level of exposure. Intel has released a detection tool which can be used in conjunction with Altiris to automate the reporting. Once the data has been collected, we can quickly identify the affected systems that require a firmware update and evaluate the remediation effort.

Here are the steps we are going to cover at very high level:

  1. Create a custom dataclass
  2. Import the Intel detection tool and create a Software resource
  3. Create the Managed Software Delivery Policy
  4. Create the Custom Report

     1. Create a Custom Dataclass

  • In the Altiris Console, click Settings > All Settings. Then expand Discovery and Inventory > Inventory Solution > Manage Custom Dataclasses.
  • Click on '* New Dataclass' and type Intel_SA_00086 in the Name field (this must match the dataclass name used in the script below), then click OK.

  • Highlight the new dataclass and click "Add attribute". Enter a name and select or enter an appropriate Maximum size, set Key to "No", and click OK.
  • Repeat this for each of the 7 attributes (columns) we are collecting: scan date, computer name, manufacturer, model, processor, ME version and system risk. Add them in that order, because the script fills the inventory row by column position (fields 0 to 6).

  • Click Save Changes at the bottom of the Manage Custom Data Classes page.

     2. Download and import the Intel detection tool

  • Download and extract the Intel-SA-00086 Detection Tool. The download contains two versions of the tool: a GUI version and a command-line version. We only need the second one, an executable suitable for bulk discovery that saves the discovery information to the Windows registry.
  • Browse to the extracted folder under C:\....\SA00086_Windows\DiscoveryTool, then copy and paste the script below into a file named MEInfo.vbs and place it in the same folder as the other binaries:
'* ======================================================================================'*
'* Script Name		: MEInfo.vbs
'* Purpose  		: Run the Intel-SA-00086 discovery tool and send its results as custom inventory
'* Notes			: The dataclass name used below must match the custom dataclass created in the console
'* Usage			: Run from the folder that contains Intel-SA-00086-console.exe (the delivery policy does this)
'* Modification Log	: N/A
'* Date					Author				Version				Change
'* 2017-Nov-20		Marcello D'Angelone		 1.0			
'* ======================================================================================'*
On Error Resume Next

Dim objShell
Dim objReg
Dim intExitCode
Const HKEY_LOCAL_MACHINE = &H80000002

strComputer = "."

' Registry keys (under HKLM) and value names written by the discovery tool
strKeyPath1 = "SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool"
strKeyPath2 = "SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool\Hardware Inventory"
strKeyPath3 = "SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool\ME Firmware Information"
strKeyPath4 = "SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool\System Status"
strValueName1 = "Scan Date"
strValueName2 = "Computer Name"
strValueName3 = "Computer Manufacturer"
strValueName4 = "Computer Model"
strValueName5 = "Processor"
strValueName6 = "ME Version"
strValueName7 = "System Risk"

' -c runs the console tool non-interactively
strCommand = "Intel-SA-00086-console.exe -c"

Set objShell = CreateObject("Wscript.Shell")
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

' Run Intel-SA-00086-console.exe: 0 = hide the window, True = wait for the command to complete.
' The tool's own exit code is kept in intExitCode; the results are read back from the registry.
intExitCode = objShell.Run(strCommand, 0, True)

' Err.Number is still zero only if CreateObject, GetObject and Run all succeeded
If Err.Number = 0 Then

    ' Get the string values created by the discovery tool
    objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath1, strValueName1, strScanDate
    objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath1, strValueName2, strCompName
    objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath2, strValueName3, strOEM
    objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath2, strValueName4, strModel
    objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath2, strValueName5, strCPU
    objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath3, strValueName6, strMEVersion
    objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath4, strValueName7, strStatus

    ' Uncomment to check the collected values when testing the script by hand
    'WScript.Echo strScanDate
    'WScript.Echo strCompName
    'WScript.Echo strOEM
    'WScript.Echo strModel
    'WScript.Echo strCPU
    'WScript.Echo strMEVersion
    'WScript.Echo strStatus

Else
    ' The tool could not be started (e.g. not found in the working folder):
    ' exit with a failure code and do not post any inventory
    WScript.Quit(1)
End If


'----------------------------------------
'Create instance of Altiris NSE component
'----------------------------------------
Dim nse
Set nse = WScript.CreateObject("Altiris.AeXNSEvent")

' Set the header data of the NSE
' Please don't modify this GUID
nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}"
nse.Priority = 1

' Create the inventory data block. The custom dataclass is referenced by name here, so it
' must already exist on the Notification Server (see step 1); if you named it differently,
' change the name below.
Dim objDCInstance
Set objDCInstance = nse.AddDataClass("Intel_SA_00086")
'-----{d37ee051-4729-4bfe-84f7-69599747e346}
Dim objDataClass
Set objDataClass = nse.AddDataBlock(objDCInstance)

' Add a new row
Dim objDataRow
Set objDataRow = objDataClass.AddRow
' Set the columns by position: the order must match the attribute order of the dataclass
objDataRow.SetField 0, strScanDate
objDataRow.SetField 1, strCompName
objDataRow.SetField 2, strOEM
objDataRow.SetField 3, strModel
objDataRow.SetField 4, strCPU
objDataRow.SetField 5, strMEVersion
objDataRow.SetField 6, strStatus

' Queue the event for the Altiris Agent to send to the Notification Server
nse.SendQueued

'Wscript.Echo "Done Posting NSE"

Set objShell = Nothing
Set objReg = Nothing
  • Now you need to create a software resource in Altiris. In the Symantec Management Console, select Manage > Software Catalog. When the Software Catalog opens, select Import, then select Add file.
  • Browse to the location where you extracted the detection tool and select all files (the folder containing the language DLL needs to be created separately). Select Create Folder and name it "en", then select Add file again and browse to the en folder where Intel-SA-00086-console-DLL.resources.dll is located.
  • Finally select MEInfo.vbs and click "Set Installation File". You should end up with the console executable, the en folder holding its resource DLL, and MEInfo.vbs marked as the installation file.

  • Click Next. On the Software Details window, type a Company name and Version and click OK; review the package details, then click OK again to close the software resource window.

    3. Create the Managed Software Delivery policy

  1. In the Symantec Management Console, on the Manage menu, click Policies.
  2. In the left pane, under Policies, expand Software > Managed Software Delivery.
  3. In the left pane, right-click the Managed Software Delivery folder, and then click New > Managed Software Delivery.
  4. In the right pane, click and type over the following text: "Windows Custom Inventory - Intel ME Info", and add a description if you wish.
  5. Under Policy Rules/Actions, on the Software tab, click Add. On the Add menu, select Software and Search for the MEInfo.vbs created earlier.
  6. Click Advanced options to display and change additional settings. Select the Run tab and uncheck the "Allow user to interact with installing software" option, then click OK.
  7. Expand the Applied to section to add or change the delivery destinations. See About the destinations for a Managed Software Delivery policy.
  8. Expand the Schedule section to define the delivery schedule. See Schedule settings for Managed Software Delivery.
  9. Turn on the policy. At the upper right of the page, click the colored circle and then click On.
  10. At the bottom of the page, click Save changes.

       4. Create the Custom SQL Report

         The custom dataclass already contains most of the information required; you may want to customize the report further, e.g. by adding the primary user assigned to each host name, as in the example below:

SELECT DISTINCT
    ime.compname AS [Computer Name],
    vc.Domain,
    vc.[User],
    vc.[OS Name],
    ime.[OEM],
    ime.[Model],
    ime.[MEVersion],
    ime.[Status],
    ime.[ScanDate],
    DATEDIFF(dd, ai.[Client Date], GETDATE()) AS [Days since Last Basic Inventory]
FROM vComputer vc
LEFT JOIN Inv_Intel_SA_00086 ime
    ON vc.Guid = ime._ResourceGuid
LEFT JOIN Inv_AeX_AC_Identification ai
    ON ai._ResourceGuid = vc.Guid
ORDER BY ime.ScanDate DESC
  • To create a custom SQL report open the Altiris console and go to Reports>All Reports.
  • Right-click on the folder where the custom report should be created and select New>Report>SQL Report.
  • The new report's edit menu will appear in the right pane. Delete the default query under Parameterized Query and paste in the query above. Give the report an appropriate name and then click Save Changes.
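As an added example (not part of the original post), the report above can be extended with an Assessment column so that hosts with no detection data at all, the real unknowns in an exposure assessment, are called out rather than appearing as blank cells, and affected hosts sort to the top. It assumes that vComputer exposes the agent-reported host name as Name, matches the System Risk text loosely on the word "vulnerable" because the exact wording written by the tool is not given here, and uses 30 days as an arbitrary staleness threshold for the agent's basic inventory.

```sql
-- Added example, not the original report: exposure assessment per host with a
-- fleet-level count per category. Assumptions (not stated in the post): vComputer
-- has a Name column; the tool's System Risk text contains "vulnerable" / "not
-- vulnerable"; 30 days is an arbitrary staleness threshold for basic inventory.
;WITH exposure AS (
    SELECT DISTINCT
        COALESCE(ime.compname, vc.Name)            AS [Computer Name],
        vc.Domain,
        vc.[User],
        vc.[OS Name],
        ime.[OEM],
        ime.[Model],
        ime.[MEVersion],
        ime.[Status]                               AS [System Risk],
        ime.[ScanDate],
        DATEDIFF(dd, ai.[Client Date], GETDATE())  AS [Days since Last Basic Inventory],
        CASE
            -- No row in the custom dataclass: the policy never ran on this host, the
            -- tool failed (MEInfo.vbs exits 1 without posting an NSE), or the NSE
            -- was never processed. Split by whether the agent itself is still reporting.
            WHEN ime._ResourceGuid IS NULL
                 AND DATEDIFF(dd, ai.[Client Date], GETDATE()) > 30
                THEN '1-Not scanned, agent inventory stale (host likely offline)'
            WHEN ime._ResourceGuid IS NULL
                THEN '2-Not scanned, agent active (check policy scope)'
            -- "not vulnerable" must be tested before "vulnerable", which it contains
            WHEN ime.[Status] LIKE '%not vulnerable%'
                THEN '4-Not affected'
            WHEN ime.[Status] LIKE '%vulnerable%'
                THEN '3-Affected, firmware update required'
            ELSE     '5-Review manually (unexpected status text)'
        END                                        AS [Assessment]
    FROM vComputer vc
    LEFT JOIN Inv_Intel_SA_00086 ime
        ON ime._ResourceGuid = vc.Guid
    LEFT JOIN Inv_AeX_AC_Identification ai
        ON ai._ResourceGuid = vc.Guid
)
SELECT
    *,
    -- How many hosts share this assessment: the number to size remediation by
    COUNT(*) OVER (PARTITION BY [Assessment])      AS [Hosts in category]
FROM exposure
ORDER BY [Assessment], [Computer Name];
```

The numeric prefix on each category keeps the unknown and affected hosts at the top of the report when sorted; categories 1 and 2 should shrink to zero before the exposure figure is trusted.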

Once you have determined the level of exposure of your fleet, you will have a better understanding of the effort required for the remediation. The tricky part is installing the firmware on each endpoint; see https://www.intel.com/content/www/us/en/support/articles/000025619/software.html for further details.


Computer manufacturers are publishing information specific to their products, including availability of firmware updates. Advisories for some major manufacturers can be found at the following websites:

Comments

Feb 02, 2018 11:24 AM

Thanks for sharing this Marcello!

Feb 02, 2018 11:14 AM

Quick update,

I have been notified that the newer version of the Intel-SA-00086 Detection Tool contains all the DLLs, so you just need to import a single binary, which has the same name as the original one, Intel-SA-00086-console.exe.

Since the name of the exe is the same you don't need to modify the custom inventory script.
