
Scripting Question

How can I run the INTEL-SA-00075 discovery tool via K1000?

05/08/2017 3330 views
In case you haven't heard, there is a pretty bad remote hijacking flaw impacting Intel. Intel created a discovery tool that you can run on the network to determine which systems are impacted (I already know several of our Dell desktops are). The tool comes as a .zip file with some files in it, including one called Intel-SA-00075-console.exe. When you run this tool, it creates a new registry key under HKLM\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool that stores the results of the scan. You can also store the results in an XML file in the directory that the Intel-SA-00075-console.exe file executed from using one of the command line options. There's quite a bit of output and you have to look at it to see if your system is vulnerable (not just 1 line of output).

If you are running Intel SCS suite then it looks like you can get the results in your management console, but I am not.  I figured this would be a perfect thing to use the K1000 for but I really don't know where to start.  I know I need to deploy this software to each PC on my network, run it, then have a report to collect the results. 

Has anyone begun tackling this yet? 

References:
Slashdot:  https://hardware.slashdot.org/story/17/05/07/2034245/intels-remote-hijacking-flaw-was-worse-than-anyone-thought
Intel:  https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
Intel Detection Guide:  Intel detection guide PDF

TIA...
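The post above describes what the discovery tool leaves behind (a registry key and, optionally, an XML file beside the .exe) but not how to get that off each PC. The following PowerShell script is an added example, not code from the original post or from Intel or Quest: attached to a K1000 script together with the tool's zip, it locates Intel-SA-00075-console.exe anywhere under the dependency folder (the zip may unpack into a nested subfolder), runs it, reads back whatever the tool wrote under the registry key named in the post, and copies one CSV row plus any XML output to a central share. The share path is hypothetical, the script assumes it runs elevated, and the XML-output switch is not named on the page, so it is passed in as a parameter (take it from Intel's detection guide) rather than guessed here.

```powershell
<#
  Added example (not from the original post). Run the INTEL-SA-00075 discovery
  tool from a K1000 script dependency folder and ship its results to a share.
  Assumptions not on the page: the share path, elevated execution, and the
  XML-output switch, which you supply via -ToolArgs.
  Suggested K1000 step: Launch a program -> powershell.exe
    -ExecutionPolicy Bypass -File "$(KACE_DEPENDENCY_DIR)\Collect-SA00075.ps1"
#>
param(
    [string]$DependencyDir,                                 # defaults to this script's own folder
    [string]$ResultShare = '\\fileserver\amt-results',      # hypothetical collection share
    [string[]]$ToolArgs  = @()                              # e.g. the XML-output switch from Intel's guide
)
$ErrorActionPreference = 'Stop'
if (-not $DependencyDir) { $DependencyDir = Split-Path -Parent $MyInvocation.MyCommand.Path }

# The zip can unpack with an extra subfolder, so search the whole tree for the console tool.
$exe = Get-ChildItem -Path $DependencyDir -Recurse -Filter 'Intel-SA-00075-console.exe' |
       Select-Object -First 1
if (-not $exe) { throw "Intel-SA-00075-console.exe not found under $DependencyDir" }

# Run from the tool's own directory so the optional XML lands beside the .exe.
Push-Location $exe.DirectoryName
try { & $exe.FullName @ToolArgs | Out-Null } finally { Pop-Location }

# Registry key the tool writes its scan results to (path as given in the post).
$key = 'HKLM:\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool'
$row = New-Object PSObject
$row | Add-Member -MemberType NoteProperty -Name ComputerName -Value $env:COMPUTERNAME
$row | Add-Member -MemberType NoteProperty -Name ScanTime     -Value (Get-Date -Format s)
if (Test-Path $key) {
    # Copy every value under the key; the value names are whatever the tool wrote,
    # so they are not hard-coded here. PS* properties are provider metadata, skip them.
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notmatch '^PS') {
            $row | Add-Member -MemberType NoteProperty -Name $p.Name -Value ([string]$p.Value)
        }
    }
} else {
    $row | Add-Member -MemberType NoteProperty -Name Error -Value 'registry key not present (tool did not run or is not supported here)'
}

# One folder per machine on the share: the registry row as CSV plus any XML the tool wrote.
$dest = Join-Path $ResultShare $env:COMPUTERNAME
New-Item -ItemType Directory -Path $dest -Force | Out-Null
$row | Export-Csv -Path (Join-Path $dest 'registry.csv') -NoTypeInformation
Get-ChildItem -Path $exe.DirectoryName -Filter '*.xml' | Copy-Item -Destination $dest -Force
```

The CSV and XML end up under a per-hostname folder, so a later pass can merge the files across the fleet; the script writes the registry values verbatim rather than deciding "vulnerable" itself, because, as the post says, the verdict is spread over several fields.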

Comments

  • I'm going to create a smart label for computers with the LMS service. Then I will create a Kscript to run ACUConfig.exe UnConfigure, followed by sc config LMS start= disabled and sc delete LMS
  • Thanks for the response. I spot checked a few systems and see LMS running as a service. Will deleting that service take care of the issue? If so, what is impacted by removing it?

    Also, is the ACUConfig.exe only available if you have Intel SCS (which I don't)? Correct me if I am wrong, but Intel SCS is something you have to pay for?

    Sorry if these are basic questions this is the first time I have ever heard of any of these services. Thx.
  • I'm not familiar with Intel AMT either. I also noticed 2 built-in reports in the K1000 which show which machines have Intel AMT and also the status.
  • Hmmm, I did not see any bulletins on my K1000. What version are you running? I am on an older version 6.4.

    I have been googling on and off all day and I came across this article which does a much better job of explaining the process of disabling AMT.

    https://mattermedia.com/blog/disabling-intel-amt/

    But I still need to figure out which machines on my network are vulnerable.
  • The latest 7.1. The reports module has 2 Intel AMT reports.
  • This is the way that I did it. Pretty much what @flip1001 said. I created a smart label that said Intel AMT enabled = TRUE. That was the subset I ran everything against. Instead of doing the ACUConfig, I used the unprovisionTool that Intel released and did the other steps in the mitigation guide.
    http://i.imgur.com/DeaZkwU.png

    I threw in the firewall rules just to be sure. Though there is confusion whether that matters, since AMT hardware is sort of independent.

    Then I ran the detection tool from intel:
    http://i.imgur.com/22GbcoF.png

    That creates an XML on the local machine. I then wrote a batch file to copy all of the XMLs to a central place and used Excel to correlate the 200 or so files into a spreadsheet I could do something with.
    http://i.imgur.com/MeyxD5Q.png

    Detection results are spotty. If you didn't do things in exactly the right order, it won't show as unprovisioned. Like if you get rid of the LMS first. Then you can't unprovision. I had issues when trying the ACUConfig tool. More success with the unprovisionTool.

    Hopefully this will hold till the 17th/24th, when new BIOS updates come out for my models.
    http://en.community.dell.com/techcenter/extras/m/white_papers/20443914
  • five - thank you, the screen shots really help out. I am still tripping up on the smart label though and I don't know why.

    I found in the reports under devices "amt configured". I set that to TRUE and get no results. If I set it to not true, I get a lot of results. But I know for a fact that I have about 20 machines that showed "vulnerable" when we ran the Intel discovery GUI tool.

    This leads me to believe that if Intel AMT is present, it probably needs to be disabled completely until the BIOS update.

    I just went through all the smart label choices to look for something that checks for running services (like LMS) but I didn't see anything. I do see the same choices I had for reports but I didn't see specifically AMT enabled as a choice anywhere.
  • I can send screenshots tomorrow, but I just did an advanced search on the inventory screen. For the field I started typing AMT and one of them said enabled. I chose true and created a label from there.
  • I was wrong it says "AMT Supported", not configured.
    http://i.imgur.com/JD9mgCG.png

    Once you've done your search, you can select the machines and do Choose Action - Apply Label. Note this is a static label, not a smart label.
    http://i.imgur.com/cHotERJ.png

    You can also create a smart label, steps to do that are below. Same search criteria as before.
    http://i.imgur.com/Pmp5le9.png
  • YES! that worked... Now I will go put all the pieces together and let you know if it worked. THANK YOU!!!!
  • I got a little tripped up on a couple things but I think I have it all sorted now.

    I was confusing myself thinking I needed to create a managed install. I didn't realize that a script allowed you to just attach the file (hand smashing forehead).

    Some of my systems don't have LMS but they show up in the smart label. So the unprovisiontool is showing those as failures because it's getting hung up on these lines. I'll have to play with this a bit more.

    For the detection scan, I had to put a line in to unzip the file (not sure why). When the file was unzipped the Intel-SA-00075.exe was not in the top level KACE_DEPENDENCY_DIR, it was under KACE_DEPENDENCY_DIR\Windows.

    Same for the .xml creation, it put the file under KACE_DEPENDENCY_DIR\Windows.

    Everything is working like a champ so I'll be testing this on more systems Monday (i'm out of town starting tomorrow).
  • Yea. I had prepared the zip file to eliminate the nested windows directory. If you haven't provisioned or installed LMS, it would have issues probably. But I don't think those machines would be at risk, so nothing to worry about.

    In my environment all the machines run as users, not as admins and UAC is turned on. So we have to use scripts for everything and not managed installs.
  • Good to know. I did spot check some more machines and the Intel detection tool comes back as "vulnerable" but LMS is not running as a service (we do not provision it). However on my new laptop, it was there which was a Dell image.

    So if LMS is not running as a service, then I don't need to worry about all this and just apply the BIOS upgrade when it comes out?
  • That's my take on it. I think it comes out tomorrow at this point.
  • So if our Intel AMT are in:

    Status: Pre Provisioning
    Configuration Mode: Enterprise Mode
    Control Mode: None

    Should we still be running the unprovisioning? Does it have to provisioned and running LMS as a service? How do I know if I need to take action?
    • I can't answer your question but I'll offer my opinion... while my machines are not directly exploitable, they do show vulnerable. So, I will be upgrading the BIOS on all these systems so that other potential exploits don't leverage this security flaw down the road.
      • Are your machines showing similar stats on the K1000? Status: pre provisioning is what I am worried about. Running the checker on a few machines of ours did not come up vulnerable.
  • Yes, in my K1000 all my systems show the same status as yours. In my case, the older systems are showing vulnerable whereas some of my newer laptops are showing that they are NOT vulnerable.

    I suspect the status of "pre provisioning" just means you aren't using AMT (like me) and if we were actually using it we would have a status of configured or something along those lines.

    My plan is to upgrade BIOS on the ones that are showing vulnerable. The systems that show they are ok, I'll leave them alone.
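One commenter above copied every machine's XML to a central place and then correlated the 200-odd files in Excel. The script below is an added example, not code from that comment or from Intel or Quest, that does the correlation step in PowerShell instead: it walks the collection folder, flattens each XML into one row (every leaf element becomes a column named by its path, so nothing about the tool's schema is hard-coded), lines the rows up on the union of all columns, and writes a single CSV. The element names in the sample files are constructed for the demo and are not the discovery tool's real output; the real columns will be whatever the tool writes.

```powershell
<#
  Added example (not from the thread). Merge many INTEL-SA-00075 discovery XML
  files into one CSV without assuming the tool's element names.
  Assumptions: results were copied to one folder tree (any layout), one XML per machine.
#>

# Recursively turn every leaf element of an XML subtree into a NoteProperty on $Row.
# Column name = dotted element path, e.g. Discovery.AMT.Version.
# Repeated sibling elements with the same name overwrite each other (-Force); the
# discovery tool's output is a flat report, so that is acceptable here.
function Add-LeafColumns($Node, $Path, $Row) {
    $children = @($Node.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
    if ($children.Count -eq 0) {
        $Row | Add-Member -MemberType NoteProperty -Name $Path -Value $Node.InnerText.Trim() -Force
        return
    }
    foreach ($c in $children) { Add-LeafColumns $c "$Path.$($c.Name)" $Row }
}

# Parse every *.xml under $InputDir into rows, align columns, export one CSV.
# Returns the number of files merged; malformed files are skipped with a warning.
function Merge-DiscoveryResults {
    param([string]$InputDir, [string]$OutCsv)
    $rows = @()
    foreach ($f in Get-ChildItem -Path $InputDir -Recurse -Filter '*.xml') {
        $doc = New-Object System.Xml.XmlDocument
        try { $doc.Load($f.FullName) } catch { Write-Warning "skipping $($f.FullName): $_"; continue }
        $row = New-Object PSObject
        $row | Add-Member -MemberType NoteProperty -Name Source -Value $f.FullName
        Add-LeafColumns $doc.DocumentElement $doc.DocumentElement.Name $row
        $rows += $row
    }
    # Union of all column names so machines with extra or missing fields still line up.
    $columns = @('Source') + @($rows | ForEach-Object { $_.PSObject.Properties.Name } |
                              Where-Object { $_ -ne 'Source' } | Sort-Object -Unique)
    $rows | Select-Object -Property $columns | Export-Csv -Path $OutCsv -NoTypeInformation
    return $rows.Count
}

# --- Demo on constructed files (element names invented for the demo, not the tool's schema) ---
$demo = Join-Path $env:TEMP 'sa00075-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
<Discovery><Computer_Name>PC-01</Computer_Name><AMT><Version>9.1.30</Version><Control_Mode>None</Control_Mode></AMT><Is_Vulnerable>Yes</Is_Vulnerable></Discovery>
'@ | Set-Content -Path (Join-Path $demo 'PC-01.xml')
@'
<Discovery><Computer_Name>PC-02</Computer_Name><AMT><Version>11.8.50</Version></AMT><Is_Vulnerable>No</Is_Vulnerable></Discovery>
'@ | Set-Content -Path (Join-Path $demo 'PC-02.xml')

$summary = Join-Path $demo 'summary.csv'
$n = Merge-DiscoveryResults -InputDir $demo -OutCsv $summary
"$n result files merged into $summary"
Import-Csv -Path $summary | Format-Table -AutoSize
```

Because the columns are derived from the XML itself, the same script works on the tool's real output; once the CSV exists, filtering it (for example with `Import-Csv summary.csv | Where-Object { $_.'<vulnerable column>' -eq 'Yes' }`) replaces the Excel step, and the Source column tells you which machine each row came from.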

All Answers

I consider this "answered".  Thanks to five for all the help and flip1001 for the initial response.  Now I have to go work on my BIOS update script :-)
Answered 05/16/2017 by: shells
Senior White Belt
