How can I run the INTEL-SA-00075 discovery tool via K1000?
In case you haven't heard, there is a pretty bad remote hijacking flaw impacting Intel. Intel created a discovery tool that you can run on the network to determine which systems are impacted (I already know several of our Dell desktops are). The tool comes as a .zip file with some files in it, including one called Intel-SA-00075-console.exe. When you run this tool, it creates a new registry key under HKLM\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool that stores the results of the scan. You can also store the results in an XML file in the directory that the Intel-SA-00075-console.exe file executed from, using one of the command line options. There's quite a bit of output that you have to look through to see if your system is vulnerable (not just 1 line of output).
If you are running Intel SCS suite then it looks like you can get the results in your management console, but I am not. I figured this would be a perfect thing to use the K1000 for but I really don't know where to start. I know I need to deploy this software to each PC on my network, run it, then have a report to collect the results.
Has anyone begun tackling this yet?
References:
Slashdot: https://hardware.slashdot.org/story/17/05/07/2034245/intels-remote-hijacking-flaw-was-worse-than-anyone-thought
Intel: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
Intel Detection Guide: Intel detection guide PDF
TIA...
Posted by:
shells
7 years ago
Also, is the ACUConfig.exe only available if you have Intel SCS (which I don't)? Correct me if I am wrong, but Intel SCS is something you have to pay for?
Sorry if these are basic questions this is the first time I have ever heard of any of these services. Thx. - shells 7 years ago
I have been googling on and off all day and I came across this article which does a much better job of explaining the process of disabling AMT.
https://mattermedia.com/blog/disabling-intel-amt/
But I still need to figure out which machines on my network are vulnerable. - shells 7 years ago
http://i.imgur.com/DeaZkwU.png
I threw in the firewall rules just to be sure. Though I'm confused about whether that matters, since AMT hardware is sort of independent.
Then I ran the detection tool from intel:
http://i.imgur.com/22GbcoF.png
That creates an XML on the local machine. I then wrote a batch file to copy all of the XMLs to a central place and used Excel to correlate the 200 or so files into a spreadsheet I could do something with.
http://i.imgur.com/MeyxD5Q.png
Detection results are spotty. If you didn't do things in exactly the right order, it won't show as unprovisioned. Like if you get rid of the LMS first. Then you can't unprovision. I had issues when trying the ACUConfig tool. More success with the unprovisionTool.
Hopefully this will hold til 17th/24th, when new bios updates come out for my models.
http://en.community.dell.com/techcenter/extras/m/white_papers/20443914 - five. 7 years ago
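As an added example (not code posted by anyone in this thread), here is a PowerShell collector that does what the batch-file-plus-Excel approach above does: it copies whatever XML the discovery tool left behind and exports the registry key the tool writes (the HKLM path is the one given in the question) to a central share, one CSV row per host. The share path is a placeholder, the registry value names are not assumed (every value under the key is exported as-is), and the XML is searched recursively because on KACE it can land in a Windows\ subfolder of the dependency directory.

```powershell
# Added example, not from the original thread. Collect INTEL-SA-00075
# discovery results from this machine into a central share.
# Assumptions (labelled): the discovery tool has already run on this host,
# $Share is a placeholder you replace, and the registry value names are
# whatever the tool wrote (exported generically, no schema assumed).
param(
    # Directory the tool ran from; on KACE point this at the dependency dir.
    # The XML may sit in a Windows\ subfolder, so we search recursively.
    [string]$ToolDir = "$env:ProgramData\IntelSA00075",
    # Placeholder central share (constructed value, replace with your own).
    [string]$Share   = '\\FILESERVER\SA00075$'
)

$ErrorActionPreference = 'Stop'
$computer = $env:COMPUTERNAME
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Copy any XML the tool produced, prefixed with the hostname so files
#    from a few hundred machines do not collide in the share.
$xmlDest = Join-Path $Share 'xml'
New-Item -ItemType Directory -Path $xmlDest -Force | Out-Null
Get-ChildItem -Path $ToolDir -Filter '*.xml' -Recurse -File | ForEach-Object {
    Copy-Item -Path $_.FullName -Destination (Join-Path $xmlDest "$computer-$($_.Name)") -Force
}

# 2. Export the registry key the tool writes (path from the question) as one
#    CSV row per host, so the rows can be appended into a single sheet.
$key = 'HKLM:\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool'
$row = [ordered]@{ Host = $computer; Collected = $stamp }
if (Test-Path -Path $key) {
    $props = Get-ItemProperty -Path $key
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |   # drop PSPath, PSParentPath, etc.
        ForEach-Object { $row[$_.Name] = [string]$_.Value }
} else {
    # No key means the tool has not run here (or ran without writing results).
    $row['Error'] = 'Registry key not found; has the discovery tool run on this host?'
}
$csvDest = Join-Path $Share 'csv'
New-Item -ItemType Directory -Path $csvDest -Force | Out-Null
[pscustomobject]$row | Export-Csv -Path (Join-Path $csvDest "$computer.csv") -NoTypeInformation
```

On the collecting side, `Import-Csv` over the csv folder followed by `Export-Csv` gives the single spreadsheet to filter on. One caveat: if some hosts wrote the Error row and others the full set of values, the column sets differ, and `Export-Csv` takes its header from the first object, so sort the error rows out (or into their own file) before merging.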
I found in the reports under devices "amt configured". I set that to TRUE and get no results. If I set it to not true, I get a lot of results. But I know for a fact that I have about 20 machines that showed "vulnerable" when we ran the Intel discovery GUI tool.
This leads me to believe that if Intel AMT is present, it probably needs to just be disabled completely until the BIOS update.
I just went through all the smart label choices to look for something that checks for running services (like LMS) but I didn't see anything. I do see the same choices I had for reports but I didn't see specifically AMT enabled as a choice anywhere. - shells 7 years ago
http://i.imgur.com/JD9mgCG.png
Once you've done your search, you can select the machines and do Choose Action - Apply Label. Note this is a static label, not a smart label.
http://i.imgur.com/cHotERJ.png
You can also create a smart label, steps to do that are below. Same search criteria as before.
http://i.imgur.com/Pmp5le9.png - five. 7 years ago
I was confusing myself thinking I needed to create a managed install. I didn't realize that a script allowed you to just attach the file (hand smashing forehead).
Some of my systems don't have LMS, but they show up in the smart label. So the unprovisiontool is showing those as failures because it's getting hung up on these lines. I'll have to play with this a bit more.
For the detection scan, I had to put a line in to unzip the file (not sure why). When the file was unzipped the Intel-SA-00075.exe was not in the top level KACE_DEPENDENCY_DIR, it was under KACE_DEPENDENCY_DIR\Windows.
Same for the .xml creation, it put the file under KACE_DEPENDENCY_DIR\Windows.
Everything is working like a champ, so I'll be testing this on more systems Monday (I'm out of town starting tomorrow). - shells 7 years ago
In my environment all the machines run as users, not as admins and UAC is turned on. So we have to use scripts for everything and not managed installs. - five. 7 years ago
So if LMS is not running as a service, then I don't need to worry about all this and just apply the bios upgrade when it comes out? - shells 7 years ago
Status: Pre Provisioning
Configuration Mode: Enterprise Mode
Control Mode: None
Should we still be running the unprovisioning? Does it have to be provisioned and running LMS as a service? How do I know if I need to take action? - greggel 7 years ago
I suspect the status of "pre provisioning" just means you aren't using AMT (like me) and if we were actually using it we would have a status of configured or something along those lines.
My plan is to upgrade BIOS on the ones that are showing vulnerable. The systems that show they are ok, I'll leave them alone. - shells 7 years ago