C3 provides Fixlet/Analysis for Intel SA 00075 (Intel Management Engine Vulnerability)

Hello!

Just wanted to drop a note about a quick-release of a Fixlet/Analysis for detecting Intel SA 00075: Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege.

This requires the use of a probe first:
Invoke - Intel SA 00075 Probe - Windows

The results are then available in an Analysis and a Warning Fixlet
Vulnerabilities - Intel SA 00075 - Windows
Warning - Intel Management Engine Vulnerability SA 00075 Exposure - Windows

You can then remediate the Vulnerability with the following Fixlets:
Invoke - Intel SA 00075 Unprovision Active Management Technology - Windows
Invoke - Intel SA 00075 Remove Local Management Service - Windows

To use this content simply:

  1. Action the Fixlet: Invoke - Intel SA 00075 Probe - Windows against your devices. This populates some information in the Registry.
  2. Activate the Analysis: Vulnerabilities - Intel SA 00075 - Windows. This will populate with Vulnerable and Exposed information for your endpoints.
  3. Use the Fixlet: Invoke - Intel SA 00075 Unprovision Active Management Technology - Windows to unprovision AMT on the Computers.
  4. Reboot the Computers and re-run the Probe.
  5. Use the Fixlet: Invoke - Intel SA 00075 Remove Local Management Service - Windows to remove the LMS Service

The reason you should reboot between un-provisioning AMT and removing LMS is to verify that AMT has been unprovisioned prior to removing LMS, per Intel's remediation guide. You cannot reliably run the Intel SA 00075 Probe after un-provisioning until a reboot has occurred, per Intel's Unprovisioning guide.

You can also access these on Github in the C3 Inventory repository.

Please don’t hesitate to reach out if you have any issues or suggestions for this content!

Bill


Nice work! I was just about to do something similar.

Related:


Thanks for making this available for us!
If I understand correctly, the probe would download INTEL SA 00075 to all computers, as it only checks if it's Windows and has an Intel processor, but isn't there a relevance to just check if INTEL SA 00075 is already installed first?

Hi,

I can utility cache the zip if you’re concerned about repeat downloads but as far as I can tell you can’t install the Intel tool? It seems to be a bunch of executables in a zip – is there an installer?

Bill

Hi,

It is possible that some servers already have the Intel SA 00075 and I'm trying to check that with relevance, like:

exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\ME Firmware Information" of registry

Actually I didn’t know if there is an installer or not. But it definitely needs to output to the registry right?
That's all my concern and I'm grateful you wrote this fixlet and launched the topic :)

So those are just the results of the last scan. Unfortunately Intel doesn't pop the Exposed/Vulnerable information into the registry – you only get that information from the command line output.

You will need to re-run the scan periodically to capture newly vulnerable/exposed machines as well as patched/remediated machines.

This Fixlet runs the tool with command line output, gathers the vulnerable/exposed result into the registry, and makes that info available for the analysis. For this reason just running the original tool isn’t enough to pull the data into BigFix.

The Tool itself just puts the versions of the components and service states into the registry – if someone knows the exact combo of components and service states that yield exposed and vulnerable then we can start using the output from the original tool :)

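The pattern Bill describes above (run the discovery tool, read its console output, and put the Vulnerable/Exposed verdicts into the registry where an Analysis can pick them up) as an added PowerShell example. This is not the C3 Fixlet's code and not Intel's tool; it only illustrates the approach. The tool path, the hypothetical result key `HKLM:\SOFTWARE\ExampleOrg\SA00075`, and the text patterns used to find the verdicts are all assumptions, because the tool's real output format is not shown in this thread, and the sample output is constructed for the example.

```powershell
# Added example (not the C3 content or Intel's tool): wrap a console scanner,
# parse its output for the verdicts, and persist them for a registry-based Analysis.
#
# Assumptions, none of which come from the thread:
#   - $ToolPath is where the discovery tool executable was unzipped.
#   - The verdicts appear in the output as "... is vulnerable" / "... is not vulnerable"
#     and "... is exposed" / "... is not exposed". Tighten the patterns once you
#     have seen the real tool's output.
#   - HKLM:\SOFTWARE\ExampleOrg\SA00075 is a hypothetical result key.
param(
    [string]$ToolPath  = 'C:\Temp\SA00075\Intel-SA-00075-Discovery-Tool.exe',  # assumed path
    [string]$ResultKey = 'HKLM:\SOFTWARE\ExampleOrg\SA00075',                  # hypothetical key
    [switch]$UseSampleOutput                                                   # offline dry run
)

function ConvertFrom-Sa00075Output {
    param([string[]]$Lines)
    # Default to Unknown so a crashed tool or changed format is never reported as "No".
    $result = [ordered]@{ Vulnerable = 'Unknown'; Exposed = 'Unknown' }
    foreach ($line in $Lines) {
        # The optional "not" group decides the verdict; "not vulnerable" also
        # contains "vulnerable", so a plain keyword search would get this wrong.
        if ($line -match '(?i)\bis\s+(not\s+)?vulnerable\b') {
            $result.Vulnerable = if ($Matches[1]) { 'No' } else { 'Yes' }
        }
        if ($line -match '(?i)\bis\s+(not\s+)?exposed\b') {
            $result.Exposed = if ($Matches[1]) { 'No' } else { 'Yes' }
        }
    }
    return $result
}

function Save-Sa00075Result {
    param($Result, [string]$Key)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name 'Vulnerable' -Value $Result.Vulnerable
    Set-ItemProperty -Path $Key -Name 'Exposed'    -Value $Result.Exposed
    # A scan timestamp lets the Analysis flag stale results; the thread notes that
    # the scan must be re-run to catch newly vulnerable or remediated machines.
    Set-ItemProperty -Path $Key -Name 'LastScanUtc' -Value (Get-Date).ToUniversalTime().ToString('o')
}

# Constructed sample output, used only with -UseSampleOutput.
$constructedSample = @(
    'Discovery tool sample output (constructed for this example)',
    'Local Management Service: running',
    'Risk assessment: this system is vulnerable.',
    'Risk assessment: this system is exposed.'
)

if ($UseSampleOutput) {
    $lines = $constructedSample
} else {
    # The tool is a console executable per the thread; capture stdout and stderr as text.
    $lines = & $ToolPath 2>&1 | ForEach-Object { $_.ToString() }
}

$verdict = ConvertFrom-Sa00075Output -Lines $lines
Save-Sa00075Result -Result $verdict -Key $ResultKey
'Vulnerable={0} Exposed={1} written to {2}' -f $verdict.Vulnerable, $verdict.Exposed, $ResultKey
```

Run it with `-UseSampleOutput` from an elevated prompt to exercise the parser and the registry write without the tool present. An Analysis property could then read the stored verdict with relevance such as `value "Vulnerable" of key "HKEY_LOCAL_MACHINE\SOFTWARE\ExampleOrg\SA00075" of native registry` (the key name is the same hypothetical one used above).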