IBM BigFix has released Task 3172 to help identify machines affected by the Intel firmware vulnerability INTEL-SA-00086.
The Task is available on BES Support site version 1373 (and later) and can be used in conjunction with Analysis 3171 to identify and report on vulnerable systems. More details can be found in the Task description field.
We decided to make the fixlet relevant also on virtual systems, in order to let users gain a picture of their environment: machines where the tool provided an answer, and machines that require further analysis because the tool is not effective there.
If you want to prevent the action from running on virtual systems, you can create a custom copy of the task and add a relevance condition like:
not exists true whose (if true then( (((item 0 of it contains "VMware") or ((item 0 of it contains "Microsoft") and not (item 1 of it as lowercase contains "surface")) or (item 0 of it contains "Xen")) of ((value "manufacturer" of it as string, value "product_name" of it as string) of structure "system_information" of smbios))) else false)
This is the same condition used internally by the action to detect if the system is virtual and generate a corresponding result that will be collected by the analysis.
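The SMBIOS condition above, re-implemented as an added Python example (not the task's own code) so it can be tried outside BigFix. On Linux the same manufacturer and product strings are exposed under /sys/class/dmi/id as sys_vendor and product_name; the sample vendor/product pairs are constructed. The last sample illustrates a caveat: a QEMU/KVM guest matches none of the three vendor strings, so the clause treats it like a physical machine and the tool would still run there.

```python
"""Decide whether a host counts as virtual under the task's SMBIOS test.

Added example, not code from task 3172: it re-implements the relevance
clause (VMware, Microsoft unless the product is a Surface, Xen) in Python.
The sample vendor/product pairs below are constructed for illustration.
"""
from pathlib import Path


def is_virtual(manufacturer, product_name):
    """Same three vendor checks as the relevance clause. 'contains' is
    case-sensitive, except for the Surface exclusion which lowercases first."""
    if "VMware" in manufacturer:
        return True
    if "Microsoft" in manufacturer and "surface" not in product_name.lower():
        return True
    return "Xen" in manufacturer


def read_dmi(dmi_dir="/sys/class/dmi/id"):
    """Read the SMBIOS system_information strings the way a Linux host exposes
    them (sys_vendor, product_name); empty strings when sysfs is not available."""
    base = Path(dmi_dir)

    def field(name):
        path = base / name
        return path.read_text(errors="replace").strip() if path.is_file() else ""

    return field("sys_vendor"), field("product_name")


# Constructed samples: (manufacturer, product_name, verdict the clause should give).
SAMPLES = [
    ("VMware, Inc.", "VMware Virtual Platform", True),
    ("Microsoft Corporation", "Virtual Machine", True),      # Hyper-V guest
    ("Microsoft Corporation", "Surface Pro 4", False),       # physical Surface device
    ("Xen", "HVM domU", True),
    ("Dell Inc.", "OptiPlex 7050", False),
    ("QEMU", "Standard PC (Q35 + ICH9, 2009)", False),        # KVM guest: not covered by the clause
]


def check_samples():
    """Return the samples whose verdict differs from the clause's answer (expected: none)."""
    return [(m, p) for m, p, want in SAMPLES if is_virtual(m, p) != want]


if __name__ == "__main__":
    vendor, product = read_dmi()
    verdict = "virtual" if is_virtual(vendor, product) else "not matched as virtual"
    print("this host:", repr(vendor), repr(product), "->", verdict)
    print("sample mismatches:", check_samples())
```

Run it on a Linux endpoint to see what the clause would decide for that machine; on Windows the same two strings come from the Win32_ComputerSystem Manufacturer and Model properties, which is what the BigFix smbios inspector reads on either platform.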
Hi,
I tried this action but it did not work. I think the checksum for caching is not correct, for both files (SA00086_Windows.zip, SA00086_Linux.tar.gz).
Thanks, Andreas
Intel has just updated the tool and the hashes no longer match. We are testing the new tool version internally and plan to release an updated task soon. We will continue to monitor the Intel binaries and release task updates as needed.
There are no known issues with the current version of the task; the Intel tool may hang if you run it on virtual machines, or if some requirements are missing, such as the HECI driver. On how many targets do you have issues? What kind of OSes and Intel CPUs?
Yes, we are aware of the issue and we are testing the updated fixlet. Besides updating the hashes, we are also performing testing to verify whether the tool behavior has changed in any way.
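To check whether a downloaded copy of the Intel tool still matches a task's prefetch line, and to produce the replacement line once the new binaries have been vetted, here is an added Python example (not BigFix code). It assumes the prefetch syntax used in task 3172, `prefetch <name> sha1:<hex> size:<bytes> <url> sha256:<hex>`, treats the sha256 field as optional, and uses a constructed payload and URL. Keeping the sha256 in a custom copy is worth the extra step: a line carrying only sha1 and size is accepted by the client, but sha1 is the weaker of the two digests.

```python
"""Generate and verify BigFix prefetch lines for a downloaded file.

Added example, not part of task 3172. It builds a prefetch line with all
three checks (sha1, size, sha256) from local bytes, and verifies bytes
against an existing line, reporting when the line carries no sha256.
The payload and URL in the usage section are constructed.
"""
import hashlib
import re

# prefetch <name> sha1:<40 hex> size:<digits> <url> [sha256:<64 hex>]
PREFETCH_RE = re.compile(
    r"^prefetch\s+(?P<name>\S+)\s+sha1:(?P<sha1>[0-9a-fA-F]{40})\s+size:(?P<size>\d+)"
    r"\s+(?P<url>\S+)(?:\s+sha256:(?P<sha256>[0-9a-fA-F]{64}))?\s*$"
)


def prefetch_line(name, data, url):
    """Build the prefetch line for `data`, including sha256 so the stronger digest is enforced."""
    sha1 = hashlib.sha1(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    return f"prefetch {name} sha1:{sha1} size:{len(data)} {url} sha256:{sha256}"


def verify_prefetch(line, data):
    """Compare `data` with the digests and size in `line`.

    Returns a dict with one entry per check; 'sha256' is None when the line
    does not carry one (as in a sha1+size-only workaround line), and 'ok' is
    True only when every check that is present passes.
    """
    m = PREFETCH_RE.match(line.strip())
    if not m:
        raise ValueError("not a prefetch line: %r" % line)
    result = {
        "name": m["name"],
        "sha1": hashlib.sha1(data).hexdigest() == m["sha1"].lower(),
        "size": len(data) == int(m["size"]),
        "sha256": (hashlib.sha256(data).hexdigest() == m["sha256"].lower()) if m["sha256"] else None,
    }
    result["ok"] = result["sha1"] and result["size"] and result["sha256"] is not False
    return result


if __name__ == "__main__":
    # Constructed payload standing in for a downloaded SA00086 archive.
    payload = b"abc"
    line = prefetch_line("SA00086_Windows.zip", payload, "https://example.invalid/SA00086_Windows.zip")
    print(line)
    print(verify_prefetch(line, payload))
    print(verify_prefetch(line, payload + b"!"))  # a changed download fails every digest
```

For a real task, feed the bytes of the file fetched from the URL in the task (after checking it out of band) to `prefetch_line`, and paste the result over the old prefetch line in the custom copy.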
We had a customer scan roughly 5k Windows endpoints that had .NET 4.5 installed and all but a few hundred got back an exit code of 10. Any ideas on why and where to start troubleshooting?
As I responded to @kjhoffs separately, the exit code of 10 is a catch-all past the .NET 4.5 check, so we will need more information to know what is wrong; it could be due to air gaps or other things (air-gapped systems don't get trusted root key updates easily, for example).
As a workaround, you can create a custom copy of task 3172 and change the following lines:
in the Windows section, replace: prefetch SA00086_Windows.zip sha1:03064f9aaaa1da27b00ed50cabcefb3eb64e8c6d size:4114513 https://downloadmirror.intel.com/27150/eng/SA00086_Windows.zip sha256:0fad4453e142ef9f557abee8e6f6341f22da0295ecdd88c4f8927c8c2d437095
with: prefetch SA00086_Windows.zip sha1:d1554999879ed5a38e0d4fc45459bfcfaa999fab size:3476418 https://downloadmirror.intel.com/27150/eng/SA00086_Windows.zip
and in the Linux section, replace: prefetch SA00086_Linux.tar.gz sha1:223c76df0e4462f6ceb697faf611b1a31b5b6bf5 size:854946 https://downloadmirror.intel.com/27150/eng/SA00086_Linux.tar.gz sha256:2feb5be738b6cdfc59090fdc74ab4b6e4784b842241fc4ae00db8ee1fa118ef0
with: prefetch SA00086_Linux.tar.gz sha1:9e86965e1f58800b4e38568aa84763f377044161 size:972833 https://downloadmirror.intel.com/27150/eng/SA00086_Linux.tar.gz
Intel also modified the way the tool generates its output. While previously the XML tag System_Risk had all of its content on a single line, the content is now split into multiple lines, to improve readability for humans.
This makes our analysis fail on Linux. While on Windows we use the XML inspectors (xml document of <file>), these inspectors are only available in recent versions of the Linux client.
For this reason, on Linux we use some pattern matching, which is sidetracked by content split across multiple lines. It is thus also necessary to modify the properties of the analysis to something like:
if (windows of operating system) then ( if not exists file "SA00086\result.xml" of parent folder of regapp "BESClient.exe" then "" else concatenation " " of node values of child nodes of selects "/System/System_Status/System_Risk" of xml document of file "result.xml" of folder "SA00086" of parent folder of regapp "BESClient.exe" ) else ( if not exists file "/var/opt/BESClient/SA00086/result.xml" then "" else concatenation " " of (following text of first "<System_Risk>" of preceding text of last "</System_Risk>" of it) of (concatenation " " of (lines of file "result.xml" of folder "/var/opt/BESClient/SA00086") whose (line number of it >= (line number of line containing "<System_Risk>" of file "result.xml" of folder "/var/opt/BESClient/SA00086") ) ) )
where the main change is, on Linux:
concatenation " " of (lines of file "result.xml" of folder "/var/opt/BESClient/SA00086") whose (line number of it >= (line number of line containing "<System_Risk>" of file "result.xml" of folder "/var/opt/BESClient/SA00086") )
i.e. the concatenation of all the lines after the first <System_Risk> tag, so that the split lines are joined onto a single line before the pattern matching is applied.
We are going to publish both the updated Task and the updated analysis very soon.
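The two extraction strategies described in this post, the XML node lookup used on Windows and the join-then-match approach used on Linux, as an added Python example (not the analysis' own relevance) that runs the same logic over constructed result.xml samples in both the old single-line layout and the new multi-line layout. A third function approximates the pre-fix behaviour of matching one line at a time, to show why it returns nothing on the new layout. The XML samples and the risk text are constructed; only the element path /System/System_Status/System_Risk comes from the analysis.

```python
"""Extract the System_Risk text from the SA-00086 tool's result.xml.

Added example, not code from Analysis 3171 or from Intel's tool. The two
XML samples are constructed to mimic the layouts described in the thread:
the original single-line <System_Risk> and the newer multi-line one.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: original layout, whole value on one line.
SINGLE_LINE = """<?xml version="1.0"?>
<System>
  <System_Status>
    <System_Risk>This system is vulnerable. Contact the system manufacturer.</System_Risk>
  </System_Status>
</System>
"""

# Constructed sample: newer layout, value split across several lines.
MULTI_LINE = """<?xml version="1.0"?>
<System>
  <System_Status>
    <System_Risk>
      This system is vulnerable.
      Contact the system manufacturer.
    </System_Risk>
  </System_Status>
</System>
"""

RISK_RE = re.compile(r"<System_Risk>(.*)</System_Risk>", re.DOTALL)


def normalise(text):
    """Collapse runs of whitespace/newlines into single spaces."""
    return " ".join(text.split())


def system_risk_xpath(xml_text):
    """Windows-style: select /System/System_Status/System_Risk with an XML parser."""
    root = ET.fromstring(xml_text)
    node = root.find("./System_Status/System_Risk")
    if node is None or node.text is None:
        return ""
    return normalise(node.text)


def system_risk_lines(xml_text):
    """Linux-style, patched: join every line from the first <System_Risk> onward,
    then cut the text between the opening and closing tags."""
    lines = xml_text.splitlines()
    start = next((i for i, line in enumerate(lines) if "<System_Risk>" in line), None)
    if start is None:
        return ""
    joined = " ".join(lines[start:])
    m = RISK_RE.search(joined)
    return normalise(m.group(1)) if m else ""


def system_risk_naive(xml_text):
    """Approximation of the pre-fix Linux behaviour: match one line at a time,
    which only works when both tags sit on the same line."""
    for line in xml_text.splitlines():
        m = RISK_RE.search(line)
        if m:
            return normalise(m.group(1))
    return ""


if __name__ == "__main__":
    for label, sample in (("single-line", SINGLE_LINE), ("multi-line", MULTI_LINE)):
        print(label, "xpath :", system_risk_xpath(sample))
        print(label, "joined:", system_risk_lines(sample))
        print(label, "naive :", repr(system_risk_naive(sample)))
```

The joined and XPath variants agree on both layouts once whitespace is normalised, which is the property the analysis needs so that a Windows and a Linux endpoint report the same string; the naive variant returns an empty value on the multi-line layout, which is the silent failure the patched property avoids.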