Does IBM have plans to create a Fixlet for this, or has anyone created content they are willing to share?
Intel have provided a detection tool for both Windows and Linux - https://downloadcenter.intel.com/download/27150
Thanks!
Yes, I am interested as well.
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr
Strawgate created one for SA00075. See:
C3 provides Fixlet/Analysis for Intel SA 00075 (Intel Management Engine Vulnerability)
and
C3-Inventory
Will try editing to reflect current vulnerability. Thanks
/subscribe
@strawgate Bill, is this something you can help with?
I'm running into issues with the analysis due to the naming of the .xml file that SA-00086 creates. SA-00075 simply named it computername.XML, but SA-00086 is naming it SA-00086-COMPUTERNAME-YEAR-MONTH-DAY-HOUR-MIN-SEC.XML. Has anyone overcome this?
I'm assuming you are referring to Linux, as the Windows tool "should" write its status to the registry and/or a file named computername.xml plus a log.
Here's a working Linux task. If anyone has working Windows content, I'd be grateful if you could share it, as the one I have created is hit and miss depending on whether it's executed via BigFix, SCCM or interactively.
You'll need to download and cache the SA00086_Lx.tar.gz file for this to work.
// Delete the /tmp/intel directory
wait /bin/sh -c "(cd /tmp/ && rm -rf intel/)"
// Make the /tmp/intel directory
wait /bin/sh -c "(mkdir -p /tmp/intel/)"
// Download the binaries to the tmp directory
prefetch fc59bb7ef57bf645886a2433fdab9e89d06b1e75 sha1:fc59bb7ef57bf645886a2433fdab9e89d06b1e75 size:862711 http://myserver:myport/Uploads/fc59bb7ef57bf645886a2433fdab9e89d06b1e75/SA00086_Lx.tar.gz.tmp sha256:2a87ed7271d1af8ae40f4bf1cfbae2088296679302ef350aad150eeb0f5e3c1c
extract fc59bb7ef57bf645886a2433fdab9e89d06b1e75 /tmp/intel/
// Unpack the tar.gz
wait /bin/sh -c "tar -zxvf /tmp/intel/SA00086_Lx.tar.gz -C /tmp/intel/"
// Change the script permissions to allow execution
wait /bin/sh -c "(cd /tmp/intel/SA && chmod +x intel_sa00086.py)"
// Run the script
wait /bin/sh -c "(cd /tmp/intel/SA && ./intel_sa00086.py)"
// Copy the results to the BESClient directory
wait /bin/sh -c "(cp /tmp/intel/SA/*.log /var/opt/BESClient/intel_results.txt)"
// Delete the /tmp/intel directory
wait /bin/sh -c "(cd /tmp/ && rm -rf intel/)"
The property to read the output is:
if (exists file "intel_results.txt" of folder "/var/opt/BESClient") then ((following text of first "Status: " of it) of lines whose (it contains "Status: ") of file "intel_results.txt" of folder "/var/opt/BESClient") else "N/A"
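Two things in this thread are easy to get subtly wrong when the results are read back by something other than the relevance property above: the "no status line" case (the `else "N/A"` branch) and, from the earlier post about SA-00086's new file names, picking the latest `SA-00086-COMPUTERNAME-YYYY-MM-DD-HH-MM-SS.XML` when several runs have left files behind. The following is an added example, not code from the thread or from Intel's tool; the log text is a constructed sample (the real tool's wording may differ, only the `Status: ` line is relied on) and the file-name pattern is the one reported in the thread.

```python
import re
from pathlib import Path
from typing import Iterable, Optional

STATUS_PREFIX = "Status: "

# Constructed sample of the log the task copies to /var/opt/BESClient/intel_results.txt.
# The real tool's wording may differ; only the "Status: " line is relied on, as in the property.
SAMPLE_LOG = """\
INTEL-SA-00086 Detection Tool
Name: build-host-01
Engine: Intel(R) Management Engine
Version: 11.6.0.1126
Status: This system is vulnerable
"""

# Result file names as reported earlier in this thread:
# SA-00086-<COMPUTERNAME>-YYYY-MM-DD-HH-MM-SS.XML (computer names may themselves contain '-')
RESULT_NAME = re.compile(
    r"^SA-00086-(?P<host>.+)-(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})\.xml$",
    re.IGNORECASE,
)


def extract_status(log_text: Optional[str]) -> str:
    """Return the text after the first line starting with 'Status: ', or 'N/A'.

    Mirrors the relevance property: a missing file or a log with no status line
    yields 'N/A' rather than an error or an empty string, so a failed tool run is
    never mistaken for a clean result.
    """
    if log_text is None:
        return "N/A"
    for line in log_text.splitlines():
        if line.startswith(STATUS_PREFIX):
            return line[len(STATUS_PREFIX):].strip()
    return "N/A"


def status_from_file(path: Path) -> str:
    """File-based wrapper: an absent file gives 'N/A', like the 'exists file' guard."""
    if not path.is_file():
        return "N/A"
    return extract_status(path.read_text(errors="replace"))


def newest_result_name(names: Iterable[str]) -> Optional[str]:
    """Pick the newest SA-00086 result file by the timestamp embedded in its name.

    The embedded timestamp is used instead of file mtime because copying the
    results elsewhere (as the task above does) resets mtime. The fields are
    zero-padded and fixed-width, so the timestamp strings compare correctly as text.
    """
    best_name, best_ts = None, None
    for name in names:
        m = RESULT_NAME.match(name)
        if m is None:
            continue  # not a tool result file (e.g. intel_results.txt or a log)
        ts = m.group("ts")
        if best_ts is None or ts > best_ts:
            best_name, best_ts = name, ts
    return best_name


if __name__ == "__main__":
    print("status:", extract_status(SAMPLE_LOG))
    print("newest:", newest_result_name([
        "SA-00086-WS-01-2017-11-22-09-00-00.XML",
        "SA-00086-WS-01-2017-11-23-08-15-30.XML",
    ]))
```

Run it as-is to see the constructed sample evaluated; point `status_from_file` at `/var/opt/BESClient/intel_results.txt` on a host where the task has run to read a real result.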
I had some trouble getting the SA-00086 utility to run out of __Download, and I also found that the working directory couldn't be __Download (I don't really understand the behavior, but I've seen it in other installers).
The basic task to run the utility looks like this (after it downloads):
createfile until EOF
cd "C:\Temp\Intel"
"C:\Temp\Intel\Intel-SA-00086-console.exe" --writefile --filepath "C:\Temp\Intel" > "C:\Temp\Intel\Intel.log"
EOF
move __createfile intel.bat
wait intel.bat
Like @DonMega notes, the name of the file it outputs has changed, so it's probably easier to get this info from the registry:
Vulnerability status:
values "System Risk" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool\System Status" of native registries
Installed version:
values "ME Version" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool\ME Firmware Information" of native registries
Yes, we (BigFix development) plan to release some content early next week to automate the execution of the Intel detection tool, both on Windows and Linux.
We are currently completing the testing before officially releasing it.
Regards,
Bernardo
Thanks @alinder. I completely forgot that the tool also writes to the registry.
It looks like WMI could be used to detect the driver version for Windows via an Analysis, without having to execute the detection tool. Has anyone looked into this yet?
wmic path Win32_PnPSignedDriver where "devicename like 'Intel® Management Engine%' OR devicename like 'Intel® Trusted Execution Engine%' OR devicename like 'Intel® Server Platform Services%'" get devicename,DriverVersion
DeviceName DriverVersion
Intel® Management Engine Interface 11.6.0.1042
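If the wmic output above is collected as text (for example by a task that redirects it to a file, as the Windows task earlier in the thread does for the tool's log), it still has to be parsed and compared correctly: device names contain spaces, and version strings such as 11.6.0.1042 do not compare as plain text ("9.5.24.1790" sorts above "11.6.0.1042"). The following is an added example, not code from the thread; the wmic output is a constructed sample, and `MIN_DRIVER_VERSION` is a placeholder because the thread gives no threshold. Note also that what WMI reports here is the version of the MEI driver installed in Windows, which is a separate artifact from the ME firmware that Intel's tool inspects, so a property built on it is an inventory aid alongside the tool's result rather than a replacement for it.

```python
from typing import Dict, Tuple

# Constructed sample of `wmic path Win32_PnPSignedDriver ... get devicename,DriverVersion`
# output. Not captured from a real machine: names contain spaces, versions never do.
SAMPLE_WMIC_OUTPUT = """\
DeviceName                                   DriverVersion
Intel(R) Management Engine Interface         11.6.0.1042
Intel(R) Trusted Execution Engine Interface  3.1.0.1050

"""

# Device-name prefixes from the wmic 'where' clause in the post above.
ENGINE_PREFIXES = (
    "Intel(R) Management Engine",
    "Intel(R) Trusted Execution Engine",
    "Intel(R) Server Platform Services",
)

# Placeholder only: the thread gives no threshold, take it from the vendor's driver release notes.
MIN_DRIVER_VERSION = "11.7.0.1000"


def parse_wmic_table(text: str) -> Dict[str, str]:
    """Map DeviceName -> DriverVersion from wmic's tabular output.

    The version is taken as the last whitespace-separated token on each row, which
    is safe because DriverVersion never contains spaces while DeviceName usually does.
    """
    rows = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    drivers: Dict[str, str] = {}
    for row in rows[1:]:  # rows[0] is the header line
        parts = row.rsplit(None, 1)
        if len(parts) != 2:
            continue  # malformed row (e.g. a name with no version column)
        name, version = parts
        drivers[name.strip()] = version
    return drivers


def engine_drivers(text: str) -> Dict[str, str]:
    """Keep only the ME / TXE / SPS interface drivers, like the wmic 'where' clause."""
    return {n: v for n, v in parse_wmic_table(text).items() if n.startswith(ENGINE_PREFIXES)}


def version_tuple(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so that 11.6.0.1042 > 9.5.24.1790 holds."""
    return tuple(int(part) for part in version.split("."))


def meets_minimum(version: str, minimum: str = MIN_DRIVER_VERSION) -> bool:
    """True when the reported driver version is at or above the (placeholder) minimum."""
    return version_tuple(version) >= version_tuple(minimum)


if __name__ == "__main__":
    for name, ver in engine_drivers(SAMPLE_WMIC_OUTPUT).items():
        print(f"{name}: {ver} ({'ok' if meets_minimum(ver) else 'below minimum'})")
```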
We have published content that leverages the Intel tool to discover vulnerable machines. More details are available in this forum post: IBM BigFix released content to help identifying machines affected by the Intel Firmware Vulnerability INTEL-SA-00086
Bernardo
This would be a much slicker process than the intel tool, results in near real-time via a property.
Now that we have a Task and an Analysis to evaluate the Intel ME vulnerability (thank you!), the next problem is to patch it. HP has issued sp82476 http://ftp.hp.com/pub/softpaq/sp82001-82500/sp82476.exe which covers many of their business-class machines. It runs under Windows, so it ought to be possible to run it from BigFix. Has anyone worked up a fixlet for this?