Mitigate security vulnerability INTEL-SA-00075 using Bigfix content from bigfix.me

Custom Fixlets are now available to detect and mitigate CVE-2017-5689, the Intel AMT firmware remote code execution vulnerability.

There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs.

Intel has released some recommendations on the vulnerability.

You can use BigFix content to apply the mitigation for this vulnerability.
The complete steps are listed here:

For more information about this vulnerability, please review the following documentation.


@yumengyin
Intel changed the location and filenames…
INTEL-SA-00075_UnprovisioningTool_1.0.0.0025.zip at https://downloadmirror.intel.com/26781/eng/INTEL-SA-00075_UnprovisioningTool_1.0.0.0025.zip

and now it's an MSI and not a .exe…
So the Actionscript fails in the Mitigation unprovision.

@Pete_F,

Thanks for the feedback! We will update the corresponding part in the task and will give you an update when it is finished. Thanks!


Hi @Pete_F

The content is updated. Please let us know if there is any further feedback. Thanks!

Sincerely,
Yumeng

@yumengyin

Thanks for the fix… however, it still fails with
Invalid action content: the action script contains a syntax error.

Failed parameter "LMSpath" = "{following text of first "%22" of first match (regex "%22(.*LMS.exe)") of (value "ImagePath" of it as string ) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LMS" of native registry}"
//Disable LMS
waithidden cmd.exe /C sc config LMS start=disabled
//Remove LMS
waithidden cmd.exe /C sc delete LMS
//Delete LMS.exe
continue if {(exists file (parameter "LMSpath" of action)) and ((parameter "LMSpath" of action) ends with "LMS.exe" )}
waithidden cmd.exe /c del /f "{parameter "LMSpath"}"
action requires restart

I suspect the {, which may be needed for the debugger but not the client… Taking the { and } out of the 1st line allows the action script to proceed until it fails right at the end:

Failed continue if {(exists file (parameter "LMSpath" of action)) and ((parameter "LMSpath" of action) ends with "LMS.exe" )}
waithidden cmd.exe /c del /f "{parameter "LMSpath"}"

Is that likely to be the { again?

@Pete_F,

Could you please help by running the following queries in the Q&A on the failed client and letting us know the results, so that we can investigate the cause of the syntax error?

Q: following text of first "%22" of first match (regex "%22(.*LMS.exe)") of (value "ImagePath" of it as string ) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LMS" of native registry

Q: (value "ImagePath" of it as string ) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LMS" of native registry

Q: (concatenations of substrings separated by "%00" of (value "ImagePath" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LMS" of native registry as string))

Thanks!

Sincerely,
Yumeng
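As an added illustration, not code from this thread, from BigFix, or from Intel, the Python below mirrors what the "LMSpath" parameter line and the three Q&A queries above compute: decode the action-script `%22` escape into a literal quote, apply the regex `"(.*LMS.exe)` to the LMS service's ImagePath value, and then apply the same guard as the `continue if` line before anything is deleted. The ImagePath strings are constructed samples (no real host was queried), and the unquoted variant is included to show the one case where the strict relevance finds no match and the parameter line fails, which is worth ruling out when debugging the action. The tolerant variant is an assumption of mine about how such a value could be handled, not a BigFix-provided expression.

```python
import re

# Constructed sample ImagePath values for the LMS service (not taken from any real host).
SAMPLE_IMAGE_PATHS = {
    "quoted": '"C:\\Program Files (x86)\\Intel\\Intel(R) Management Engine Components\\LMS\\LMS.exe"',
    "unquoted": 'C:\\Program Files (x86)\\Intel\\Intel(R) Management Engine Components\\LMS\\LMS.exe',
    "nul_padded": '"C:\\Intel\\LMS\\LMS.exe"\x00\x00',
    "other_service": '"C:\\Windows\\System32\\svchost.exe" -k netsvcs',
}


def decode_percent_escapes(text):
    """Turn BigFix action-script %XX escapes into characters, e.g. %22 -> a double quote."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)


# The regex from the parameter line, after %22 has been decoded into a literal quote.
STRICT_PATTERN = re.compile(decode_percent_escapes("%22(.*LMS.exe)"))

# Assumed relaxed form (my own, not from the thread): the surrounding quotes are optional.
TOLERANT_PATTERN = re.compile(r'"?(.*?LMS\.exe)"?')


def strip_embedded_nuls(value):
    """Equivalent of the third Q&A query: join the substrings separated by %00 (NUL)."""
    return "".join(value.split("\x00"))


def extract_lms_path_strict(image_path):
    """Mirror of the parameter line: following text of the first quote of the first regex match.
    Returns None where the relevance would refer to a nonexistent object (no quoted LMS.exe)."""
    match = STRICT_PATTERN.search(strip_embedded_nuls(image_path))
    if match is None:
        return None
    return match.group(1)


def extract_lms_path_tolerant(image_path):
    """Same extraction, but also accepts an ImagePath that is not wrapped in quotes."""
    match = TOLERANT_PATTERN.search(strip_embedded_nuls(image_path))
    if match is None:
        return None
    return match.group(1)


def safe_to_delete(path):
    """Mirror of the 'continue if' guard: a path must have been found and must end with LMS.exe.
    The 'exists file' half of that guard needs a real filesystem and is not reproduced here."""
    return path is not None and path.endswith("LMS.exe")


if __name__ == "__main__":
    for label, value in SAMPLE_IMAGE_PATHS.items():
        strict = extract_lms_path_strict(value)
        tolerant = extract_lms_path_tolerant(value)
        print(f"{label:14} strict={strict!r} tolerant={tolerant!r} delete_ok={safe_to_delete(strict)}")
```

Running it shows the strict extraction succeeding for the quoted and NUL-padded samples, returning None for the unquoted sample (the case where the BigFix parameter line cannot evaluate), and refusing to proceed for a service whose binary is not LMS.exe, which is the behaviour the `continue if` line is meant to enforce.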