Hello,
I am about to scan our environment in order to check the status on the client. I downloaded the tool from https://downloadcenter.intel.com/download/26755/INTEL-SA-00075-Detection-and-Mitigation-Tool (Download INTEL-SA-00075 Detection and Mitigation Tool). At first glance it seems to work correctly. The GUI version, the XML file and the console version show the vulnerability status. The problem is with the registry. The system information is missing.
How am I supposed to collect the inventory information at large scale if the vulnerability status is not written to the registry?
Here are the exported values from the registry:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool]
"Scan Date"="30/11/2017 13:34:52"
"Computer Name"="Test"
"Application Version"="1.0.1.39"
[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\Hardware Inventory]
"Computer Manufacturer"="HP"
"Computer Model"="HP ZBook 15 G3"
"Processor"="Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz"
[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\ME Firmware Information]
"ME Version"="11.0.18.3003"
"ME Version Major"=dword:0000000b
"ME Version Minor"=dword:00000000
"ME Version Build"=dword:00000bbb
"ME Version Hotfix"=dword:00000012
"ME SKU"="Intel(R) Full AMT Manageability"
"ME Provisioning State"="Provisioned"
"ME Driver Installed"="True"
"LMS State"="NotPresent"
"Micro LMS State"="Running"
"EHBC Enabled"="False"
"Control Mode"="Admin"
"Is CCM Disabled"="False"
And from the WOW6432Node:
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool]
"Scan Date"="30/11/2017 13:34:52"
"Computer Name"="WPLCND708524T"
"Application Version"="1.0.1.39"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\Hardware Inventory]
"Computer Manufacturer"="HP"
"Computer Model"="HP ZBook 15 G3"
"Processor"="Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\ME Firmware Information]
"ME Version"="11.0.18.3003"
"ME Version Major"=dword:0000000b
"ME Version Minor"=dword:00000000
"ME Version Build"=dword:00000bbb
"ME Version Hotfix"=dword:00000012
"ME SKU"="Intel(R) Full AMT Manageability"
"ME Provisioning State"="Provisioned"
"ME Driver Installed"="True"
"LMS State"="NotPresent"
"Micro LMS State"="Running"
"EHBC Enabled"="False"
"Control Mode"="Admin"
"Is CCM Disabled"="False"
Any ideas?
Thanks
Tomasz
Hi Tomasz,
Are you using SCCM as part of your manageability suite for your clients? Or any sort of central management tool?
Regards,
Michael
Hi Michael,
We use the Altiris ITMS suite for endpoint management. I run the utility from the command line with elevated admin rights.
I have even downloaded version 1.0.3.215 of the tool (not sure why Intel maintains links to many versions of the same tool), but the problem persists. The vulnerability status is not saved in the registry.
Another issue I found with the Intel tool: it does not offer a quiet switch. The unexpected popup windows on the client computers are not acceptable.
As a workaround I am going to use the Intel® SCS System Discovery Utility instead, then use the criteria from the PDF documentation to determine if a system is vulnerable to INTEL-SA-00075.
I am going to use the same approach to determine if a system is vulnerable to INTEL-SA-00086. The table in the user guide says the system is vulnerable if ME Versions 11.x.x.x with SVN < 3. It does not explain what SVN stands for. It does not give any example either. I assume we are talking about the build number.
The problem with the INTEL-SA-00086 detection tool is that it writes the status to the registry in the local language, for instance: "Dieses System hat keine Sicherheitslücken". In a global international environment that is not really preferable for mass deployment.
These tools are not developed with IT pro admins in mind, from my point of view.
Could you assist further, please?
Thanks,
Tomasz
Hi Tomasz,
To get around the issue of the unexpected popup, you can use "console.exe", which is included in the detection and mitigation tool; however, it will not appear until you install it. It will be in the same location as the webui.
Not writing vulnerable/not vulnerable is by design. Rather, if you run a discovery on your systems, there will be a registry key that gets written:
HKLM\SOFTWARE\Intel\Setup and Configuration Software\ManageabilityInfo
String Value = FWVersion =
You can then check that registry and cross-reference against the .pdf. And I believe I'm just confirming what you are planning on doing anyway based on what you wrote.
I will get further clarification on SVN, as I agree it can be made clearer, and post a response.
Regards,
Michael
Hi Michael,
Thanks for the response.
I do use the console version. I am talking about the tool itself. It does not offer a quiet switch parameter, something like /quiet, /silent, etc. If you go to the Start menu and run it, it still opens in a new window even if you choose -c (no console output).
"Not writing vulnerable/not vulnerable is by design". Again, a lack of consistency. The version 00086 does write the status in the registry.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool\System Status]
"System Risk"="This system is vulnerable."
What's more, after applying the firmware fix the tool crashes.
PS C:\temp\Intel-SA-00086> .\Intel-SA-00086-console.exe
INTEL-SA-00086 Detection Tool will start analysis in 8sec.
Unhandled Exception: System.NullReferenceException: Object reference not set to an instance of an object.
at DiscoveryTool.DataAccess.IclsUtils.IsIclsRunning() in D:\buildagent_prod\workspace\10060\apps\PRTSW\SA00086_Discovery\SA0086_Windows\src\product\DiscoveryTool\DataAccess\IclsUtils.cs:line 35
at DiscoveryTool.BizLogic.SetReKeyStatus() in D:\buildagent_prod\workspace\10060\apps\PRTSW\SA00086_Discovery\SA0086_Windows\src\product\DiscoveryTool\BizLogic.cs:line 149
at DiscoveryTool.CLI.Program.Main(String[] args) in D:\buildagent_prod\workspace\10060\apps\PRTSW\SA00086_Discovery\SA0086_Windows\src\product\DiscoveryTool.CLI\Program.cs:line 109
I stick to my opinion that this specific Intel software is very low quality and not developed with IT Pro Admins in mind.
I appreciate your clarification on the FWVersion and the logic behind the SVN value.
Regards,
Tomasz
Hi Tomasz,
Appreciate your feedback. I have shared your post with the developers. I'm also waiting for a response and will post when I receive one.
Regards,
Michael
Hello Michael,
I have run the inventory task with the SCS System Discovery tool. The first results are coming in. So far I have received the following FW versions in my environment.
10.0.30.1072
10.0.37.1000
10.0.50.1004
11.0.0.1191
11.0.0.1194
11.0.0.1202
11.0.0.1205
11.0.12.1008
11.0.18.1002
11.0.18.3003
11.0.22.3001
11.0.22.3001
11.0.25.3001
11.0.27.3000
11.6.12.3202
11.6.29.3287
11.8.50.3425
5.0.3.1126
5.2.1.1001
8.0.10.1464
8.0.3.1427
8.0.4.1441
8.1.0.1265
8.1.30.1350
8.1.31.1351
9.0.22.1467
9.0.31.1487
9.1.0.1120
9.1.20.1035
9.1.25.1005
9.1.37.1002
9.1.41.3024
9.1.42.3002
9.5.12.1688
9.5.15.1730
I still have no idea what the SVN value is.
Could you advise/clarify what logic should be used to determine whether a given PC is still vulnerable against SA-00075 and SA-00086, please?
Is there any way we, as an enterprise company, can open a support call instead of using a public forum?
Thank you.
Tomasz
Hi Tomasz,
I will send a personal message via e-mail to set up a support call.
Regards,
Michael
Hello, I am also receiving the same errors when attempting to run the detection tool in my environment. Was a fix found? Tomasz.Wozniak
Below is my output log:
INTEL-SA-00086 Detection Tool will start analysis in 8sec.
Unhandled Exception: System.NullReferenceException: Object reference not set to an instance of an object.
at DiscoveryTool.DataAccess.IclsUtils.IsIclsRunning() in D:\buildagent_prod\workspace\10060\apps\PRTSW\SA00086_Discovery\SA0086_Windows\src\product\DiscoveryTool\DataAccess\IclsUtils.cs:line 35
at DiscoveryTool.BizLogic.SetReKeyStatus() in D:\buildagent_prod\workspace\10060\apps\PRTSW\SA00086_Discovery\SA0086_Windows\src\product\DiscoveryTool\BizLogic.cs:line 149
at DiscoveryTool.CLI.Program.Main(String[] args) in D:\buildagent_prod\workspace\10060\apps\PRTSW\SA00086_Discovery\SA0086_Windows\src\product\DiscoveryTool.CLI\Program.cs:line 109
It's also returning an error code -1073741819 if that means anything.
Hi NickPifer86,
Looking further into this, we'd like to have the following information:
1. What system make/model are you running this on or is it occurring on multiple systems? If multiple systems, can you provide us with a few makes and models?
2. What operating system are you running on this(these) systems?
3. How are you running the tool? Are you using command options or running the gui version?
Regards,
Michael
Hello Michael,
Thank you for the support session.
Based on your clarifications on the logic rules I was able to determine the vulnerability status. I copy them here so others may benefit too.
SA-00075 Any major version AMT 6-11 will be impacted
Major Minor Hotfix Version Build
Two numbers to key off of are "Major" and "Build"
SA-00075
Major between 6-11
and
Version Build >3000
If conditions are met, given systems are NOT vulnerable
SA-00086
If conditions are met, systems are vulnerable
ME Versions 11.x.x.x with SVN < 3
ME Version 10.x.x.x < 10.0.56.3002*
ME Version 9.5.x.x < 9.5.61.3012*
ME Version 9.0.x.x < 9.1.42.3002*
ME Version 8.x.x.x < 8.1.72.3002*
The following SQL queries target my vulnerable systems.
--Intel SA-00075
SELECT vc.Name
      ,hw.Model
      ,vpro.[FWVersion]
      ,Right(vpro.FWVersion,4) as Build
FROM vComputer vc
left join [Symantec_CMDB].[dbo].[Inv_vPro] vpro on vpro._ResourceGuid = vc.Guid
left join vHWComputerSystem hw on hw._ResourceGuid = vc.Guid
where
(
    vpro.FWVersion like '6%'
    or vpro.FWVersion like '7%'
    or vpro.FWVersion like '8%'
    or vpro.FWVersion like '9%'
    or vpro.FWVersion like '10%'
    or vpro.FWVersion like '11%'
)
and Right(vpro.FWVersion,4) < 3000

--Intel SA-00086
SELECT vc.Name
      ,vc.[OS Name]
      ,hw.Model
      ,vpro.[FWVersion]
FROM vComputer vc
left join [Symantec_CMDB].[dbo].[Inv_vPro] vpro on vpro._ResourceGuid = vc.Guid
left join vHWComputerSystem hw on hw._ResourceGuid = vc.Guid
where vc.IsManaged = 1
and
(
    (vpro.FWVersion like '11%' and Right(vpro.FWVersion,4) < 3000)
    or
    (vpro.FWVersion between '10.0.0.0' and '10.0.56.3001')
    or
    (vpro.FWVersion between '9.5.0.0' and '9.5.61.3011')
    or
    (vpro.FWVersion between '9.0.0.0' and '9.1.42.3001')
    or
    (vpro.FWVersion between '8.0.0.0' and '8.1.72.3001')
    or
    (vpro.FWVersion like '7%' and (vpro.AMTSKU = 'Intel(R) Full AMT Manageability' or vpro.AMTSKU = 'Full AMT Manageability'))
    or
    (vpro.FWVersion like '6%' and (vpro.AMTSKU = 'Intel(R) Full AMT Manageability' or vpro.AMTSKU = 'Full AMT Manageability'))
)
Of course your database may look different, but you get the idea.
As for the detection tools for SA-00075 and SA-00086, I am not going to use them.
For me the subject can be closed.
Thanks
Tomasz
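An added example, not part of the original post or of any Intel tool: the version rules quoted in the post above, applied to FWVersion strings with each component compared as an integer rather than as text. The function names, status labels and the two constructed sample values are assumptions of this example; 11.x is reported as needing the SVN, which is not part of FWVersion, and the SKU-based 6.x/7.x clause of the query is not covered.

```python
import re

# SA-00086 thresholds from the rule list in the thread: (inclusive low, exclusive high).
SA00086_RANGES = [
    ((10, 0, 0, 0), (10, 0, 56, 3002)),
    ((9, 5, 0, 0), (9, 5, 61, 3012)),
    ((9, 0, 0, 0), (9, 1, 42, 3002)),
    ((8, 0, 0, 0), (8, 1, 72, 3002)),
]

def parse_fw(text):
    """Return (major, minor, hotfix, build) as ints, or None if malformed."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def sa00075(v):
    if v is None:
        return "unknown"
    major, build = v[0], v[3]
    if not 6 <= major <= 11:
        return "out-of-scope"
    if build > 3000:
        return "not-vulnerable"
    # The thread's rule says "> 3000" is fixed while its query flags "< 3000",
    # so a build of exactly 3000 is left for manual review.
    return "review" if build == 3000 else "vulnerable"

def sa00086(v):
    if v is None:
        return "unknown"
    if v[0] == 11:
        # The rule needs the SVN, which cannot be read from FWVersion.
        return "needs-svn"
    if any(lo <= v < hi for lo, hi in SA00086_RANGES):
        return "vulnerable"
    return "not-matched"

def classify(fw_strings):
    """Map each FWVersion string to its (SA-00075, SA-00086) status."""
    return {s: (sa00075(parse_fw(s)), sa00086(parse_fw(s))) for s in fw_strings}

# Versions taken from the inventory list in the thread, plus two constructed edge cases.
SAMPLE = ["9.1.41.3024", "9.1.42.3002", "10.0.50.1004", "11.0.27.3000",
          "5.2.1.1001", "8.1.31.1351",
          "10.0.6.1000",  # constructed: sorts after 10.0.56 when compared as text
          "n/a"]          # constructed: empty or malformed inventory value

if __name__ == "__main__":
    for fw, (s75, s86) in classify(SAMPLE).items():
        print(f"{fw:14} SA-00075={s75:15} SA-00086={s86}")
```

Tuple comparison keeps 10.0.6.x below 10.0.56.x, which a character-by-character comparison of the same strings does not.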
Hi Tomasz,
This looks really good and hopefully others can use this also. Thank you for your contributions here and it was a pleasure meeting with you.
Regards,
Michael
Hi Michael. Of course, here you go:
1-Dell Optiplex 3050's, once the firmware update has already been run. We're using BIOS version 1.7.4 to patch the optiplex's.
2-Windows 10, version 1607 (The anniversary update)
3-I'm using a PDQ deploy package which simply runs "Intel-SA-00086-console.exe -c" using a service account which has local admin on my workstations.
Hi NickPifer86,
I apologize for asking you to do this. I would for you but I do not have your contact information. Would like to get the log file that is created when you run the tool....the .htm file created in the directory you run the tool from, however, I do not know your comfort level of posting that file on a public forum, so if you are uncomfortable, would you mind opening a ticket on our support site here:
https://www.intel.com/content/www/us/en/support/contact-support.html# @17
You can send me a personal message to let me know your ticket number...
Regards,
Michael