Scan for Intel AMT Vulnerability_V1.0.1.39


Versioning - This is the latest version.

  1. Scan for Intel AMT Vulnerability_V1.0.1.6 - 5/10/2017 6:06:01 PM
  2. Scan for Intel AMT Vulnerability_V1.0.1.39 - 5/12/2017 8:19:18 PM
  3. Scan for Intel AMT Vulnerability_V1.0.1.39 - 5/12/2017 8:20:07 PM

Description


This task runs a scan using the Intel-SA-00075-console tool for the AMT vulnerability on a particular computer. The results are stored in a file named:

{HOSTNAME}_System_Summary.xml

located in the folder "AMT_ScanResults" in the BigFix Client's root folder.

This file feeds the values of two properties:

Intel_AMT_System_Risk
Intel_AMT_System_Exposure

The possible values and their meanings, per Intel's documentation, are listed below.

System Risk

  • Vulnerable
    The system has a vulnerable manageability firmware version; the firmware needs to be updated.

  • Not Vulnerable
    The system meets the "Not Vulnerable" criteria described in the "Identifying impacted systems using the INTEL-SA-00075 Discovery Tool" section of the Intel document.

  • Not Vulnerable (Verify configuration)
    The system has the firmware with the fix for INTEL-SA-00075, but if the system was provisioned prior to the firmware update, an attacker using the known vulnerability may have changed the manageability configuration. Only limited verification is possible by reviewing the Intel manageability SKU audit log. A full unprovision and reprovision of the manageability SKU will remove unauthorized configuration settings.

  • Check With OEM
    The SMBIOS information from the OEM shows a manageability SKU, but the Discovery Tool did not receive a response when requesting detailed data from your computer. This may be caused by a missing Management Engine interface driver. Consult your OEM to find out if your computer model is affected.

  • Unknown
    The Discovery Tool did not receive a valid response when requesting hardware inventory data from your computer. Consult your OEM to find out if your computer model is affected.

System Exposure

  • Exposed
    The system is provisioned and the LMS (Intel Local Manageability Service) is running.

  • Not Exposed
    The system is determined to be unprovisioned and the LMS is not running.

  • Potential Exposure
    The system is determined to be unprovisioned, but the LMS status could not be determined.

  • Unknown
    The Discovery Tool did not receive a valid response when requesting hardware inventory data from your computer, so it cannot determine whether a mitigation has been applied to this system.
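Once the scan has run across a fleet, the per-host summary files can be collected and triaged against the value table above. The following Python helper is an added example, not part of this task or of Intel's tool; it assumes the summary XML carries System_Risk and System_Exposure elements (the real element names may differ) and runs on constructed sample input.

```python
# Added example, not code from the BigFix task or Intel's Discovery Tool: triage the
# per-host {HOSTNAME}_System_Summary.xml files. ASSUMPTION: the summary carries
# <System_Risk> and <System_Exposure> elements; adjust the tag names if the tool's differ.
import xml.etree.ElementTree as ET

# Triage order derived from Intel's value table: higher rank means act sooner.
RISK_RANK = {"Vulnerable": 3, "Not Vulnerable (Verify configuration)": 2,
             "Check With OEM": 1, "Unknown": 1, "Not Vulnerable": 0}
EXPOSURE_RANK = {"Exposed": 3, "Potential Exposure": 2, "Unknown": 1, "Not Exposed": 0}

def parse_summary(xml_text):
    """Return (system_risk, system_exposure); a missing/unrecognised value becomes 'Unknown'."""
    root = ET.fromstring(xml_text)
    risk = (root.findtext("System_Risk") or "Unknown").strip()
    exposure = (root.findtext("System_Exposure") or "Unknown").strip()
    return (risk if risk in RISK_RANK else "Unknown",
            exposure if exposure in EXPOSURE_RANK else "Unknown")

def recommended_action(risk, exposure):
    """Map a (risk, exposure) pair to the remediation Intel's table implies."""
    if risk == "Vulnerable":
        action = "update manageability firmware"
    elif risk == "Not Vulnerable (Verify configuration)":
        action = "review ME audit log; unprovision and reprovision AMT"
    elif risk in ("Check With OEM", "Unknown"):
        action = "consult OEM; check ME interface driver and rescan"
    else:
        action = "no firmware action needed"
    if exposure == "Exposed" and risk != "Not Vulnerable":
        action += "; LMS running on a provisioned system, handle first"
    return action

def triage(summaries):
    """summaries: {hostname: xml_text}. Returns (host, risk, exposure, action) rows, most urgent first."""
    rows = []
    for host, xml_text in summaries.items():
        risk, exposure = parse_summary(xml_text)
        score = RISK_RANK[risk] * 10 + EXPOSURE_RANK[exposure]
        rows.append((score, host, risk, exposure, recommended_action(risk, exposure)))
    return [r[1:] for r in sorted(rows, key=lambda r: (-r[0], r[1]))]

# Constructed sample results for three hosts (not real scan output).
SAMPLES = {
    "PC-A": "<Summary><System_Risk>Vulnerable</System_Risk><System_Exposure>Exposed</System_Exposure></Summary>",
    "PC-B": "<Summary><System_Risk>Not Vulnerable</System_Risk><System_Exposure>Not Exposed</System_Exposure></Summary>",
    "PC-C": "<Summary><System_Risk>Not Vulnerable (Verify configuration)</System_Risk></Summary>",
}

for host, risk, exposure, action in triage(SAMPLES):
    print(f"{host}: {risk} / {exposure} -> {action}")
```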

Property Details

ID: 24278
Status: Alpha - Code that was just developed
Title: Scan for Intel AMT Vulnerability_V1.0.1.39
Domain: BESC
Category: Utility
Download Size: 1048576
Source: Mike Consuegra
Source Severity: Critical
Source Release Date: 5/9/2017 12:00:00 AM
CVE Names: CVE-2017-5689
Keywords: CVE-2017-5689, Intel AMT bug, Intel AMT vulnerability, detect, scan
Is Task: True
Added by on 5/12/2017 8:20:07 PM
Last Modified by on 5/12/2017 8:20:07 PM

Relevance

Relevance 1 (used in 13 fixlets and 3 analyses; results in a true/false):
name of operating system contains "Win"

Relevance 2 (used in 3 fixlets and 2 analyses; results in a true/false):
/* Version of Windows must be at least Win7 */ version of operating system >= "6.1"

Actions

Action 1 (default)

Script Type: BigFix Action Script
// Download the Scanner Zip file from Intel and wait until it has successfully downloaded
prefetch discoveryToolInstaller_1.0.1.39.msi sha1:af1e35ea47eac4d0bded7b91f5da87bd4e36513d size:1941504 http://downloadmirror.intel.com/26755/eng/discoveryToolInstaller_1.0.1.39.msi sha256:37f4a31647fe8fb2916bc0ac97d586cc4979da72b8b615593fdc39f8916fe138
pause while {not exists file "__Download\discoveryToolInstaller_1.0.1.39.msi"}


// Make sure the 'Intel_AMT_Scanner' folder exists in the Client directory on the target, then copy the installer into it
if {not exists folder ((parent folder of regapp "BESClient.exe" as string) & "\Intel_AMT_Scanner")}
    dos mkdir "{(parent folder of regapp "BESClient.exe" as string) & "\Intel_AMT_Scanner"}"
endif
dos copy /Y "{((client folder of current site) as string) & "\__Download\discoveryToolInstaller_1.0.1.39.msi"}" "{(parent folder of regapp "BESClient.exe" as string) & "\Intel_AMT_Scanner\discoveryToolInstaller_1.0.1.39.msi"}"


// Delete any old versions of the result xml file "_System_Summary.xml"
delete "{(parent folder of regapp "BESClient.exe" as string) & "\Intel_AMT_Scanner\" & (hostname) & "_System_Summary.xml"}"



// Install the Scanner into the 'Intel_AMT_Scanner' folder
waithidden msiexec.exe /i "{parent folder of regapp "BESClient.exe" as string & "\Intel_AMT_Scanner\discoveryToolInstaller_1.0.1.39.msi"}" INSTALLDIR="{parent folder of regapp "BESClient.exe" as string & "\Intel_AMT_Scanner\"}"


// Run the scanner in order to create the new "_System_Summary.xml" file
waithidden "{parent folder of regapp "BESClient.exe" as string & "\Intel_AMT_Scanner\Windows\Intel-SA-00075-console.exe"}" --writefile --filepath "{(parent folder of regapp "BESClient.exe" as string) & "\Intel_AMT_Scanner"}"

// Once the .xml file is created, the accompanying properties will evaluate to one of the specific values listed in the description tab of this task. This will tell you whether or not your system is vulnerable to this bug.

Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.


Comments

mxc0bbn -
kvellano: The analysis only reads the specific "System Risk/Exposure" line from the xml file created by the Intel utility. I would first check the results xml file in the "[BESClient_HomeDir]\Intel_AMT_Scanner\" folder and see what it actually says. If it matches what the property value is then the analysis is working as designed and the issue may be incorrect reporting by the Intel Scanner; however, if the file shows something different than the property then let me know so I can troubleshoot the analysis. One last thing: I also added a "Last Scanned" property so if you run the scan multiple times you can be sure that the results you're seeing are part of the latest scan you ran. Make sure that the "Last Scanned" property is consistent with the last time you sent the scan task to the computer.
kvellano -
Thanks mxc0bbn - I do see all our systems are applicable. As a test, I installed the discovery tool 1.0.1.39 on a test system (manually) and it reported in as "Not Vulnerable" and "Not Exposed" for Intel SA00075 Exposed - Windows and Intel SA00075 Vulnerable - Windows. So it would seem something is wrong with the analysis. If I have time today, I'm going to review, modify, test. I'll report back.
mxc0bbn -
kvellano: Without doing some troubleshooting on your environment it's hard to pinpoint the exact reason, but here are some steps you can take and see if one of these helps:
1. Make sure the Analysis shows your endpoints in the "Applicable Computers" tab (otherwise the analysis is in a content site that those computers are not subscribed to)
2. "Send Refresh" to the endpoint (check the client log to see if it's even trying to evaluate the analysis properties)
3. Stop the endpoint, delete the "__BESData" directory and restart the endpoint (copy the __Global\Logs folder somewhere unless you don't care about losing the client logs), then restart the endpoint
If none of those work, write me at "c5z06.mike@gmail.com" with a way to contact you and I might be able to help you troubleshoot further.
kvellano -
@mxc0bbn - yea...common problem within our environment. The hosts are reported in all other aspects...except for the Intel SA 00075 Vulnerable/Exposed fields.
mxc0bbn -
jgstew: The Fixlet you referred to in your reply hasn't been updated by its creator. It's still pointing to the old AMT tool which Intel has now removed so anyone using that Fixlet will get a Download Error.
mxc0bbn -
kvellano...not sure I understand what you're asking... "Not Reported" usually means the endpoints haven't responded with the evaluation back to the console yet.
jgstew -
see here: https://bigfix.me/fixlet/details/24274
kvellano -
Ran this fixlet on 23 hosts - all values returned are "Not Reported" for Intel SA 00075 Vulnerable or Exposed...thoughts?
mxc0bbn -
to: "tsikma". Thank you for your alert that Intel had repackaged and re-named the detection tool. I have made the appropriate changes in the Task and it should work correctly now.