Detecting the INTEL-SA-00086 Vulnerability using PDQ Products

Colby Bouma

Intel has released the INTEL-SA-00086 Detection Tool so you can identify which computers are vulnerable to the recently found Intel® Management Engine (ME) security vulnerabilities. For those that have been living under a rock, a number of vulnerabilities have been discovered in Intel chips, yes, physical chips.

Here’s how you can use PDQ Deploy and Inventory to run Intel’s tool and report on its findings.

Eleven Easy Steps

1. Download and unzip the Collections, Reports, and Scan Profile I’ve created for you.

2. In PDQ Inventory, with Reports selected in the tree, import all three files. (File > Import or Ctrl+I).

3. PDQ Inventory will now include a Reports folder with three reports, four collections, and a scan profile, all with titles starting with ‘Intel SA-00086’.

4. Download the INTEL-SA-00086 Detection Tool.

5. Extract the Detection Tool into your PDQ Deploy Repository. The package looks for this by default: $(Repository)\Intel\SA00086_Windows\DiscoveryTool\Intel-SA-00086-console.exe

6. Download and unzip the file I’ve created for you.

7. Import the package into PDQ Deploy. (File > Import or Ctrl+I).

8. Open the Package Properties and go to the Options tab. Set to Scan After Deploy using the Scan Profile named Intel SA-00086.

9. Save and close.

10. Deploy the Package, choosing the ‘Intel SA-00086 – Not Scanned’ collection from PDQ Inventory as your target.

11. Return to PDQ Inventory and check the Collections and/or Reports for vulnerable computers once the deployment and scans finish.

NOTES: I recommend only running this against physical machines vs. virtual machines. Additionally, if you are running a version of PDQ Deploy other than 15.3, you should remove 100 from your Success Code list so the Package will fail on vulnerable computers.

If you do not have PDQ Inventory, you can still use the PDQ Deploy package. You will need to edit the package and remove ‘100’ from the Success Codes listed in ‘Step 2 – Run the detection tool’. Deploy to all computers.

INTEL-SA-00086 Return Codes

Here is a breakdown of the Return Codes as specified by section 2.11 of INTEL-SA-00086_Detection_UG.pdf in the detection tool files.

Number  Status                              Meaning
0       NOTVULNERABLE | STATUS_OK           Platform is not vulnerable
10      HECI NOT INSTALLED
11      HECI_ERROR
100     DISCOVERY_VULNERABLE_NOT_PATCHED    Platform is vulnerable
101     DISCOVERY_NOT_VULNERABLE_PATCHED    Platform is not vulnerable, it has been patched
200     DISCOVERY_UNKNOWN                   Unable to determine platform vulnerability
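As an added example (not part of the original post, and not Intel's or PDQ's own code), the PowerShell wrapper below runs the console detection tool and turns its exit code into a readable verdict using the return codes above, then exits with the tool's own code so a PDQ Deploy step's Success Codes list behaves exactly as it would when calling the tool directly. The tool path is an assumption that mirrors the package's $(Repository) layout, and the script assumes the console tool exits on its own without waiting for keyboard input.

```powershell
# Added example, not from the original post or from Intel's tool: run the
# INTEL-SA-00086 console detection tool and translate its exit code into the
# statuses listed in section 2.11 of INTEL-SA-00086_Detection_UG.pdf.
# Assumptions: the default tool path mirrors the package's $(Repository) layout
# (adjust to your repository root), and the console tool exits without prompting.
param(
    [string]$ToolPath = 'C:\PDQRepository\Intel\SA00086_Windows\DiscoveryTool\Intel-SA-00086-console.exe'
)

# Return codes exactly as listed in the detection user guide. Codes 10 and 11
# carry no meaning text in the guide's table, so this wrapper treats them as
# inconclusive rather than as "not vulnerable".
$ReturnCodes = @{
    0   = @{ Status = 'NOTVULNERABLE | STATUS_OK';        Meaning = 'Platform is not vulnerable' }
    10  = @{ Status = 'HECI NOT INSTALLED';                Meaning = '' }
    11  = @{ Status = 'HECI_ERROR';                        Meaning = '' }
    100 = @{ Status = 'DISCOVERY_VULNERABLE_NOT_PATCHED';  Meaning = 'Platform is vulnerable' }
    101 = @{ Status = 'DISCOVERY_NOT_VULNERABLE_PATCHED';  Meaning = 'Platform is not vulnerable, it has been patched' }
    200 = @{ Status = 'DISCOVERY_UNKNOWN';                 Meaning = 'Unable to determine platform vulnerability' }
}

function Get-IntelSa00086Status {
    param([string]$Path = $ToolPath)

    if (-not (Test-Path -Path $Path)) {
        throw "Detection tool not found at '$Path'. Extract it into the repository first (step 5)."
    }

    # Run the tool to completion and read its exit code; stdout is not needed
    # because the verdict is carried entirely by the return code.
    $proc  = Start-Process -FilePath $Path -Wait -PassThru -NoNewWindow
    $code  = $proc.ExitCode
    $entry = $ReturnCodes[$code]

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        ExitCode     = $code
        Status       = if ($null -ne $entry) { $entry.Status }  else { 'UNDOCUMENTED' }
        Meaning      = if ($null -ne $entry) { $entry.Meaning } else { 'Code not listed in the user guide' }
        # 100 is the only code that positively identifies an unpatched platform.
        Vulnerable   = ($code -eq 100)
        # Anything that is neither a clean verdict nor 100 needs a manual look.
        Inconclusive = ($null -eq $entry) -or ($code -in @(10, 11, 200))
    }
}

# Usage: print the verdict, then propagate the tool's own exit code so a
# deployment step without 100 in its Success Codes (see NOTES above) fails
# on vulnerable computers.
$result = Get-IntelSa00086Status
$result | Format-List
exit $result.ExitCode
```

Because the script re-emits the tool's exit code unchanged, it can be dropped into the package's ‘Step 2 – Run the detection tool’ in place of the bare executable without changing how the Success Codes list is interpreted; the Vulnerable and Inconclusive fields are there so that codes 10, 11 and 200 are not quietly counted as clean results.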

Please be aware that although this solution worked in our environment, it is being presented to you, as is. We are unable to guarantee it will work in your environment.

