
Detecting the INTEL-SA-00086 Vulnerability using PDQ Products

Colby Bouma

Intel has released the INTEL-SA-00086 Detection Tool so you can identify which computers are vulnerable to the recently found Intel® Management Engine (ME) security vulnerabilities. For those who have been living under a rock, a number of vulnerabilities have been discovered in Intel chips, yes, physical chips.


Here’s how you can use PDQ Deploy and Inventory to run Intel’s tool and report on its findings.

Eleven Easy Steps

1. Download and unzip the Collections, Reports, and Scan Profile I’ve created for you.

2. In PDQ Inventory, with Reports selected in the tree, import all three files. (File > Import or Ctrl+I).

3. PDQ Inventory will now include a Reports folder with three reports, four collections, and a scan profile all starting with the titles ‘Intel SA-00086’.

Intel SA 00086 Reports and Collections

Intel SA 00098 Scan Profile

4. Download the INTEL-SA-00086 Detection Tool.

5. Extract the Detection Tool into your PDQ Deploy Repository. The package looks for this by default: $(Repository)\Intel\SA00086_Windows\DiscoveryTool\Intel-SA-00086-console.exe

6. Download and unzip the Package I’ve created for you.

7. Import the package into PDQ Deploy. (File > Import or Ctrl+I).

8. Open the Package Properties and go to the Options tab. Set to Scan After Deploy using the Scan Profile named Intel SA-00086.

Scanning selected in Intel SA 00098 package

9. Save and close.

10. Deploy the Package, choosing the ‘Intel SA-00086 – Not Scanned’ collection from PDQ Inventory as your target.

11. Return to PDQ Inventory and check the Collections and/or Reports for vulnerable computers once the deployment and scans finish.

NOTES: I recommend only running this against physical machines vs. virtual machines. Additionally, if you are running a version of PDQ Deploy other than 15.3, you should remove 100 from your Success Code list so the Package will fail on vulnerable computers.

If you do not have PDQ Inventory, you can still use the PDQ Deploy package. You will need to edit the package and remove ‘100’ from the Success Codes listed in ‘Step 2 – Run the detection tool’. Deploy to all computers.

INTEL-SA-00086 Return Codes

Here is a breakdown of the Return Codes as specified by section 2.11 of INTEL-SA-00086_Detection_UG.pdf in the detection tool files.

| Number | Status | Meaning |
|---|---|---|
| 10 | HECI NOT INSTALLED | |
| 11 | HECI_ERROR | |
| 100 | DISCOVERY_VULNERABLE_NOT_PATCHED | Platform is vulnerable |
| 101 | DISCOVERY_NOT_VULNERABLE_PATCHED | Platform is not vulnerable, it has been patched |
| 200 | DISCOVERY_UNKNOWN | Unable to determine platform vulnerability |
| 0 | NOTVULNERABLE \| STATUS_OK | Platform is not vulnerable |
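As an added example (not part of the PDQ package or Intel's tool), the PowerShell wrapper below runs the detection tool on the local machine and turns its return code into one of three verdicts using the return codes listed above. The `$ToolDir` default, the verdict names, and the choice to treat codes 10, 11, 200 and any unlisted code as undetermined rather than clean are assumptions made for this example.

```powershell
# Added example: local wrapper around Intel-SA-00086-console.exe.
param(
    # Assumption: folder the tool was extracted to (the step 5 layout, relative to the repository root).
    [string]$ToolDir = '.\Intel\SA00086_Windows\DiscoveryTool'
)

# Status names come from the return code table on this page.
# The Verdict values are this example's own grouping (assumption).
$ReturnCodes = @{
    0   = @{ Status = 'NOTVULNERABLE | STATUS_OK';        Verdict = 'NotVulnerable' }
    10  = @{ Status = 'HECI NOT INSTALLED';               Verdict = 'Undetermined'  }
    11  = @{ Status = 'HECI_ERROR';                       Verdict = 'Undetermined'  }
    100 = @{ Status = 'DISCOVERY_VULNERABLE_NOT_PATCHED'; Verdict = 'Vulnerable'    }
    101 = @{ Status = 'DISCOVERY_NOT_VULNERABLE_PATCHED'; Verdict = 'NotVulnerable' }
    200 = @{ Status = 'DISCOVERY_UNKNOWN';                Verdict = 'Undetermined'  }
}

$exe = Join-Path $ToolDir 'Intel-SA-00086-console.exe'
if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
    Write-Error "Detection tool not found at $exe"
    exit 1   # arbitrary code for this example; not one of the tool's return codes
}

# Run the tool with no arguments, discard its console output, keep the exit code.
& $exe | Out-Null
$code = $LASTEXITCODE

# A code missing from the table is reported as undetermined, never as clean.
$entry = $ReturnCodes[$code]
if (-not $entry) {
    $entry = @{ Status = 'UNLISTED'; Verdict = 'Undetermined' }
}

# One object per machine, easy to collect or export to CSV.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    ReturnCode   = $code
    Status       = $entry.Status
    Verdict      = $entry.Verdict
}

# Pass the tool's own code through so a deployment tool's Success Codes list still applies.
exit $code
```

Because the script exits with the tool's original code, removing 100 from a Success Codes list still makes vulnerable machines show up as failures.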


Please be aware that although this solution worked in our environment, it is being presented to you, as is. We are unable to guarantee it will work in your environment.

