Detecting the INTEL-SA-00086 Vulnerability using PDQ Products

Intel has released the INTEL-SA-00086 Detection Tool so you can identify which computers are vulnerable to the recently found Intel® Management Engine (ME) security vulnerabilities. For those that have been living under a rock, a number of vulnerabilities have been discovered in Intel chips, yes, physical chips.

McGyver meme: Nobody panic I got this

Here’s how you can use PDQ Deploy and Inventory to run Intel’s tool and report on its findings.

Eleven Easy Steps

  1. Download and unzip the Collections, Reports, and Scan Profile I’ve created for you.
  2. In PDQ Inventory, with Reports selected in the tree, import all three files. (File > Import or Ctrl+I).
  3. PDQ Inventory will now include a Reports folder with three reports,  four collections, and a scan profile all starting with the titles ‘Intel SA-00086’.
    Intel-SA-00086 Reports and Collections
    Intel-SA-00098 Scan Profile
  4. Download the INTEL-SA-00086 Detection Tool.
  5. Extract the Detection Tool into your PDQ Deploy Reposiotry. The package looks for this by default: $(Repository)\Intel\SA00086_Windows\DiscoveryTool\Intel-SA-00086-console.exe
  6. Download and unzip the Package I’ve created for you.
  7. Import the package into PDQ Deploy. (File > Import or Ctrl+I).
  8. Open the Package Properties and go to the Options tab. Set to Scan After Deploy using the Scan Profile named Intel SA-00086.
    Scanning selected in Intel-SA-00098 package
  9. Save and close.
  10. Deploy the Package, choosing the ‘Intel SA-00086 – Not Scanned’ collection from PDQ Inventory as your target.
  11. Return to PDQ Inventory and check the Collections and/or Reports for vulnerable computers once the deployment and scans finish.

NOTES: I recommend only running this against physical machines vs. virtual machines. Additionally, if you are running a version of PDQ Deploy other than 15.3, you should remove 100 from your Success Code list so the Package will fail on vulnerable computers.

If you do not have PDQ Inventory, you can still use the PDQ Deploy package. You will need to edit the package and remove ‘100’ from the Success Codes listed in ‘Step 2 – Run the detection tool’. Deploy to all computers.

INTEL-SA-00086 Return Codes

Here is a breakdown of the Return Codes as specified by section 2.11 of INTEL-SA-00086_Detection_UG.pdf in the detection tool files.

Number Status Meaning
0 NOTVULNERABLE | STATUS_OK Platform is not vulnerable
10 HECI NOT INSTALLED
11 HECI_ERROR
100 DISCOVERY_VULNERABLE_NOT_PATCHED Platform is vulnerable
101 DISCOVERY_NOT_VULNERABLE_PATCHED Platform is not vulnerable, it has been patched
200 DISCOVERY_UNKNOWN Unable to determine platform vulnerablity

Please be aware that although this solution worked in our environment, it is being presented to you, as is. We are unable to guarantee it will work in your environment.



Follow @admarsenal on Twitter

4 responses

  • Colby – nice work. Very thorough. Had a little feedback. I’m using PDQ Inventory 12.4. Noticed that your scan profile report packages you created automatically scanned systems I had in my PDQ inventory and placed them under the – not vulnerable collection without having to run the Intel-SA-00086-console that I placed in the repository. That being said, any system I try to add to the – not scanned collection is in fact checked and placed under the – not vulnerable collection. Hope this make sense.

    • Ah, it’s because you’re using Inventory 12.4. My collections use the CPU table which was introduced in Inventory 13.1.0.0.

  • Thank you. I updated both my PDQ Deploy and Inventory and all seems to be working just fine. If I ran a deploy of the SA-00086 Console scanner to the Active Directory Collection folder would this still work in filtering the SA-00086 collections by relocating the NOT SCANNED to VULNERABLE or NOT VULNERABLE collection? Wondering if the collections only work if you scan against the NOT SCANNED collection per your instructions above.

    • The filtering will work no matter which collection you deploy to. I just recommend using the collection I provided because it filters out virtual machines because the detection tool gets stuck on them.

Respond to Colby Bouma Cancel response

Your email address will not be published.

Your Name