13 Replies Latest reply on Jan 16, 2018 5:45 PM by Intel Corporation

    INTEL-SA-00075 Detection does not detect status in registry

    Tomasz.Wozniak

      Hello,

      I am about to scan our environment in order to check the status on the client. I downloaded the tool from Download INTEL-SA-00075 Detection and Mitigation Tool. At first glance it seems to work correctly. The GUI version, the XML file and the console version show the vulnerability status. The problem is with the registry. The system information is missing.

      How am I supposed to collect the inventory information at large scale if the vulnerability status is not written in the registry?

      Here are the exported values from the registry:

       

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool]

      "Scan Date"="30/11/2017 13:34:52"

      "Computer Name"="Test"

      "Application Version"="1.0.1.39"

      [HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\Hardware Inventory]

      "Computer Manufacturer"="HP"

      "Computer Model"="HP ZBook 15 G3"

      "Processor"="Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz"

       

       

      [HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\ME Firmware Information]

      "ME Version"="11.0.18.3003"

      "ME Version Major"=dword:0000000b

      "ME Version Minor"=dword:00000000

      "ME Version Build"=dword:00000bbb

      "ME Version Hotfix"=dword:00000012

      "ME SKU"="Intel(R) Full AMT Manageability"

      "ME Provisioning State"="Provisioned"

      "ME Driver Installed"="True"

      "LMS State"="NotPresent"

      "Micro LMS State"="Running"

      "EHBC Enabled"="False"

      "Control Mode"="Admin"

      "Is CCM Disabled"="False"

       

      And from the WOW6432Node:

       

      [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool]

      "Scan Date"="30/11/2017 13:34:52"

      "Computer Name"="WPLCND708524T"

      "Application Version"="1.0.1.39"

       

       

      [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\Hardware Inventory]

      "Computer Manufacturer"="HP"

      "Computer Model"="HP ZBook 15 G3"

      "Processor"="Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz"

       

       

      [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\ME Firmware Information]

      "ME Version"="11.0.18.3003"

      "ME Version Major"=dword:0000000b

      "ME Version Minor"=dword:00000000

      "ME Version Build"=dword:00000bbb

      "ME Version Hotfix"=dword:00000012

      "ME SKU"="Intel(R) Full AMT Manageability"

      "ME Provisioning State"="Provisioned"

      "ME Driver Installed"="True"

      "LMS State"="NotPresent"

      "Micro LMS State"="Running"

      "EHBC Enabled"="False"

      "Control Mode"="Admin"

      "Is CCM Disabled"="False"

       

      Any ideas ?

      Thanks

      Tomasz

        • 1. Re: INTEL-SA-00075 Detection does not detect status in registry
          Intel Corporation
          This message was posted on behalf of Intel Corporation

          Hi Tomasz,

          Are you using SCCM as part of your manageability suite for your clients?  Or any sort of central management tool?

          Regards,
          Michael

          • 2. Re: INTEL-SA-00075 Detection does not detect status in registry
            Tomasz.Wozniak

            Hi Michael,

             

            We use the Altiris ITMS suite for endpoint management. I run the utility from the command line with elevated admin rights.

            I have even downloaded version 1.0.3.215 of the tool (not sure why Intel maintains links to many versions of the same tool), but the problem persists. The vulnerability status is not saved in the registry.

            Another issue I found with the Intel tool: they do not offer a quiet switch. The unexpected popup windows on the client computers are not acceptable.

            As a workaround I am going to use the Intel® SCS System Discovery Utility instead, then use the criteria from the PDF documentation to determine if a system is vulnerable to INTEL-SA-00075.

            I am going to use the same approach to determine if a system is vulnerable to INTEL-SA-00086. The table in the user guide says the system is vulnerable if ME Versions 11.x.x.x with SVN < 3. It does not explain what SVN stands for. It does not give any example either. I assume we are talking about the build number.

            The problem with the INTEL-SA-00086 detection tool is that it writes the status in the registry in the local language, for instance: "Dieses System hat keine Sicherheitslücken". In a global international environment that is not really preferable for mass deployment.

            These tools are not developed with IT pro admins in mind, from my point of view.

             

            Could you assist further, please ?

            Thanks,

            Tomasz

            • 3. Re: INTEL-SA-00075 Detection does not detect status in registry
              Intel Corporation
              This message was posted on behalf of Intel Corporation

              Hi Tomasz,

              To get around the issue of the unexpected popup, you can use "console.exe", which is included in the detection and mitigation tool; however, it will not appear until you install it.  It will be in the same location as the webui.

              Not writing vulnerable/not vulnerable is by design.  Rather, if you run a discovery on your systems, there will be a registry key that gets written:
              HKLM\SOFTWARE\Intel\Setup and Configuration Software\ManageabilityInfo
              String Value = FWVersion =

              You can then check that registry value and cross-reference it against the .pdf.  And I believe I'm just confirming what you are planning on doing anyway, based on what you wrote.

              I will get further clarification on SVN, as I agree it can be made clearer, and post a response.

              Regards,
              Michael


               

              • 4. Re: INTEL-SA-00075 Detection does not detect status in registry
                Tomasz.Wozniak

                Hi Michael,

                 

                Thanks for the response.

                I do use the console version. I am talking about the tool itself. It does not offer a quiet switch parameter, something like /quiet, /silent, etc. If you go to the Start menu and run it, it still opens in a new window even if you choose -c (no console output).

                "Not writing vulnerable/not vulnerable is by design". Again, a lack of consistency. The version 00086 does write the status in the registry.

                Windows Registry Editor Version 5.00

                [HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool\System Status]

                "System Risk"="This system is vulnerable."

                 

                What's more, after applying the firmware fix the tool crashes.

                PS C:\temp\Intel-SA-00086> .\Intel-SA-00086-console.exe

                INTEL-SA-00086 Detection Tool will start analysis in 8sec.

                 

                Unhandled Exception: System.NullReferenceException: Object reference not set to an instance of an object.

                   at DiscoveryTool.DataAccess.IclsUtils.IsIclsRunning() in D:\buildagent_prod\workspace\10060\apps\PRTSW\SA00086_Discovery\SA0086_Windows\src\product\DiscoveryTool\DataAccess\IclsUtils.cs:line 35

                   at DiscoveryTool.BizLogic.SetReKeyStatus() in D:\buildagent_prod\workspace\10060\apps\PRTSW\SA00086_Discovery\SA0086_Windows\src\product\DiscoveryTool\BizLogic.cs:line 149

                   at DiscoveryTool.CLI.Program.Main(String[] args) in D:\buildagent_prod\workspace\10060\apps\PRTSW\SA00086_Discovery\SA0086_Windows\src\product\DiscoveryTool.CLI\Program.cs:line 109

                 

                I stick to my opinion that this specific Intel software is very low quality and not developed with IT Pro Admins in mind.

                I appreciate your clarification on the FWVersion and the logic behind the SVN value.

                 

                Regards,

                Tomasz

                • 5. Re: INTEL-SA-00075 Detection does not detect status in registry
                  Intel Corporation
                  This message was posted on behalf of Intel Corporation

                  Hi Tomasz,

                  Appreciate your feedback.  I have shared your post with the developers.  I'm also waiting for a response and will post when I receive one.

                  Regards,
                  Michael

                  • 6. Re: INTEL-SA-00075 Detection does not detect status in registry
                    Tomasz.Wozniak

                    Hello Michael,

                     

                    I have run the inventory task with the SCS System Discovery tool. The first results are coming in. So far I have received the following FW versions in my environment.

                     

                    10.0.30.1072

                    10.0.37.1000

                    10.0.50.1004

                    11.0.0.1191

                    11.0.0.1194

                    11.0.0.1202

                    11.0.0.1205

                    11.0.12.1008

                    11.0.18.1002

                    11.0.18.3003

                    11.0.22.3001

                    11.0.22.3001

                    11.0.25.3001

                    11.0.27.3000

                    11.6.12.3202

                    11.6.29.3287

                    11.8.50.3425

                    5.0.3.1126

                    5.2.1.1001

                    8.0.10.1464

                    8.0.3.1427

                    8.0.4.1441

                    8.1.0.1265

                    8.1.30.1350

                    8.1.31.1351

                    9.0.22.1467

                    9.0.31.1487

                    9.1.0.1120

                    9.1.20.1035

                    9.1.25.1005

                    9.1.37.1002

                    9.1.41.3024

                    9.1.42.3002

                    9.5.12.1688

                    9.5.15.1730

                     

                    I still have no idea what the SVN value is.

                    Could you advise/clarify what logic should be used to determine whether a given PC is still vulnerable to SA-00075 and SA-00086, please?

                    Is there any way we, as an enterprise company, can open a support call instead of using a public forum?

                     

                    Thank you.

                    Tomasz

                    • 7. Re: INTEL-SA-00075 Detection does not detect status in registry
                      Intel Corporation
                      This message was posted on behalf of Intel Corporation

                      Hi Tomasz,

                      I will send a personal message via e-mail to set up a support call.

                      Regards,
                      Michael

                      • 8. Re: INTEL-SA-00075 Detection does not detect status in registry
                        NickPifer86

                        Hello, I am also receiving the same errors when attempting to run the detection tool in my environment. Was a fix found? Tomasz.Wozniak

                         

                        Below is my output log:

                        INTEL-SA-00086 Detection Tool will start analysis in 8sec.

                        Unhandled Exception: System.NullReferenceException: Object reference not set to an instance of an object.

                           at DiscoveryTool.DataAccess.IclsUtils.IsIclsRunning() in D:\buildagent_prod\workspace\10060\apps\PRTSW\SA00086_Discovery\SA0086_Windows\src\product\DiscoveryTool\DataAccess\IclsUtils.cs:line 35

                           at DiscoveryTool.BizLogic.SetReKeyStatus() in D:\buildagent_prod\workspace\10060\apps\PRTSW\SA00086_Discovery\SA0086_Windows\src\product\DiscoveryTool\BizLogic.cs:line 149

                           at DiscoveryTool.CLI.Program.Main(String[] args) in D:\buildagent_prod\workspace\10060\apps\PRTSW\SA00086_Discovery\SA0086_Windows\src\product\DiscoveryTool.CLI\Program.cs:line 109

                         

                        It's also returning an error code -1073741819 if that means anything.

                        • 9. Re: INTEL-SA-00075 Detection does not detect status in registry
                          Intel Corporation
                          This message was posted on behalf of Intel Corporation

                          Hi NickPifer86,

                          Looking further into this, we'd like to have the following information:

                          1.  What system make/model are you running this on or is it occurring on multiple systems?  If multiple systems, can you provide us with a few makes and models?
                          2.  What operating system are you running on this(these) systems?
                          3.  How are you running the tool?  Are you using command options or running the gui version?

                          Regards,
                          Michael
                           

                          • 10. Re: INTEL-SA-00075 Detection does not detect status in registry
                            Tomasz.Wozniak

                            Hello Michael,

                             

                            Thank you for the support session.

                            Based on your clarifications on the logic rules I was able to determine the vulnerability status. I copy them here so others may benefit too.

                            SA-00075 Any major version AMT 6-11 will be impacted

                            Major  Minor  Hotfix  Version Build

                             

                            Two numbers to key off of are "Major" and "Build"

                            SA-00075

                            Major between 6-11

                            and

                            Version Build >3000

                            If conditions are met, given systems are NOT vulnerable

                             

                            SA-00086

                            If conditions are met, systems are vulnerable

                            ME Versions 11.x.x.x with SVN < 3

                            ME Version 10.x.x.x < 10.0.56.3002*

                            ME Version 9.5.x.x < 9.5.61.3012*

                            ME Version 9.0.x.x < 9.1.42.3002*

                            ME Version 8.x.x.x < 8.1.72.3002*

                             

                            The following SQL queries target my vulnerable systems.

                            --Intel SA-00075
                            SELECT vc.Name
                              ,hw.Model
                              ,vpro.[FWVersion]
                              ,Right(vpro.FWVersion,4) as Build
                              FROM vComputer vc
                              left join [Symantec_CMDB].[dbo].[Inv_vPro] vpro on vpro._ResourceGuid = vc.Guid
                              left join vHWComputerSystem hw on hw._ResourceGuid = vc.Guid
                              where
                              (
                                   vpro.FWVersion like '6%'
                                or vpro.FWVersion like '7%'
                                or vpro.FWVersion like '8%'
                                or vpro.FWVersion like '9%'
                                or vpro.FWVersion like '10%'
                                or vpro.FWVersion like '11%'
                              )
                              and Right(vpro.FWVersion,4) < 3000

                             

                             

                            --Intel SA-00086
                            SELECT vc.Name
                              ,vc.[OS Name]
                              ,hw.Model
                              ,vpro.[FWVersion]
                              FROM vComputer vc
                              left join [Symantec_CMDB].[dbo].[Inv_vPro] vpro on vpro._ResourceGuid = vc.Guid
                              left join vHWComputerSystem hw on hw._ResourceGuid = vc.Guid
                              where vc.IsManaged = 1
                              and
                              (
                                (vpro.FWVersion like '11%' and Right(vpro.FWVersion,4) < 3000)
                                or
                                (vpro.FWVersion between '10.0.0.0' and '10.0.56.3001')
                                or
                                (vpro.FWVersion between '9.5.0.0' and '9.5.61.3011')
                                or
                                (vpro.FWVersion between '9.0.0.0' and '9.1.42.3001')
                                or
                                (vpro.FWVersion between '8.0.0.0' and '8.1.72.3001')
                                or
                                (vpro.FWVersion like '7%' and (vpro.AMTSKU = 'Intel(R) Full AMT Manageability' or vpro.AMTSKU = 'Full AMT Manageability'))
                                or
                                (vpro.FWVersion like '6%' and (vpro.AMTSKU = 'Intel(R) Full AMT Manageability' or vpro.AMTSKU = 'Full AMT Manageability'))
                              )

                             

                            Of course your database may look different, but you get the idea.

                            As for the detection tools for SA-00075 and SA-00086, I am not going to use them.

                             

                            For me the subject can be closed.

                            Thanks

                            Tomasz
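
As an added example (not part of the original posts, not Intel's tool and not the poster's query), the version rules quoted in reply 10 can be applied to exported FWVersion strings by comparing the four components as integers; compared as plain strings, '10.0.6.1000' sorts after '10.0.56.3001'. The function names are hypothetical, the 11.x SVN check and the SKU-based 6.x/7.x branch are not evaluated, and the sample value 10.0.6.1000 is constructed.

```python
"""Added example: apply the thread's version rules to FWVersion strings."""

# (lowest version in family, first fixed version), taken from reply 10
SA00086_RANGES = [
    ((10, 0, 0, 0), (10, 0, 56, 3002)),
    ((9, 5, 0, 0), (9, 5, 61, 3012)),
    ((9, 0, 0, 0), (9, 1, 42, 3002)),
    ((8, 0, 0, 0), (8, 1, 72, 3002)),
]


def parse_fw(version):
    """'11.0.18.3003' -> (11, 0, 18, 3003): Major, Minor, Hotfix, Build."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unexpected FWVersion format: {version!r}")
    return tuple(int(p) for p in parts)


def sa00075_flagged(version):
    """Major 6-11 with a build below 3000, as in the thread's SA-00075 query.

    The prose rule says "Build >3000" is fixed while the query flags "< 3000";
    a build of exactly 3000 is treated here the way the query treats it.
    """
    major, _minor, _hotfix, build = parse_fw(version)
    return 6 <= major <= 11 and build < 3000


def sa00086_status(version):
    """'flagged', 'not_flagged', or 'needs_svn' for 11.x (SVN is not in FWVersion)."""
    v = parse_fw(version)
    if v[0] == 11:
        return "needs_svn"
    # Tuples compare component by component as integers.
    if any(low <= v < fixed for low, fixed in SA00086_RANGES):
        return "flagged"
    return "not_flagged"


def string_in_range(version, low, high):
    """Character-by-character comparison of the raw strings, for contrast."""
    return low <= version <= high


def classify(versions):
    """Map each version string to (SA-00075 flagged?, SA-00086 status)."""
    return {v: (sa00075_flagged(v), sa00086_status(v)) for v in versions}


if __name__ == "__main__":
    # The first five values appear in the thread; 10.0.6.1000 is constructed.
    sample = ["11.0.0.1191", "11.0.18.3003", "10.0.50.1004",
              "9.1.42.3002", "5.0.3.1126", "10.0.6.1000"]
    for fw, (sa75, sa86) in classify(sample).items():
        print(f"{fw:14} SA-00075 flagged={sa75!s:5} SA-00086={sa86}")
    print(string_in_range("10.0.6.1000", "10.0.0.0", "10.0.56.3001"))
```
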

                             

                            • 11. Re: INTEL-SA-00075 Detection does not detect status in registry
                              Intel Corporation
                              This message was posted on behalf of Intel Corporation

                              Hi Tomasz,

                              This looks really good and hopefully others can use this also.  Thank you for your contributions here and it was a pleasure meeting with you.

                              Regards,
                              Michael

                              • 12. Re: INTEL-SA-00075 Detection does not detect status in registry
                                NickPifer86

                                Hi Michael. Of course, here you go:

                                 

                                1-Dell Optiplex 3050s, once the firmware update has already been run. We're using BIOS version 1.7.4 to patch the Optiplexes.

                                2-Windows 10, version 1607 (The anniversary update)

                                3-I'm using a PDQ deploy package which simply runs "Intel-SA-00086-console.exe -c" using a service account which has local admin on my workstations.

                                • 13. Re: INTEL-SA-00075 Detection does not detect status in registry
                                  Intel Corporation
                                  This message was posted on behalf of Intel Corporation

                                  Hi NickPifer86,

                                  I apologize for asking you to do this.  I would do it for you, but I do not have your contact information.  I would like to get the log file that is created when you run the tool (the .htm file created in the directory you run the tool from). However, I do not know your comfort level with posting that file on a public forum, so if you are uncomfortable, would you mind opening a ticket on our support site here:

                                  https://www.intel.com/content/www/us/en/support/contact-support.html#@17

                                  You can send me a personal message to let me know your ticket number...

                                  Regards,
                                  Michael