Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2827 Discussions

NTEL-SA-00075 Detection does not detect status in registry

TWoźn1
Beginner
3,267 Views

Hello,

I am about to scan our enviroment in order to check the status on the client. I downloaded the tool from https://downloadcenter.intel.com/download/26755/INTEL-SA-00075-Detection-and-Mitigation-Tool .Download INTEL-SA-00075 Detection and Mitigation Tool . At first glance it seems to work correctly. The Gui version, the xml file and the console version shows the vulnerability status. The problem is about registry. The system information is missing.

How am I supposed to collect the inventory information at large scale if the vulnerability status is not written in registry ?

Here is the exported values from the registry

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool]

"Scan Date"="30/11/2017 13:34:52"

"Computer Name"="Test"

"Application Version"="1.0.1.39"

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\Hardware Inventory]

"Computer Manufacturer"="HP"

"Computer Model"="HP ZBook 15 G3"

"Processor"="Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz"

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\ME Firmware Information]

"ME Version"="11.0.18.3003"

"ME Version Major"=dword:0000000b

"ME Version Minor"=dword:00000000

"ME Version Build"=dword:00000bbb

"ME Version Hotfix"=dword:00000012

"ME SKU"="Intel(R) Full AMT Manageability"

"ME Provisioning State"="Provisioned"

"ME Driver Installed"="True"

"LMS State"="NotPresent"

"Micro LMS State"="Running"

"EHBC Enabled"="False"

"Control Mode"="Admin"

"Is CCM Disabled"="False"

And from WoW3264 node

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool]

"Scan Date"="30/11/2017 13:34:52"

"Computer Name"="WPLCND708524T"

"Application Version"="1.0.1.39"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\Hardware Inventory]

"Computer Manufacturer"="HP"

"Computer Model"="HP ZBook 15 G3"

"Processor"="Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\ME Firmware Information]

"ME Version"="11.0.18.3003"

"ME Version Major"=dword:0000000b

"ME Version Minor"=dword:00000000

"ME Version Build"=dword:00000bbb

"ME Version Hotfix"=dword:00000012

"ME SKU"="Intel(R) Full AMT Manageability"

"ME Provisioning State"="Provisioned"

"ME Driver Installed"="True"

"LMS State"="NotPresent"

"Micro LMS State"="Running"

"EHBC Enabled"="False"

"Control Mode"="Admin"

"Is CCM Disabled"="False"

Any ideas ?

Thanks

Tomasz

0 Kudos
13 Replies
idata
Employee
1,572 Views

Hi Tomasz,

 

 

Are you using SCCM as part of your manageability suite for your clients? Or any sort of central management tool?

 

 

Regards,

 

Michael
0 Kudos
TWoźn1
Beginner
1,572 Views

Hi Michael,

We use Altiris ITMS suite for the end points management. I run the utility from command line with elevated admin rights.

I have even downloaded the version 1.0.3.215 of the tool (not sure why Intel maintain links to many versions of the same tool), but the problem persists. The vulnerability status is not saved in registry.

Another issue I found with the Intel tool, they do not offer quiet switch. The unexpected popup windows on the client computers are not acceptable.

As the workaround I am going to use the Intel® SCS System Discovery Utility instead. Then use the criteria to determine if a system is vulnerable to INTEL-SA-00075 from PDF documentation.

I am going to use the same approach to determine if a system is vulnerable to INTEL-SA-00086. The user guide in the table say the system is vulnerable if ME Versions 11.x.x.x with SVN < 3. It does not explain what SVN stands for ? It does not give any example either. I assume we are talking about build number.

The problem with INTEL-SA-00086 detection tool is, it writes the status in registry in local language for instance: "Dieses System hat keine Sicherheitsl&# 129;cken". In global international environment it is not really preferable in mass deployment.

These tools are not developed for IT pro admins in mind, from my point of view.

Could you assist further, please ?

Thanks,

Tomasz

0 Kudos
idata
Employee
1,572 Views

Hi Tomasz,

 

 

to get around the issue of the unexpected popup, you can use "console.exe" which is included in the detection and mitigation tool, however, it will not appear until you install it. It will be in the same location as the webui.

 

 

Not writing vulnerable/not vulnerable is by design. Rather, if you run a discovery on your systems, there will be a registry key that get's written:

 

HKLM\SOFTWARE\Intel\Setup and Configuration Software\ManageabilityInfo

 

String Value = FWVersion =

 

 

You can then check that registry and cross reference against .pdf. And I believe I'm just confirming what you are planning on doing anyway based on what you wrote.

 

 

I will get further clarification on SVN as I agree, it can be made clearer and post a response.

 

 

Regards,

 

Michael

 

 

 

0 Kudos
TWoźn1
Beginner
1,572 Views

Hi Michael,

Thanks for the response.

I do use the console version. I am talking about the tool itself. It does not offer quiet switch parameter - something like /quiet /silent / etc. I you go to start menu then run it still opens in a new window even you choose -c - no console output.

"Not writing vulnerable/not vulnerable is by design". Again lack of consistence. The version 00086 does write the status in the registry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool\System Status]

"System Risk"="This system is vulnerable."

What's more after applying the firmware fix the tool crashes.

PS C:\temp\Intel-SA-00086> .\Intel-SA-00086-console.exe

INTEL-SA-00086 Detection Tool will start analysis in 8sec.

Unhandled Exception: System.NullReferenceException: Object reference not set to an instance of an object.

at DiscoveryTool.DataAccess.IclsUtils.IsIclsRunning() in D:\buildagent_prod\workspace\10060\apps\PRTSW\SA00086_Discovery\SA0086_Windows\src\product\DiscoveryTool\DataAccess\IclsUtils.cs:line 35

at DiscoveryTool.BizLogic.SetReKeyStatus() in D:\buildagent_prod\workspace\10060\apps\PRTSW\SA00086_Discovery\SA0086_Windows\src\product\DiscoveryTool\BizLogic.cs:line 149

at DiscoveryTool.CLI.Program.Main(String[] args) in D:\buildagent_prod\workspace\10060\apps\PRTSW\SA00086_Discovery\SA0086_Windows\src\product\DiscoveryTool.CLI\Program.cs:line 109

I stick to my opinion, that this specific Intel's software is very low quality and not developed for IT Pro Admins in mind.

I appreciate you clarification on the FWversion and the logic behind the SVN value.

Regards,

Tomasz

0 Kudos
idata
Employee
1,572 Views

Hi Tomasz,

 

 

Appreciate your feedback. I have shared your post with the developers. I'm also waiting for a response and will post when I receive one.

 

 

Regards,

 

Michael
0 Kudos
TWoźn1
Beginner
1,572 Views

Hello Michael,

I have run the inventory task with SCS System Discovery tool. The first results are coming in. So far I received the following FW version in my environment.

10.0.30.1072

10.0.37.1000

10.0.50.1004

11.0.0.1191

11.0.0.1194

11.0.0.1202

11.0.0.1205

11.0.12.1008

11.0.18.1002

11.0.18.3003

11.0.22.3001

11.0.22.3001

11.0.25.3001

11.0.27.3000

11.6.12.3202

11.6.29.3287

11.8.50.3425

5.0.3.1126

5.2.1.1001

8.0.10.1464

8.0.3.1427

8.0.4.1441

8.1.0.1265

8.1.30.1350

8.1.31.1351

9.0.22.1467

9.0.31.1487

9.1.0.1120

9.1.20.1035

9.1.25.1005

9.1.37.1002

9.1.41.3024

9.1.42.3002

9.5.12.1688

9.5.15.1730

I still have no idea what the SVN value is.

Could you advise/clarify what logic should be used to determine whether given pc is still vulnerable against SA-00075 and SA-00086, please ?

Is there any way, we as the enterprise company can open a support call, instead of using public forum ?

Thank you.

Tomasz

0 Kudos
idata
Employee
1,572 Views

Hi Tomasz,

 

 

I will send a personal message via e-mail to set up a support call.

 

 

Regards,

 

Michael
0 Kudos
NPife
Beginner
1,572 Views

Hello, I am also receiving the same errors when attempting to run the detection tool in my environment. Was a fix found? Tomasz.Wozniak

Below is my output log:

INTEL-SA-00086 Detection Tool will start analysis in 8sec.

Unhandled Exception: System.NullReferenceException: Object reference not set to an instance of an object.

at DiscoveryTool.DataAccess.IclsUtils.IsIclsRunning() in D:\buildagent_prod\workspace\10060\apps\PRTSW\SA00086_Discovery\SA0086_Windows\src\product\DiscoveryTool\DataAccess\IclsUtils.cs:line 35

at DiscoveryTool.BizLogic.SetReKeyStatus() in D:\buildagent_prod\workspace\10060\apps\PRTSW\SA00086_Discovery\SA0086_Windows\src\product\DiscoveryTool\BizLogic.cs:line 149

at DiscoveryTool.CLI.Program.Main(String[] args) in D:\buildagent_prod\workspace\10060\apps\PRTSW\SA00086_Discovery\SA0086_Windows\src\product\DiscoveryTool.CLI\Program.cs:line 109

It's also returning an error code -1073741819 if that means anything.

0 Kudos
idata
Employee
1,572 Views

Hi NickPifer86,

 

 

Looking further into this, we'd like to have the following information:

 

 

1. What system make/model are you running this on or is it occurring on multiple systems? If multiple systems, can you provide us with a few makes and models?

 

2. What operating system are you running on this(these) systems?

 

3. How are you running the tool? Are you using command options or running the gui version?

 

 

Regards,

 

Michael

 

0 Kudos
TWoźn1
Beginner
1,570 Views

Hello Michael,

Thank you for the support session.

Based on your clarifications on the logic rules I was able to determine the vulnerability status. I copy them here so others may benefit too.

SA-00075 Any major version AMT 6-11 will be impacted

Major Minor Hotfix Version Build

Two numbers to key off of are "Major" and "Build"

SA-00075

Major between 6-11

and

Version Build >3000

If conditions are met, given systems are NOT vulnerable

SA-00086

If conditions are met, systems are vulnerable

ME Versions 11.x.x.x with SVN < 3 ME Version

10.x.x.x < 10.0.56.3002* ME Version

9.5.x.x < 9.5.61.3012* ME Version

9.0.x.x < 9.1.42.3002* ME Version

8.x.x.x < 8.1.72.3002*

The following SQL queries target my vulnerable systems.

--Intel SA-00075

SELECT vc.Name

,hw.Model

,vpro.[FWVersion]

, Right(vpro.FWVersion,4) as Build

FROM vComputer vc

left join [Symantec_CMDB].[dbo].[Inv_vPro] vpro on vpro._ResourceGuid = vc.Guid

left join vHWComputerSystem hw on hw._ResourceGuid = vc.Guid

where

(

vpro.FWVersion like '6%'

or vpro.FWVersion like '7%'

or vpro.FWVersion like '8%'

or vpro.FWVersion like '9%'

or vpro.FWVersion like '10%'

or vpro.FWVersion like '11%'

)

and Right(vpro.FWVersion,4) < 3000

--Intel SA-00086

SELECT vc.Name

,vc.[OS Name]

,hw.Model

,vpro.[FWVersion]

FROM vComputer vc

left join [Symantec_CMDB].[dbo].[Inv_vPro] vpro on vpro._ResourceGuid = vc.Guid

left join vHWComputerSystem hw on hw._ResourceGuid = vc.Guid

where vc.IsManaged = 1

and

(

( vpro.FWVersion like '11%' and Right(vpro.FWVersion,4) < 3000)

or

(vpro.FWVersion between '10.0.0.0' and '10.0.56.3001')

or

(vpro.FWVersion between '9.5.0.0' and '9.5.61.3011')

or

(vpro.FWVersion between '9.0.0.0' and '9.1.42.3001')

or

(vpro.FWVersion between '8.0.0.0' and '8.1.72.3001')

or

(vpro.FWVersion like '7%' and (vpro.AMTSKU = 'Intel(R) Full AMT Manageability' or vpro.AMTSKU = 'Full AMT Manageability'))

or

(vpro.FWVersion like '6%' and (vpro.AMTSKU = 'Intel(R) Full AMT Manageability' or vpro.AMTSKU = 'Full AMT Manageability'))

)

Of course your database may look differently but you get the ideas.

As of the detection tools for SA-00075 and SA-00086 I am not going to use them.

For me the subject can be closed.

Thanks

Tomasz

0 Kudos
idata
Employee
1,570 Views

Hi Tomasz,

 

 

This looks really good and hopefully others can use this also. Thank you for your contributions here and it was a pleasure meeting with you.

 

 

Regards,

 

Michael
0 Kudos
NPife
Beginner
1,570 Views

Hi Michael. Of course, here you go:

1-Dell Optiplex 3050's, once the firmware update has already been run. We're using BIOS version 1.7.4 to patch the optiplex's.

2-Windows 10, version 1607 (The anniversary update)

3-I'm using a PDQ deploy package which simply runs "Intel-SA-00086-console.exe -c" using a service account which has local admin on my workstations.

0 Kudos
idata
Employee
1,577 Views

Hi NickPifer86,

 

 

I apologize for asking you to do this. I would for you but I do not have your contact information. Would like to get the log file that is created when you run the tool....the .htm file created in the directory you run the tool from, however, I do not know your comfort level of posting that file on a public forum, so if you are uncomfortable, would you mind opening a ticket on our support site here:

 

 

https://www.intel.com/content/www/us/en/support/contact-support.html# @17

 

 

You can send me a personal message to let me know your ticket number...

 

 

Regards,

 

Michael
0 Kudos
Reply