Security Issue - Intel management Engine (Intel-SA-00086)

Intel has come out with a critical update - Intel-SA-00086

https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

How serious is this?
Is this required for users who are using wired connections or
users who are connecting wirelessly need be concerned
what is the best way to find out the type of processors in an organization and the best way to implement this.

Thank you.
cgeorgeisaacAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

McKnifeCommented:
Hi.

Honestly, if you don't understand Intel's documentation, best would be to just use the test tool and if if finds your system is vulnerable, just install the patch. The intel ME is a very, very complicated matter, because intel does not offer documentation for it. But yes, it is dangerous, if you are affected.

If you need to test a whole network, I can offer a script for that.
1
cgeorgeisaacAuthor Commented:
Thanks for your prompt reply McKnife. Would really appreciate if you could share that script.
0
McKnifeCommented:
I will send me a reminder to my office and offer it within 12 hours. It uses the command line, so you can use is as a startup script that computers execute at boot time.
0
Increase Security & Decrease Risk with NSPM Tools

Analyst firm, Enterprise Management Associates (EMA) reveals significant benefits to enterprises when using Network Security Policy Management (NSPM) solutions, while organizations without, experienced issues including non standard security policies and failed cloud migrations

cgeorgeisaacAuthor Commented:
Sounds good.  If I may ask, do you have similar script that can push out the 2 patches released by Intel - the FW and Driver in my  network.
0
McKnifeCommented:
Yes, I have, but that will only work for certain hardware in my office and not in general. But it will give you an idea - will share as well.
0
McKnifeCommented:
Ok, download https://downloadcenter.intel.com/downloads/eula/27150/Intel-SA-00086-Detection-Tool?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F27150%2Feng%2FSA00086_Windows.zip and extract it to \\server\share, so that
dir \\server\share should be 

Open in new window

11/27/2017  10:20 AM    <DIR>          .
11/27/2017  10:20 AM    <DIR>          ..
11/24/2017  06:08 PM    <DIR>          DiscoveryTool
11/24/2017  06:08 PM    <DIR>          DiscoveryTool.AppPackage
11/24/2017  06:09 PM    <DIR>          DiscoveryTool.GUI
11/24/2017  06:09 PM    <DIR>          Documents
Then add the following lines to your domain startup script:
net use x: \\server\share
x:\DiscoveryTool\Intel-SA-00086-console.exe
rem This will analyse the machine and create an outputfile on that share in DiscoveryTool named SA-00086-%computername%*.xml
rem Now you will need to look at the output to see if you are affected.
findstr x:\DiscoveryTool\SA-00086-%computername%*.xml /c:"errortolookfor_language_dependent" && echo>x:\%computername%.txt
net use x: /delete

Open in new window

ATTENTION: "errortolookfor_language_dependent" needs to be the correct one for your language. For english: "This system is not vulnerable"
Result: \\server\share will eventually hold text files named like the affected (=vulnerable) computers.

Now for patching: you need to get the new firmware forthe intel ME of  your computer model and install it. Example: you have a setup.bat that installs it lying on \\server\share. Call it like this, again from that startup script:
if exist \\server\share\%computername%.txt do \\server\share\setup.bat

Open in new window

This will of course need to be the right update for your model, so you might need to use different scripts that determine the model, first.

And please note: if during the ME update the machine gets shutdown, the firmware might not install correctly which could render the intel ME defective! The update process is very quick, less than 1 minute.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
cgeorgeisaacAuthor Commented:
Thank you so much.  Highly appreciated.
0
McKnifeCommented:
You are welcome. Feel free to ask for further advice.
0
McKnifeCommented:
Edit: The english string to look for is of course "This system is vulnerable". Sorry for that and please verify it.
0
cgeorgeisaacAuthor Commented:
Will do. Thanks once again.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Security

From novice to tech pro — start learning today.