Security Issue - Intel Management Engine (Intel-SA-00086)

Intel has come out with a critical update - Intel-SA-00086

https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

How serious is this?
Is this required for users who are using wired connections, or
do users who are connecting wirelessly need to be concerned?
What is the best way to find out the type of processors in an organization, and the best way to implement this?

Thank you.
cgeorgeisaac Asked:
 
McKnife Commented:
OK, download https://downloadcenter.intel.com/downloads/eula/27150/Intel-SA-00086-Detection-Tool?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F27150%2Feng%2FSA00086_Windows.zip and extract it to \\server\share, so that
dir \\server\share shows

11/27/2017  10:20 AM    <DIR>          .
11/27/2017  10:20 AM    <DIR>          ..
11/24/2017  06:08 PM    <DIR>          DiscoveryTool
11/24/2017  06:08 PM    <DIR>          DiscoveryTool.AppPackage
11/24/2017  06:09 PM    <DIR>          DiscoveryTool.GUI
11/24/2017  06:09 PM    <DIR>          Documents

Then add the following lines to your domain startup script:

net use x: \\server\share
x:\DiscoveryTool\Intel-SA-00086-console.exe
rem This will analyse the machine and create an output file on that share in DiscoveryTool named SA-00086-%computername%*.xml
rem Now you will need to look at the output to see if you are affected.
findstr /c:"errortolookfor_language_dependent" x:\DiscoveryTool\SA-00086-%computername%*.xml && echo>x:\%computername%.txt
net use x: /delete


ATTENTION: "errortolookfor_language_dependent" needs to be the correct one for your language. For English: "This system is not vulnerable"
Result: \\server\share will eventually hold text files named like the affected (=vulnerable) computers.

Now for patching: you need to get the new firmware for the Intel ME of your computer model and install it. Example: you have a setup.bat that installs it lying on \\server\share. Call it like this, again from that startup script:

if exist \\server\share\%computername%.txt call \\server\share\setup.bat

This will of course need to be the right update for your model, so you might need to use different scripts that determine the model, first.

And please note: if the machine gets shut down during the ME update, the firmware might not install correctly, which could render the Intel ME defective! The update process is very quick, less than 1 minute.
0
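
The startup script above only flags machines whose report matches one string, so a machine with no report, or with a report in another language, looks the same as a safe one. The following PowerShell sketch is an added example, not part of the original answer: it classifies every expected computer using the two English strings quoted in this thread and the same SA-00086-<computername>*.xml file pattern. The function name Get-Sa00086Status, the computer list and the sample report contents are assumptions constructed for illustration.

```powershell
# Added example: classify every expected computer from the reports on the share.
function Get-Sa00086Status {
    param(
        [Parameter(Mandatory)][string]$ReportDir,        # e.g. \\server\share\DiscoveryTool
        [Parameter(Mandatory)][string[]]$ComputerName,   # assumed: names from your own inventory
        [string]$VulnerableText    = 'This system is vulnerable',
        [string]$NotVulnerableText = 'This system is not vulnerable'
    )
    foreach ($name in $ComputerName) {
        # Same file pattern as the startup script: SA-00086-<computername>*.xml
        $reports = @(Get-ChildItem -Path $ReportDir -Filter "SA-00086-${name}*.xml" -ErrorAction SilentlyContinue |
                     Sort-Object LastWriteTime)
        $reportName = $null
        if ($reports.Count -eq 0) {
            $status = 'NoReport'            # tool never ran, or could not write to the share
        } else {
            $latest = $reports[-1]          # newest report wins, so a patched machine clears itself
            $reportName = $latest.Name
            if (Select-String -LiteralPath $latest.FullName -SimpleMatch -Pattern $VulnerableText -Quiet) {
                $status = 'Vulnerable'
            } elseif (Select-String -LiteralPath $latest.FullName -SimpleMatch -Pattern $NotVulnerableText -Quiet) {
                $status = 'NotVulnerable'
            } else {
                $status = 'Unknown'         # other language or failed scan: review by hand
            }
        }
        [pscustomobject]@{ Computer = $name; Status = $status; Report = $reportName }
    }
}

# Constructed sample reports: plain-text stand-ins, not the tool's real XML schema.
$dir = Join-Path ([IO.Path]::GetTempPath()) "sa86-demo-$PID"
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$samples = @{
    'SA-00086-PC01-run1.xml' = '<r>This system is vulnerable.</r>'
    'SA-00086-PC02-run1.xml' = '<r>This system is vulnerable.</r>'       # before patching
    'SA-00086-PC02-run2.xml' = '<r>This system is not vulnerable.</r>'   # after patching
    'SA-00086-PC03-run1.xml' = '<r>status text in another language (constructed)</r>'
}
foreach ($f in $samples.Keys) { Set-Content -Path (Join-Path $dir $f) -Value $samples[$f] }
(Get-Item (Join-Path $dir 'SA-00086-PC02-run1.xml')).LastWriteTime = (Get-Date).AddDays(-1)

# PC04 has no report at all and is listed as NoReport instead of being silently skipped.
Get-Sa00086Status -ReportDir $dir -ComputerName 'PC01','PC02','PC03','PC04' | Format-Table -AutoSize
Remove-Item -Recurse -Force $dir
```

Run it against the real share by passing \\server\share\DiscoveryTool as -ReportDir and, on non-English systems, the matching status strings for your language.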
 
McKnife Commented:
Hi.

Honestly, if you don't understand Intel's documentation, best would be to just use the test tool and, if it finds your system is vulnerable, just install the patch. The Intel ME is a very, very complicated matter, because Intel does not offer documentation for it. But yes, it is dangerous, if you are affected.

If you need to test a whole network, I can offer a script for that.
1
 
cgeorgeisaac (Author) Commented:
Thanks for your prompt reply, McKnife. Would really appreciate it if you could share that script.
0
 
McKnife Commented:
I will send myself a reminder to my office and offer it within 12 hours. It uses the command line, so you can use it as a startup script that computers execute at boot time.
0
 
cgeorgeisaac (Author) Commented:
Sounds good. If I may ask, do you have a similar script that can push out the 2 patches released by Intel - the FW and Driver - in my network?
0
 
McKnife Commented:
Yes, I have, but that will only work for certain hardware in my office and not in general. But it will give you an idea - will share as well.
0
 
cgeorgeisaac (Author) Commented:
Thank you so much.  Highly appreciated.
0
 
McKnife Commented:
You are welcome. Feel free to ask for further advice.
0
 
McKnife Commented:
Edit: The English string to look for is of course "This system is vulnerable". Sorry for that and please verify it.
0
 
cgeorgeisaac (Author) Commented:
Will do. Thanks once again.
0
Question has a verified solution.