Would be great to have a script to gather back reports of what machines may be vulnerable to the Intel AMT vulnerability. Here’s a link to the Labtech equivalent script someone published on Reddit:
https://www.reddit.com/r/msp/comments/69zxr4/intel_meamt_exploit_nearly_all_of_our_servers_and/
Hi @indieserve
Let us analyze your request and come up with solutions.
Thanks
Hi @indieserve,
Following the official Intel guide https://downloadmirror.intel.com/26755/eng/INTEL-SA-00075%20Detection%20Guide%20rev_1.3.pdf, we have prepared a script that does the following:
Steps:
- Downloads the package from the link, https://downloadcenter.intel.com/download/26755
- Installs the package on your endpoint
- Runs the installed program to analyze and collect the report
- Displays the collected reports on the execution log
- Uninstalls the tool
- Removes the downloaded packages
Note:
Run the script as System User
Requirements:
Microsoft* .NET Runtime 4.0
Limitation:
Collects only from Microsoft Windows 7, 8, 8.1 or 10
def ecmd(CMD, r=False):
    # Run a command with WOW64 file-system redirection disabled, so that a
    # 32-bit interpreter on 64-bit Windows reaches the real System32 paths
    import ctypes

    class disable_file_system_redirection:
        _disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
        _revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection

        def __enter__(self):
            self.old_value = ctypes.c_long()
            self.success = self._disable(ctypes.byref(self.old_value))

        def __exit__(self, type, value, traceback):
            if self.success:
                self._revert(self.old_value)

    from subprocess import PIPE, Popen
    with disable_file_system_redirection():
        OBJ = Popen(CMD, shell=True, stdout=PIPE, stderr=PIPE)
        out, err = OBJ.communicate()
    ret = OBJ.returncode
    # r=True: return only the exit code; otherwise return stdout on success
    # and the exit code on failure
    if r:
        return ret
    else:
        if ret == 0:
            return out
        else:
            return ret

import os
import urllib2

url = 'https://downloadmirror.intel.com/26755/eng/discoveryToolInstaller_1.0.1.39.msi'
fn = url.split('/')[-1]
temp = os.environ['TEMP']
down = urllib2.urlopen(url)
if down.code == 200:
    fp = os.path.join(temp, fn)
    with open(fp, 'wb') as wr:
        wr.write(down.read())
    if os.path.isfile(fp):
        # silent install of the Discovery Tool MSI
        inst = ecmd('msiexec /i "%s" /qn' % fp, True)
        if inst == 0:
            ## print 'installed'
            # on 64-bit Windows the tool is installed under Program Files (x86)
            if 'PROGRAMFILES(X86)' in os.environ.keys():
                ## print 'x64'
                pf = os.path.join(os.environ['PROGRAMFILES(X86)'], 'Intel', 'Intel-SA-00075 Discovery Tool', 'Windows', 'Intel-SA-00075-console.exe')
            else:
                ## print 'x86'
                pf = os.path.join(os.environ['PROGRAMFILES'], 'Intel', 'Intel-SA-00075 Discovery Tool', 'Windows', 'Intel-SA-00075-console.exe')
            # run the console tool and write its report to the execution log
            print ecmd('"%s" -n -d 0' % pf)
            # silent uninstall, then remove the downloaded MSI
            unin = ecmd('msiexec /x "%s" /qn' % fp, True)
            if unin == 0:
                ## print 'uninstalled'
                os.remove(fp)
            else:
                print 'error on uninstallation', unin
        else:
            print 'error on installation', inst
else:
    print 'error on download', down.code
Script to Import:
Sample Output:
Additional Information for your understanding of the output [Copied from the Guide given above]:
- Vulnerable: The system has a vulnerable manageability firmware version, firmware needs to be updated
- Not Vulnerable: The system meets the “Not Vulnerable” criteria described in the Identifying vulnerable systems using the INTEL-SA-00075 Discovery Tool section of the document.
- Not Vulnerable (verify configuration): The system has the firmware with the fix for INTEL-SA-00075, but if the system was provisioned prior to the firmware update, an attacker using the known vulnerability may have changed the manageability configuration. There is a limited amount of verification that can be done through reviewing the Intel manageability SKU audit log. A full unprovision, reprovision of the manageability SKU will remove unauthorized configuration settings.
- Check With OEM: The information in the SMBIOS from the OEM shows a manageability SKU, but the Discovery Tool did not receive a response when requesting detailed data from your computer. This may be caused by a missing Management Engine interface driver. Consult your OEM to find out if your computer model is affected.
- Unknown: Discovery Tool did not receive a valid response when requesting hardware inventory data from your computer. Consult your OEM to find out if your computer model is affected.
For any clarification, please let us know as soon as possible.
Thank you.
20170512-Intel-AMT-vulnerability-Script-Intel-SA-00075.json (3.06 KB)
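As an added example, not part of this post or of Intel's Discovery Tool, the snippet below turns the console output that the script above prints to the execution log into one reportable status per endpoint, using the five result strings listed above. The sample output and its "Risk Assessment:" label are constructed for the example; the real tool's layout may differ, so only the status strings from the guide are relied on.

```python
# Added example (not from the forum post or Intel's tool): classify the
# Discovery Tool's console output into one reportable status per endpoint.
# Runs on Python 2 and 3.
from __future__ import print_function
import json

# Result strings from the INTEL-SA-00075 Detection Guide, with the follow-up
# action the guide describes. Order matters: the most specific string is
# tested first, so "Not Vulnerable (verify configuration)" is not reported
# as "Not Vulnerable", and "Not Vulnerable" is not reported as "Vulnerable".
STATUSES = [
    ("Not Vulnerable (verify configuration)",
     "fixed firmware; review the SKU audit log, unprovision and reprovision"),
    ("Not Vulnerable", "no action needed"),
    ("Check With OEM", "possible missing ME interface driver; consult OEM"),
    ("Unknown", "no valid hardware inventory response; consult OEM"),
    ("Vulnerable", "update manageability firmware"),
]


def classify(console_output):
    """Return (status, action) for one endpoint's console output."""
    text = " ".join(console_output.split())  # normalise line breaks/spacing
    for status, action in STATUSES:
        if status in text:
            return status, action
    return "No result", "no recognised status in output; rerun as System user"


def report(hostname, console_output):
    """Build the record an inventory or ticketing system would store."""
    status, action = classify(console_output)
    return {"host": hostname, "status": status, "action": action,
            "needs_attention": status != "Not Vulnerable"}


# Constructed sample output for this example; the real layout may differ.
SAMPLE = """Intel-SA-00075 Discovery Tool
System: DESKTOP-A (constructed sample)
Risk Assessment: Not Vulnerable (verify configuration)
"""

if __name__ == "__main__":
    print(json.dumps(report("DESKTOP-A", SAMPLE), indent=2))
```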