Patch Management Solution


INTEL-SA-00075 Bulletin

  • 1.  INTEL-SA-00075 Bulletin

    Posted May 19, 2017 11:22 AM

    Symantec is offering us a bulletin called: INTEL-SA-00075. Does anyone have any idea, specifically, what this bulletin does? Are there prerequisites? This article: https://support.symantec.com/en_US/article.TECH246333.html suggests we may need Python installed?

     

    Scott



  • 2.  RE: INTEL-SA-00075 Bulletin

    Posted May 19, 2017 03:23 PM

    Good question because it does not appear to be doing anything. I tested on a lab machine and have been at "Installation in progress" for an hour and a half now. 



  • 3.  RE: INTEL-SA-00075 Bulletin

    Posted May 22, 2017 12:05 PM

    According to Intel it's only a "detection tool" for the AMT vulnerability, not a fix or patch. A shame.

     

    https://downloadcenter.intel.com/download/26755/INTEL-SA-00075-Detection-Guide

     

     



  • 4.  RE: INTEL-SA-00075 Bulletin

    Posted May 23, 2017 01:27 PM

    So if it's a detection tool, in the context of patch management, what does it get us?



  • 5.  RE: INTEL-SA-00075 Bulletin

    Posted May 26, 2017 10:01 AM

    Looks like I may have to open a ticket with Symantec for clarification on this.  :-(



  • 6.  RE: INTEL-SA-00075 Bulletin

    Posted May 26, 2017 11:34 AM

    If you find out any more information, please let us know. It is only showing as applicable for 11 PCs here, though we do not usually have Python installed on our PCs.



  • 7.  RE: INTEL-SA-00075 Bulletin

    Posted May 29, 2017 06:48 AM

    Hi Scott!

     

    Please, could you keep us informed about that? I have only one applicable computer in my environment.

     

    Regards,



  • 8.  RE: INTEL-SA-00075 Bulletin

    Posted Jun 01, 2017 10:40 AM

    Hi Scott,

     

    Any update yet? I am showing over 3000 applicable machines. From what I have read the only fix is a firmware update. We are a Lenovo environment and have lots of different models. I am not sure what the best approach is to push out multiple firmware updates to over 3000 machines and also not kill the bandwidth at our branches. I was hoping for one easy patch, but looks like that is not the case.



  • 9.  RE: INTEL-SA-00075 Bulletin

    Posted Jun 02, 2017 02:31 AM

    When you read the INTEL-SA-00075 Mitigation Guide, somewhere in the linked advisory Intel says: Either disable it, or update your firmware.

    What I have seen is that the "patch" is just doing the commands from the advisory to disable it (if the firmware version marks the client as vulnerable).

    - Unprovisioning clients

    - Stop and remove services (LMS/UNS)

     

    See: http://www.intel.com/content/www/us/en/architecture-and-technology/intel-amt-vulnerability-announcement.html

    ("From Intel" on top has the link to the mitigation guide)



  • 10.  RE: INTEL-SA-00075 Bulletin

    Posted Jun 02, 2017 11:22 AM

    Mistral,

     

    So have you confirmed that the patch is indeed unprovisioning and stopping/removing LMS? What testing have you done and did you notice any problems?



  • 11.  RE: INTEL-SA-00075 Bulletin

    Posted Jun 06, 2017 01:08 PM

    Hello Scott,

    Please review the updated link on TECH246333 directing to INFO4401.

    Please post if there are any remaining questions or concerns.

    Thank you,
    Joshua



  • 12.  RE: INTEL-SA-00075 Bulletin

    Posted Jun 07, 2017 02:51 AM

    Sorry for the late answer - somehow I rarely get any more notifications

     

    I had only one affected client... and the run failed.

    I found the batch (that was generated at runtime?) and these weird commands.

    After reading the Mitigation Guide I saw what it tried to do ... they were exactly the commands to unprovision the client and disable the services.

    I did run it manually to find out what failed, but it worked.

    So I don't really know where exactly the batch failed - maybe it was just an unexpected return code.

    I didn't give it a second try.
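
Added example (not part of the thread, and not Symantec's or Intel's code): since posts 9 and 12 describe the bulletin as stopping and removing the LMS/UNS services and report a run that failed for an unclear reason, this PowerShell sketch checks the resulting service state on the local machine instead of relying on the batch's return code. It assumes the short service names are `LMS` and `UNS` as written in the thread; it does not check AMT provisioning state or firmware version.

```powershell
#Requires -Version 3
# Added example: report whether the services named in the thread (LMS, UNS)
# are stopped-and-disabled or removed on this machine.
# Assumption: the short service names match the names used in the posts.

function Get-AmtServiceState {
    param(
        [string[]]$Name = @('LMS', 'UNS')
    )
    foreach ($n in $Name) {
        # Win32_Service exposes State (Running/Stopped/...) and StartMode (Auto/Manual/Disabled)
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$n'" -ErrorAction SilentlyContinue
        if (-not $svc) {
            # Service not registered: either removed or never installed
            [pscustomobject]@{
                Service          = $n
                Present          = $false
                State            = $null
                StartMode        = $null
                StoppedOrRemoved = $true
            }
        }
        else {
            [pscustomobject]@{
                Service          = $n
                Present          = $true
                State            = $svc.State
                StartMode        = $svc.StartMode
                # A stopped service left on Auto/Manual can start again, so require Disabled
                StoppedOrRemoved = ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
            }
        }
    }
}

$result = Get-AmtServiceState
$result | Format-Table -AutoSize

# Single line a management agent can collect as the verification result
if ($result.StoppedOrRemoved -contains $false) {
    Write-Output 'SERVICE-CHECK: at least one service is still present and not disabled'
}
else {
    Write-Output 'SERVICE-CHECK: LMS/UNS are stopped-and-disabled or not present'
}
```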



  • 13.  RE: INTEL-SA-00075 Bulletin

    Posted Jun 07, 2017 09:25 AM

    Joshua,

    Thanks for the information. That was exactly what I was looking for. 



  • 14.  RE: INTEL-SA-00075 Bulletin

    Posted Jun 07, 2017 09:45 AM

    Does anyone know if SEP blocks this vulnerability at all?



  • 15.  RE: INTEL-SA-00075 Bulletin

    Posted Jun 07, 2017 09:53 AM

    To my understanding this attack would run out of band.

    Direct communication with the firmware (even having its own IP).

     

     



  • 16.  RE: INTEL-SA-00075 Bulletin

    Posted Jun 07, 2017 10:03 AM

    That is how I understood the exploit as well, but thought I would ask. The reason I ask is because I had seen that there is an issue with some clients failing to execute the patch and that Symantec is looking into the reason why. I was not sure if we should hold off on the patch until Symantec figures out a fix for the patch or if we are being covered by SEP. If we are not covered by SEP then I will want to deploy the patch regardless.