Scribd
Upload
101 views

Intel (R) CSME Version Detection Tool User Guide

Uploaded by

tfnkunrhklmsdezmif
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
101 views

Intel (R) CSME Version Detection Tool User Guide

Uploaded by

tfnkunrhklmsdezmif
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 18

Intel® CSME Version Detection

Tool

User Guide

November 2023
Introduction

You may not use or facilitate the use of this document in connection with any infringement or other legal analysis concerning
Intel products described herein. You agree to grant Intel a non-exclusive, royalty-free license to any patent claim thereafter
drafted which includes subject matter disclosed herein.

No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document.
Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service
activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with
your system manufacturer or retailer or learn more at intel.com.

Intel technologies may require enabled hardware, specific software, or services activation. Check with your system manufacturer
or retailer.

The products described may contain design defects or errors known as errata which may cause the product to deviate from
published specifications. Current characterized errata are available on request.

Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness
for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or
usage in trade.

All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest Intel
product specifications and roadmaps.

Copies of documents which have an order number and are referenced in this document may be obtained by calling 1-800-548-
4725 or visit www.intel.com/design/literature.htm.

Intel, and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.
*Other names and brands may be claimed as the property of others.

© 2020-2023 Intel Corporation. All rights reserved

2 User Guide
Introduction

Contents
1 Introduction ...................................................................................................... 5
2 Using the Intel® CSME Version Detection Tool ...................................................... 7
2.1 System Requirements ............................................................................. 8
2.2 Installing the Tool – Linux* ...................................................................... 8
2.3 Running the Linux* Console Tool .............................................................. 8
2.4 Installing the Tool – Windows* ................................................................. 8
2.5 Running the GUI Tool .............................................................................. 9
2.6 Running the Windows* Console Tool ....................................................... 12

3 Results ........................................................................................................... 15
3.1 Registry Location .................................................................................. 15
3.2 XML .................................................................................................... 15
3.3 Console Return Codes ........................................................................... 16
3.4 Console Output Values .......................................................................... 16

4 Troubleshooting Signature Validation Issues ....................................................... 18

User Guide 3
Introduction

Table of Figures
Figure 1: Output example for a vulnerable system ............................................... 10
Figure 2: Output example for system that is not vulnerable .................................. 10
Figure 3: Output example for system not supported by the tool ............................. 11
Figure 4: Windows* Console Tool Options ........................................................... 12
Figure 5: Console Output Example ..................................................................... 13
Figure 6: Risk Assessment Logic ........................................................................ 14
Figure 7: Console Return Codes......................................................................... 16
Figure 8: Console Output Values ........................................................................ 17

4 User Guide
Introduction

1 Introduction
This document will guide you through multiple processes to detect the
following security vulnerabilities:

• SA-00086

• SA-00125

• SA-00213

• SA-00241

• SA-00295

• SA-00404

• SA-00391

• SA-00459

• SA-00470

• SA-00610

• SA-00613

• SA-00783

• SA-00923

For more information, refer to the relevant Intel Security Advisory list
at https://www.intel.com/content/www/us/en/support/articles/000031784/technologi
es.html.

If you are a user of a single Windows* PC and you wish to determine


its status:
We have provided the Intel® CSME Version Detection Tool GUI
application
(CSME-Version-Detection-Tool.exe) for local analysis of a single or standalone
Windows* system.

If you want to determine the status for multiple Windows* machines:


We have provided the Intel® CSME Version Detection Tool Console
application (CSME-Version-Detection-Tool-console.exe). This tool can perform
detection and write its findings to the local Windows* Registry, and
(optionally) to an XML and/or .txt file, for subsequent collection and analysis.

If you are a user of a Linux* system and you wish to determine its
status:

User Guide 5
Introduction

We have provided the Intel® CSME Version Detection Tool Console


application (intel_csme_version_detection_tool) for analysis of Linux*
systems.

Note: The Detection Tool does not support MacOS.

6 User Guide
Using the Intel® CSME Version Detection Tool

2 Using the Intel® CSME Version


Detection Tool

What is the Intel® CSME Version Detection Tool?

The Intel® CSME Version Detection Tool can be used by local users or by
an IT administrator to determine whether a system is vulnerable to the
exploits documented in one or more of the following security advisories:

• SA-00086

• SA-00125

• SA-00213

• SA-00241

• SA-00295

• SA-00404

• SA-00391

• SA-00459

• SA-00470

• SA-00610

• SA-00613

• SA-00783

• SA-00923

The Detection Tool is offered in two versions for Windows* and in a single
version for Linux*:

• For Windows* there is an interactive GUI tool that retrieves the device’s
hardware and software details and provides an indication of risk assessment.
This version is recommended for evaluating a single local Windows* system.

• The second version, for Linux* and Windows*, is a console executable that
can perform the risk assessment and optionally save the detection information
to the Windows* registry (Windows* only), to an XML file, and/or to a text
file. This version is more convenient for IT administrators who need to perform
bulk detection operations across multiple machines.

User Guide 7
Using the Intel® CSME Version Detection Tool

The tool is available for download at


https://downloadcenter.intel.com/download/28632.

2.1 System Requirements


Windows*:

• Microsoft* Windows* 7, 8, 8.1, 10 (including 10 S), or 2012 R2 for servers


(x64) (Windows*10 IOT Core is not supported)

• .Net version 4.5 or later

• Intel® Management Engine Interface (Intel® MEI) driver

• Administration privileges

Linux*:
• Ubuntu* LTS 16.04 (for client), Redhat 7.2 (for Server)

• Python* 2.6.6

• Local operating system administrative access

2.2 Installing the Tool – Linux*


Unzip the package into a directory.

Ensure that Execute permission is set on the following files:

- intel_csme_version_detection_tool

2.3 Running the Linux* Console Tool


From the installation directory, if Python 2.x is installed, execute the command:
sudo ./ intel_csme_version_detection_tool

Note: If Python 3.x (and not Python 2.x) is installed, execute the command:
sudo python3 intel_csme_version_detection_tool

Note: The Linux* tool accepts no command line options.

2.4 Installing the Tool – Windows*


Unzip the downloaded package into a directory.

The console tool can be found in the DiscoveryTool subdirectory. The GUI tool can be

8 User Guide
Using the Intel® CSME Version Detection Tool

found in the DiscoveryTool.GUI directory.

2.5 Running the GUI Tool


Intel-CSME-Detection.exe is designed to run on a single system. The tool outputs
the detection information to the screen.

To run the GUI tool on a Windows system:

• Double-click CSME-Version-Detection-Tool.exe. The tool displays the


platform’s status.

Following is an example of the program’s output when run on a vulnerable


system:

User Guide 9
Using the Intel® CSME Version Detection Tool

Figure 1: Output example for a vulnerable system

Following is an example of the program’s output when run on a system that is not
vulnerable:

Figure 2: Output example for system that is not vulnerable

10 User Guide
Using the Intel® CSME Version Detection Tool

Following is an example of the program’s output when run on a system that is not
supported by the tool:

Figure 3: Output example for system not supported by the tool

Note: *On SPS platforms, the recovery version is displayed in the Intel® ME
Information section.

Note: If the tool displays a “Not Supported” message, and your Intel® ME version is
between 6.x and 10.x, refer to https://downloadcenter.intel.com/download/29057/
for the tool that is applicable for your platform.

User Guide 11
Using the Intel® CSME Version Detection Tool

2.6 Running the Windows* Console Tool


Execute CSME-Version-Detection-Tool-console.exe from a command prompt.

Syntax: CSME-Version-Detection-Tool-console.exe [[option...]]

The following table shows the program’s available options:

Command Line Option Functionality


-n, --noregistry Prevents writing results to the registry
Prevents results from being displayed on the
-c, --noconsole
console
-p <filepath>, Path to the directory in which to store the
--filepath <filepath> output file.
Displays these command line switches and
-h, --help, -?
their functions

Figure 4: Windows* Console Tool Options

12 User Guide
Using the Intel® CSME Version Detection Tool

Following is an example of the CSME-Version-Detection-Tool-console.exe output:

Figure 5: Console Output Example

The following table describes the logic that is used to determine a risk assessment:

User Guide 13
Using the Intel® CSME Version Detection Tool

Message Meaning

• The detected version of the Management Engine firmware is


considered vulnerable for one or more of the following:

• SA-00086

• SA-00125

• SA-00213

• SA-00241

• SA-00295

Vulnerable • SA-00404

• SA-00391

• SA-00459

• SA-00470

• SA-00610

• SA-00613

• SA-00783

• SA-00923

The system meets the “Not Vulnerable” criteria described in


Not
Identifying impacted systems using the Intel-CSME-Detection Detection
Vulnerable
Tool.

May Be Tool could not communicate with the Intel® MEI/TXEI Driver. Platform
Vulnerable vulnerability cannot be ascertained.

The tool did not receive a valid response when requesting hardware inventory
Unknown data from your computer. Contact the system manufacturer for assistance in
determining the vulnerability of this system.

Firmware versions of Intel® ME 3.x thru 10.x, Intel® TXE 1.x thru 2.x and Intel®
Not Server Platform Services 1.x thru 2.x are no longer supported, thus were not
Supported assessed for the vulnerabilities/CVEs listed in these security advisories There is
no new release planned for these versions.

Figure 6: Risk Assessment Logic

14 User Guide
Results

3 Results
The amount of data returned by the Intel-CSME-Detection command depends on
whether the Intel manageability driver stack is loaded onto the system. If the Intel®
Management Engine Interface (Intel® MEI) driver is present, a more verbose set of
data will be displayed. Some of the fields may not be supported by the manufacturer.

3.1 Registry Location


The values from the results table can be found in the following registry key:

HKLM\SOFTWARE\Intel\CSME Version Detection Tool

Under this location, System Status/System Risk contains the vulnerability status
and System Status/System Risk Value contains the application’s return code.

3.2 XML
If you choose to write results to an XML file, that file will be stored in the directory
from which you executed CSME-Version-Detection-Tool-console.exe or in the
path specified by the command line options. The results include information such as
hardware inventory and OS. The filename will have the format
CSME-Version-Detection-Tool-<ComputerName>-<date>-<Time>.xml.

User Guide 15
Results

3.3 Console Return Codes

Number Status Meaning

0 NOTVULNERABLE | STATUS_OK Platform is not vulnerable

Intel® ME driver is not installed


10 HECI_NOT_INSTALLED on the platform. Unable to
determine platform vulnerability.

Error communicating with the


11 HECI_ERROR Intel® ME driver. Unable to
determine platform vulnerability.

100 DISCOVERY_VULNERABLE_NOT_PATCHED Platform is vulnerable.

Platform is not vulnerable, it


101 DISCOVERY_NOT_VULNERABLE_PATCHED
has been patched

This platform is no longer


102 NOT_SUPPORTED supported. No firmware update is
available for security issues.

Unable to determine platform


200 DISCOVERY_UNKNOWN
vulnerability

Figure 7: Console Return Codes

3.4 Console Output Values

Value Location Description

Application
Version of the scanning tool used
Version

Scan Date Date and time of the scan

Computer
Hardware inventory Name of the computer scanned
Name

Computer
Computer’s manufacturer
Manufacturer

Computer
Computer’s model
Model

Processor Computer’s processor model

Engine Intel® ME Firmware information ME, CSME, TXE or SPS

A string value with the full Intel® ME


firmware version number in the
ME Version
following format:
Major.Minor.Hotfix.Build

SVN Firmware Security Version Number

*** Risk
Refer to Figure 6: Risk
Assessment Risk Assessment
Assessment Logic
***

16 User Guide
Results

Figure 8: Console Output Values

User Guide 17
Troubleshooting Signature Validation Issues

4 Troubleshooting Signature
Validation Issues
The Detection tool makes every effort to validate its own authenticity before running.

In the event that the tool cannot validate itself, a message similar to the following is
displayed:

The signature of the file cannot be validated. Please refer to the Intel® CSME Version
Detection Tool user guide for more information.

Note: In case of a validation issue, you should ensure that the latest Root Certificate
update for Windows* has been installed. For more information, refer to
https://support.microsoft.com/en-us/help/931125/how-to-get-a-root-
certificateupdate-for-windows

18 User Guide

You might also like