Nate-R

Optiplex 790, INTEL-SA-00075 Mitigation

Hello all,

I'm looking for a way to patch the INTEL-SA-00075 vulnerability on our Optiplex 790 computers without updating to A19 BIOS, as A18 and A19 break PXE boot. 

I've gone through the steps in the INTEL-SA-00075 Detection and Mitigation Guide, but it's still showing the computers as vulnerable.

I've run the following commands:

Intel-SA-00075-console.exe -Unprovision

Intel-SA-00075-console.exe -DisableCCM

Intel-SA-00075-console.exe -DisableLMS

The output of the above commands, when running them a second time to verify they took, is (in the same order as above):

-Unprovision error: Intel(R) AMT is already unconfigured on this system.

-DisableClientControlMode: This Intel(R) AMT device does not support Client Control mode.

-No Output

After successfully running those and rebooting, this is the output of Intel-SA-00075-console.exe -Discover:

Starting internal MicroLMS.

INTEL-SA-00075 Discovery Tool
Application Version: 1.0.2.116
Scan Date: 2017-07-10 12:29:13

*** Host Computer Information ***
Computer Name: [redacted]
Manufacturer: Dell Inc.
Model: OptiPlex 790
Processor: Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz
Windows Version: Microsoft Windows 7 Professional

*** ME Information ***
Version: 7.1.70.1198
SKU: Intel(R) Standard Manageability
State: Not Provisioned
Driver installed: True
Control Mode: None
Is CCM Disabled: True
EHBC Enabled: False
LMS state: NotPresent
MicroLMS state: NotPresent

*** Risk Assessment ***
Based on the analysis performed by this tool, this system is vulnerable.
Explanation:
 The detected version of the Management Engine firmware is considered vulnerable
 for INTEL-SA-00075.


If Vulnerable, contact your OEM for support and remediation of this system.

*** For more information ***
Refer to CVE-2017-5689 at:
  nvd.nist.gov/.../CVE-2017-5689

or the Intel security advisory Intel-SA-00075 at:
  security-center.intel.com/advisory.aspx
eid=en-fr

---------------------------------------------------

Any ideas how we can get these computers to "not vulnerable"?

Thanks!

Nate

0 Kudos
1 Reply
Moderator

RE: Optiplex 790, INTEL-SA-00075 Mitigation

I have sent this issue to the Desktop L3 team for review. This could take a while. I have not seen any workarounds from us or customers on this Forum. Until they release a new BIOS, you have to either live with PXE and without the INTEL-SA-00075 fix or vice versa.



Social Media Support
#IWork4Dell
Technical Support (Desktops, Monitors, Laptops)
0 Kudos
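
The -Discover report quoted in the question ties its verdict to the detected ME firmware version, which is why that report still reads "vulnerable" after the three mitigation commands. As an added example (not from the post, Dell or Intel's tool), this Python parser reports the mitigation fields separately from that verdict so a fleet can be tracked on both; `parse_discover`, `triage` and the result keys are hypothetical names, and treating only `NotPresent` as "LMS absent" is an assumption based on the one value shown in the thread.

```python
import re

# Excerpt of the -Discover output quoted in the question (other lines omitted).
SAMPLE = """\
*** ME Information ***
Version: 7.1.70.1198
State: Not Provisioned
Is CCM Disabled: True
LMS state: NotPresent

*** Risk Assessment ***
Based on the analysis performed by this tool, this system is vulnerable.
"""

def parse_discover(text):
    """Split the report into 'Section/Key' fields plus the tool's verdict phrase."""
    fields, section, verdict = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\*\*\* (.+?) \*\*\*", line)
        if header:
            section = header.group(1)
        elif section == "Risk Assessment":
            # Keep whatever phrase the tool printed instead of guessing an enum.
            hit = re.search(r"this system is (.+?)\.", line)
            if hit:
                verdict = hit.group(1)
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[f"{section}/{key.strip()}"] = value.strip()
    return fields, verdict

def triage(text):
    """Report mitigation state separately from the firmware-based verdict."""
    fields, verdict = parse_discover(text)
    prefix = "ME Information/"
    me = {k[len(prefix):]: v for k, v in fields.items() if k.startswith(prefix)}
    mitigations = {
        "unprovisioned": me.get("State") == "Not Provisioned",
        "ccm_disabled": me.get("Is CCM Disabled") == "True",
        # Assumption: only the value seen in the thread counts as "LMS absent".
        "lms_absent": me.get("LMS state") == "NotPresent",
    }
    return {
        "me_version": me.get("Version"),
        "verdict": verdict,
        "mitigations": mitigations,
        # Mitigations in place, but the tool still flags the firmware version.
        "needs_firmware_only": verdict == "vulnerable" and all(mitigations.values()),
    }
```

Run over saved reports from each machine, `needs_firmware_only` picks out hosts where the interim mitigations are in place and only the OEM firmware update is outstanding.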