23 October 2017

Infineon TPM Vulnerability Report using SCCM (CVE-2017-15361)

This weekend, I listened to Security Now's KRACKing WiFi podcast, Episode 633, where they discussed the Infineon TPM vulnerability (CVE-2017-15361, the weak RSA key generation flaw in Infineon TPM firmware). Finding out exactly what to look for was tedious. I finally ran across Lode Vanstechelman's blog entry, which tells you exactly what to look for. The only thing it does not address is using SCCM to find vulnerable systems. Since you are looking for a specific TPM manufacturer ID and a set of firmware version ranges, SCCM hardware inventory is a great tool for finding affected systems across a large network.

As listed on Lode's site, you are looking for Manufacturer ID 1229346816 (0x49465800, the ASCII bytes "IFX" followed by a null byte, Infineon's TPM vendor ID). If that ID is present, then the following firmware versions are affected:

  • 4.00 to 4.33
  • 4.40 to 4.42
  • 5.00 to 5.61
  • 6.00 to 6.42
  • 7.00 to 7.61
  • 133.00 to 133.32
NOTE: The firm I work at did not have any systems that met the manufacturer ID criteria, so the WQL below is written without the ability to test it. Treat it as a template. I would appreciate feedback on whether it needs to be modified.

Here is the WQL query. It joins the TPM hardware inventory class (SMS_G_System_TPM, which is populated from Win32_Tpm, so the TPM class must be enabled in hardware inventory) to the system resource and filters on the Infineon manufacturer ID from above and the affected version ranges:

 select SMS_R_System.Name, SMS_G_System_TPM.ManufacturerId, SMS_G_System_TPM.ManufacturerVersion
 from SMS_R_System
 inner join SMS_G_System_TPM on SMS_G_System_TPM.ResourceID = SMS_R_System.ResourceId
 where SMS_G_System_TPM.ManufacturerId = 1229346816
   and ((SMS_G_System_TPM.ManufacturerVersion >= "4" and SMS_G_System_TPM.ManufacturerVersion <= "4.33")
     or (SMS_G_System_TPM.ManufacturerVersion >= "4.40" and SMS_G_System_TPM.ManufacturerVersion <= "4.42")
     or (SMS_G_System_TPM.ManufacturerVersion >= "5" and SMS_G_System_TPM.ManufacturerVersion <= "5.61")
     or (SMS_G_System_TPM.ManufacturerVersion >= "6" and SMS_G_System_TPM.ManufacturerVersion <= "6.42")
     or (SMS_G_System_TPM.ManufacturerVersion >= "7" and SMS_G_System_TPM.ManufacturerVersion <= "7.61")
     or (SMS_G_System_TPM.ManufacturerVersion >= "133" and SMS_G_System_TPM.ManufacturerVersion <= "133.32"))
 order by SMS_G_System_TPM.ManufacturerId

ManufacturerVersion is stored as a string, so the range comparisons above are text comparisons, not numeric ones. That works here because Infineon reports the minor part of the version with two digits (4.32, 5.61, 133.32); it would not hold for a vendor that reports 4.9 and 4.10.
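The following is an added example, not code from the original post. It applies the manufacturer ID and firmware ranges listed above to TPM data, parsing the version numerically instead of relying on the text comparison in the WQL, and can be run against the local machine or against inventory rows exported from SCCM. The live check assumes the Get-Tpm cmdlet (TrustedPlatformModule module, Windows 8 / Server 2012 and later); the inventory rows at the bottom are constructed for the demonstration.

```powershell
# Added example (not the post's own code): numeric check of the ROCA-affected
# Infineon firmware ranges. Get-Tpm is assumed for the live check; the sample
# inventory rows below are constructed.

# 1229346816 = 0x49465800 = the ASCII bytes "IFX" followed by a null byte (Infineon)
$InfineonManufacturerId = [uint32]1229346816

# Affected firmware from the list above: same major, minor between Min and Max inclusive
$AffectedRanges = @(
    @{ Major = 4;   Min = 0;  Max = 33 },
    @{ Major = 4;   Min = 40; Max = 42 },
    @{ Major = 5;   Min = 0;  Max = 61 },
    @{ Major = 6;   Min = 0;  Max = 42 },
    @{ Major = 7;   Min = 0;  Max = 61 },
    @{ Major = 133; Min = 0;  Max = 32 }
)

function Test-RocaAffectedTpm {
    <#
        .SYNOPSIS
            Returns $true when the TPM is an Infineon part running an affected firmware version
    #>
    [CmdletBinding()][OutputType([bool])]
    param (
        [Parameter(Mandatory = $true)][uint32]$ManufacturerId,
        [Parameter(Mandatory = $true)][string]$ManufacturerVersion
    )
    if ($ManufacturerId -ne $InfineonManufacturerId) { return $false }
    # Firmware versions are "major.minor" strings such as "4.32" or "133.32".
    # Infineon reports the minor part with two digits, so it can be compared as an integer.
    if ($ManufacturerVersion -notmatch '^\s*(\d+)\.(\d+)') {
        Write-Warning "Unrecognised version string '$ManufacturerVersion'"
        return $false
    }
    $major = [int]$Matches[1]
    $minor = [int]$Matches[2]
    foreach ($range in $AffectedRanges) {
        if ($major -eq $range.Major -and $minor -ge $range.Min -and $minor -le $range.Max) {
            return $true
        }
    }
    return $false
}

function Get-LocalTpmRocaStatus {
    # Live check of this machine's TPM via Get-Tpm (assumed to be available)
    $tpm = Get-Tpm
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ManufacturerId      = $tpm.ManufacturerId
        ManufacturerVersion = $tpm.ManufacturerVersion
        Affected            = Test-RocaAffectedTpm -ManufacturerId $tpm.ManufacturerId -ManufacturerVersion $tpm.ManufacturerVersion
    }
}

# Constructed rows shaped like SMS_G_System_TPM inventory (1314145024 is "NTC", a non-Infineon vendor)
$SampleInventory = @(
    [pscustomobject]@{ Name = 'PC-001'; ManufacturerId = 1229346816; ManufacturerVersion = '4.32' },
    [pscustomobject]@{ Name = 'PC-002'; ManufacturerId = 1229346816; ManufacturerVersion = '4.34' },
    [pscustomobject]@{ Name = 'PC-003'; ManufacturerId = 1229346816; ManufacturerVersion = '7.62' },
    [pscustomobject]@{ Name = 'PC-004'; ManufacturerId = 1314145024; ManufacturerVersion = '5.61' }
)
$SampleInventory |
    Select-Object Name, ManufacturerId, ManufacturerVersion,
        @{ Name = 'Affected'; Expression = { Test-RocaAffectedTpm -ManufacturerId $_.ManufacturerId -ManufacturerVersion $_.ManufacturerVersion } } |
    Format-Table -AutoSize
```

Of the constructed rows only PC-001 is flagged: 4.34 falls in the gap between 4.33 and 4.40, 7.62 is above the 7.x range, and PC-004 is not an Infineon part. Run Get-LocalTpmRocaStatus on a machine to check its own TPM.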

17 October 2017

SCCM and MDT Master Kill Switch

With the advent of mass deployment errors such as the ones at Emory University and CommBank, there needs to be a master kill switch. I also read several months ago about a university in one of the Scandinavian countries that did the same thing. At the last two Microsoft Ignite conferences, I have also talked to SCCM professionals who experienced the same thing, one at an oil company in Oklahoma and another at a financial services company in Michigan. The latter company, with more than 100,000 systems, abandoned SCCM for imaging purposes and went to MDT to make sure this would never happen again.

Over the past three years, I have contemplated a new method for resolving this. At first, I started writing a tool that would shut down all pertinent services on machines, such as Windows Installer, and kill certain task sequences, along with several other things. Partway through writing it, a much easier solution came to mind. It is very basic but also very effective.

I also want to point out one thing. My solution does not compete with Adaptiva's. Adaptiva has a much more robust solution, but if you choose not to use it, this solution does a good job of stopping an image, or even an application, from installing.

The solution I came up with uses a simple text file. In the task sequence, the check must run before the step that wipes the system partitions. The screenshot below is from MDT; you would only need this fuse there if a team images machines and you want the process to stop right now. In SCCM, make sure it runs before the step that reboots into WinPE to wipe the partitions.



As the screenshot shows, I used a Run Command Line task sequence step with a PowerShell one-liner that tests whether the file is present. If it is not, the command returns exit code 1, and that non-zero exit code fails the step and kills the build.

powershell.exe -command "&{if ((Test-path <Directory>\BUILDFUSE\BUILDFUSE) -eq $false) {Exit 1}}"

The file I created is an empty text file with the .TXT extension removed.


The screenshot below shows what happened when I started an image with the file absent.


This could also be incorporated into a software deployment in case you accidentally deploy an application and realize it needs to stop NOW. If you deploy apps the way I do, with PowerShell script files, add a line at the top of the script that checks for the file before proceeding. That kills the installation if it has started but not yet reached the point of actually installing.

Obviously, if the admin does not realize a mistake was made, the image continues. Two details matter for the fuse to work: the step must not have Continue on error enabled, and since Test-Path returns False when the share is unreachable, a network problem stops the build as well. The check fails closed, which is the right direction for a kill switch.
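As an added example, not code from the original post, here is the same fuse check packaged as a function that a PowerShell install script can call before it changes anything, together with a guard that turns the result into the script's exit code. The log path and the temporary fuse location used for the offline demonstration are assumptions; the real fuse path in the post is written as <Directory>\BUILDFUSE\BUILDFUSE.

```powershell
# Added example (not the post's own code): a reusable build-fuse check for
# PowerShell deployment scripts. Log path and demo fuse location are assumptions.

function Test-BuildFuse {
    <#
        .SYNOPSIS
            Returns $true while the fuse file exists; $false once it has been pulled (or cannot be reached)
    #>
    [CmdletBinding()][OutputType([bool])]
    param (
        [Parameter(Mandatory = $true)][string]$FusePath,
        [string]$LogPath = (Join-Path $env:TEMP 'BuildFuse.log')
    )
    # Test-Path is $false for a missing file and for an unreachable share alike,
    # so a network fault stops the deployment the same way a pulled fuse does (fail closed)
    $present = Test-Path -Path $FusePath -PathType Leaf
    $state = if ($present) { 'present' } else { 'MISSING' }
    $line = '{0}  fuse {1}  {2}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $state, $FusePath
    $line | Out-File -FilePath $LogPath -Append -ErrorAction SilentlyContinue
    return $present
}

function Invoke-GuardedInstall {
    <#
        .SYNOPSIS
            Runs an install action only if the fuse is still in place; returns the exit code to hand back
    #>
    [CmdletBinding()][OutputType([int])]
    param (
        [Parameter(Mandatory = $true)][string]$FusePath,
        [Parameter(Mandatory = $true)][scriptblock]$InstallAction
    )
    if (-not (Test-BuildFuse -FusePath $FusePath)) {
        Write-Warning 'Build fuse has been pulled; aborting before any change is made'
        return 1      # non-zero: fails the task sequence step or the deployment
    }
    # Discard the action's pipeline output so the function returns only the exit code
    $null = & $InstallAction
    return 0
}

# Offline demonstration with a temporary fuse (constructed for this example)
$DemoDir  = Join-Path $env:TEMP 'BUILDFUSE'
$DemoFuse = Join-Path $DemoDir 'BUILDFUSE'
New-Item -Path $DemoDir -ItemType Directory -Force | Out-Null
New-Item -Path $DemoFuse -ItemType File -Force | Out-Null

# Fuse in place: the action runs
Invoke-GuardedInstall -FusePath $DemoFuse -InstallAction { Write-Host 'installing...' }
# Pull the fuse: the action is skipped
Remove-Item -Path $DemoFuse -Force
Invoke-GuardedInstall -FusePath $DemoFuse -InstallAction { Write-Host 'this never runs' }

# In a real install script the guard wraps the actual install and its result becomes
# the script's exit code (assumed UNC path, not from the post):
#   exit (Invoke-GuardedInstall -FusePath '\\deployserver\deploy$\BUILDFUSE\BUILDFUSE' -InstallAction { Start-Process msiexec.exe -ArgumentList '/i app.msi /qn' -Wait })
```

Whoever can delete the fuse file can halt every deployment that checks it, and whoever can create it can resume them, so the share permissions on the BUILDFUSE folder deserve the same care as the deployment share itself.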

05 October 2017

Conditional Task Sequence Reboot in SCCM and MDT

Recently, I built and published the Dell driver update script, which may or may not require a reboot. I added the script as a task sequence step in MDT and made the following step a reboot. Thinking about it, the reboot may not be required, and then it is a waste of time. To get around this, I decided to investigate a conditional reboot.

To implement this, I used the standard Restart Computer task sequence step and added conditions on the Options tab, shown below.


Here is a screenshot of each of the three keys:




I tested this by injecting the specified registry keys, and the conditions work great. One thing you will encounter when creating a condition that tests just for the existence of a key without a value is that the editor requires a value, as shown below. I entered a blank space in that field and it worked.


There is one additional attribute to look at, and that is a pending reboot as determined by the Configuration Manager client. It is the following:

(([wmiclass]"\\.\root\ccm\ClientSDK:CCM_ClientUtilities").DetermineIfRebootPending()).RebootPending

So far, I have not been able to incorporate this as a condition using a WQL query. The Query WMI condition only evaluates a WQL query, which can return instances and properties but cannot invoke a method such as DetermineIfRebootPending. I am likely going to have to create an additional task sequence step that runs PowerShell and sets an MDT/SCCM variable with a boolean value, and then condition the reboot on that variable. That is on my list.
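The additional step described above, as an added example that is not code from the original post: a PowerShell script that evaluates the usual Windows pending-reboot indicators plus the ConfigMgr client check quoted above and publishes the result as a task sequence variable. The three registry locations are the standard Windows indicators; that they match the three keys in the post's screenshots is an assumption, and the variable name RebootPending is chosen for this example.

```powershell
# Added example (not the post's own code): pending-reboot detection published as a
# task sequence variable. Registry locations are the standard Windows indicators
# (assumed to match the post's screenshots); the variable name is an assumption.

function Test-PendingReboot {
    <#
        .SYNOPSIS
            Returns $true when Windows or the ConfigMgr client reports a pending reboot
    #>
    [CmdletBinding()][OutputType([bool])]
    param ()

    $reasons = @()
    # Component Based Servicing: a servicing operation (driver or update install) wants a reboot
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
        $reasons += 'ComponentBasedServicing'
    }
    # Windows Update has installed something that requires a reboot
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
        $reasons += 'WindowsUpdate'
    }
    # Files queued to be renamed or deleted at the next boot (in-use driver files end up here)
    $sessionManager = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sessionManager -and $sessionManager.PendingFileRenameOperations) {
        $reasons += 'PendingFileRenameOperations'
    }
    # ConfigMgr client: DetermineIfRebootPending is a WMI method, which is why it cannot be
    # expressed as a Query WMI condition; the namespace is simply absent on an MDT-only build
    try {
        $ccm = ([wmiclass]"\\.\root\ccm\ClientSDK:CCM_ClientUtilities").DetermineIfRebootPending()
        if ($ccm.RebootPending -or $ccm.IsHardRebootPending) {
            $reasons += 'ConfigMgrClient'
        }
    } catch {
        Write-Verbose 'ConfigMgr client SDK not available; skipping CCM_ClientUtilities check'
    }
    Write-Verbose ('Pending reboot indicators: ' + $(if ($reasons) { $reasons -join ', ' } else { 'none' }))
    return ($reasons.Count -gt 0)
}

function Set-TaskSequenceVariable {
    <#
        .SYNOPSIS
            Sets a task sequence variable; returns $false when not running inside a task sequence
    #>
    [CmdletBinding()][OutputType([bool])]
    param (
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Value
    )
    try {
        # The Microsoft.SMS.TSEnvironment COM object only exists while a task sequence is running
        $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
        $tsenv.Value($Name) = $Value
        return $true
    } catch {
        Write-Warning "Not running inside a task sequence; $Name would have been set to '$Value'"
        return $false
    }
}

$pending = Test-PendingReboot -Verbose
Set-TaskSequenceVariable -Name 'RebootPending' -Value $pending.ToString() | Out-Null
```

Run this as a Run PowerShell Script step directly after the driver update step, then give the Restart Computer step a Task Sequence Variable condition of RebootPending equals True. Outside a task sequence the script still runs and only warns that the variable could not be set, which makes it easy to test on a workstation.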

04 October 2017

Trusted Sites Report

Recently, we had to add a new trusted site to the trusted sites GPO. As you may know, if the GPO contains a lot of trusted sites, it can be cumbersome to determine whether a site is already in there. I wrote this PowerShell script to generate a report listing all trusted sites. The GPO writes its Site to Zone Assignment List to the ZoneMapKey policy key, where each value name is a site pattern and the value data is the zone number (1 = Local Intranet, 2 = Trusted Sites, 4 = Restricted Sites), so only entries whose data is 2 are actually Trusted Sites. The script grabs both user-based and machine-based trusted sites and separates them in the report. The report is displayed on the screen, with the option to write it to a text file by specifying the FileOutput switch (and, optionally, a FileName).

You can download the script from my GitHub site located here.


 <#  
      .SYNOPSIS  
           Trusted Sites Report  
        
      .DESCRIPTION  
           This script retrieves the sites that Group Policy assigns to the Trusted Sites zone (zone 2 in the Site to Zone Assignment List), for both the user and the machine policy, displays them, and optionally writes the list to a text file in the same directory as the script.  
        
      .PARAMETER FileOutput  
           Specifies to write output to a file  
        
      .PARAMETER FileName  
           Name of the file to write the output to  
        
      .NOTES  
           ===========================================================================  
           Created with:    SAPIEN Technologies, Inc., PowerShell Studio 2017 v5.4.143  
           Created on:      10/3/2017 2:23 PM  
           Created by:      Mick Pletcher  
           Filename:        TrustedSitesReport.ps1  
           ===========================================================================  
 #>  
 [CmdletBinding()]  
 param  
 (  
      [switch]$FileOutput,  
      [ValidateNotNullOrEmpty()][string]$FileName = 'TrustedSitesReport.txt'  
 )  
   
 function Get-RelativePath {  
 <#  
      .SYNOPSIS  
           Get the relative path  
        
      .DESCRIPTION  
           Returns the location of the currently running PowerShell script  
 #>  
        
      [CmdletBinding()][OutputType([string])]  
      param ()  
        
      $Path = (split-path $SCRIPT:MyInvocation.MyCommand.Path -parent) + "\"  
      Return $Path  
 }  
   
 function Get-ZoneMapSites {  
 <#  
      .SYNOPSIS  
           Get the sites assigned to a zone  
        
      .DESCRIPTION  
           Reads a ZoneMapKey policy key, where each value name is a site pattern and the value data is the zone number (1 = Local Intranet, 2 = Trusted Sites, 4 = Restricted Sites), and returns the sorted site patterns assigned to the requested zone  
 #>  
        
      [CmdletBinding()][OutputType([string[]])]  
      param  
      (  
           [Parameter(Mandatory = $true)][string]$Path,  
           [int]$Zone = 2  
      )  
        
      $Key = Get-Item -Path $Path -ErrorAction SilentlyContinue  
      If ($Key -eq $null) {  
           Return @()  
      }  
      #Keep only the entries whose data is the requested zone number  
      $Sites = $Key.Property | Where-Object { [string]$Key.GetValue($_) -eq [string]$Zone } | Sort-Object  
      Return @($Sites)  
 }  
   
 #User based trusted sites  
 $HKCU = @(Get-ZoneMapSites -Path "HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey")  
 #Local machine based trusted sites  
 $HKLM = @(Get-ZoneMapSites -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey")  
 #Build the report once so the screen and the file receive the same text  
 $Report = @()  
 If ($HKCU.Count -gt 0) {  
      $Report += "HKEY_CURRENT_USER"  
      $Report += $HKCU  
      #Separator between the two sections  
      $Report += " "  
 }  
 If ($HKLM.Count -gt 0) {  
      $Report += "HKEY_LOCAL_MACHINE"  
      $Report += $HKLM  
 }  
 If ($Report.Count -eq 0) {  
      $Report += "No Trusted Sites are assigned by Group Policy"  
 }  
 #Display to the screen  
 $Report  
 #Write the report to the file only when -FileOutput is specified  
 If ($FileOutput.IsPresent) {  
      #Define the path to the output file  
      $File = (Get-RelativePath) + $FileName  
      #Overwrite the output file if it already exists  
      $Report | Out-File -FilePath $File -Force  
 }  
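The report above lists the patterns; the question that started the post (is this site already covered?) still means reading through them by hand. As an added example that is not part of the original script, the function below matches a URL against the Site to Zone Assignment List, honouring the two rules that most often cause surprises: a `*` wildcard in the pattern, and an entry that names a scheme (an http:// entry does not cover https://). It only handles host-name patterns, not the IP address ranges the policy also accepts, and IE's own matching is looser than this exact-host comparison, so treat a "no match" as a prompt to check rather than a verdict. The sample zone map is constructed; Get-PolicyZoneMap reads the live machine policy.

```powershell
# Added example (not the post's own code): match a URL against Site to Zone
# Assignment List entries. Sample zone map is constructed; host-name patterns only.

function Get-PolicyZoneMap {
    # Reads a ZoneMapKey policy key into a hashtable of site pattern -> zone number (as string)
    [CmdletBinding()][OutputType([hashtable])]
    param (
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    )
    $map = @{}
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.Property) { $map[$name] = [string]$key.GetValue($name) }
    }
    return $map
}

function Find-ZoneAssignment {
    <#
        .SYNOPSIS
            Returns every zone map entry that covers the given URL, with its zone
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)][string]$Url,
        [Parameter(Mandatory = $true)][hashtable]$ZoneMap
    )
    $ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
    $uri = $null
    if (-not [uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) {
        $uri = [uri]"http://$Url"     # a bare host name is treated as http
    }
    foreach ($pattern in $ZoneMap.Keys) {
        $hostPattern = $pattern
        $schemeRestriction = $null
        if ($pattern -match '^([A-Za-z][A-Za-z0-9+.-]*)://(.+)$') {
            $schemeRestriction = $Matches[1]
            $hostPattern = $Matches[2]
        }
        # A scheme in the entry limits it to that scheme: an http:// entry does not cover https://
        if ($schemeRestriction -and $schemeRestriction -ne $uri.Scheme) { continue }
        # Turn the site pattern into a regex: '*' matches anything, everything else is literal
        $regex = '^' + ([regex]::Escape($hostPattern) -replace '\\\*', '.*') + '$'
        if ($uri.Host -match $regex) {
            [pscustomobject]@{
                Url      = $Url
                Pattern  = $pattern
                Zone     = [int]$ZoneMap[$pattern]
                ZoneName = $ZoneNames[[int]$ZoneMap[$pattern]]
            }
        }
    }
}

# Constructed sample Site to Zone Assignment List (value name = site pattern, data = zone)
$SampleZoneMap = @{
    'https://portal.contoso.com' = '2'
    '*.contoso.com'              = '2'
    'http://legacy.fabrikam.net' = '2'
    '*.badsite.example'          = '4'
}

# Covered twice: by the explicit https entry and by the wildcard
Find-ZoneAssignment -Url 'https://portal.contoso.com/login' -ZoneMap $SampleZoneMap | Format-Table -AutoSize
# Not covered: the only entry for this host is restricted to http
Find-ZoneAssignment -Url 'https://legacy.fabrikam.net' -ZoneMap $SampleZoneMap | Format-Table -AutoSize
# Against the live machine policy:
#   Find-ZoneAssignment -Url 'https://intranet.contoso.com' -ZoneMap (Get-PolicyZoneMap)
```

Because the function returns every matching entry rather than the first, it also shows when a host is assigned to more than one zone (for example a Trusted Sites wildcard that overlaps a Restricted Sites entry), which is worth knowing before adding yet another pattern to the GPO.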