23 October 2017

Infineon TPM Vulnerability Report using SCCM (CVE-2017-15361)

This weekend, I listened to Security Now's KRACKing WiFi podcast, Episode 633, where they discussed the TPM vulnerability. Finding out exactly what to look for was tedious. I finally ran across Lode Vanstechelman's blog entry, which told exactly what to look for. The only thing it does not address is using SCCM to find vulnerable systems. Since the check comes down to a specific TPM manufacturer ID and a set of firmware versions, SCCM is a great tool for finding the affected systems across a large network.

As listed on Lode's site, the manufacturer ID to look for is 1229346816 (Infineon). If that ID is present, then the following firmware versions are affected:

  • 4.00 to 4.33
  • 4.40 to 4.42
  • 5.00 to 5.61
  • 6.00 to 6.42
  • 7.00 to 7.61
  • 133.00 to 133.32

NOTE: The firm I work at did not have any systems that met the manufacturer ID criteria, so the WQL below is written without the ability to test it. Treat it as a template. I would appreciate feedback on whether it needs to be modified or not.

Here is the WQL query:

 select SMS_R_System.Name, SMS_G_System_TPM.ManufacturerId, SMS_G_System_TPM.ManufacturerVersion
 from SMS_R_System
 inner join SMS_G_System_TPM on SMS_G_System_TPM.ResourceID = SMS_R_System.ResourceId
 where SMS_G_System_TPM.ManufacturerId = 1229346816
 and ((SMS_G_System_TPM.ManufacturerVersion >= "4" and SMS_G_System_TPM.ManufacturerVersion <= "4.33")
   or (SMS_G_System_TPM.ManufacturerVersion >= "4.40" and SMS_G_System_TPM.ManufacturerVersion <= "4.42")
   or (SMS_G_System_TPM.ManufacturerVersion >= "5" and SMS_G_System_TPM.ManufacturerVersion <= "5.61")
   or (SMS_G_System_TPM.ManufacturerVersion >= "6" and SMS_G_System_TPM.ManufacturerVersion <= "6.42")
   or (SMS_G_System_TPM.ManufacturerVersion >= "7" and SMS_G_System_TPM.ManufacturerVersion <= "7.61")
   or (SMS_G_System_TPM.ManufacturerVersion >= "133" and SMS_G_System_TPM.ManufacturerVersion <= "133.32"))
 order by SMS_G_System_TPM.ManufacturerId
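One caveat worth checking before trusting the query: ManufacturerVersion is a string, so the WQL compares versions by character order, and a full version such as "5.61.2785.0" sorts after "5.61" and falls outside the range. The following is an added example, not code from the post, that applies the post's manufacturer ID and version ranges numerically and, beside it, emulates the query's string ordering so the two can be compared on constructed inventory rows (the hostnames, rows and the non-Infineon ID are made up).

```python
INFINEON_MANUFACTURER_ID = 1229346816  # 0x49465800, "IFX" as a big-endian int

# Affected ManufacturerVersion ranges from the post, as (major, minor) bounds.
AFFECTED_RANGES = [
    ((4, 0), (4, 33)), ((4, 40), (4, 42)), ((5, 0), (5, 61)),
    ((6, 0), (6, 42)), ((7, 0), (7, 61)), ((133, 0), (133, 32)),
]

# The same bounds as the string literals the WQL query compares against.
WQL_STRING_RANGES = [("4", "4.33"), ("4.40", "4.42"), ("5", "5.61"),
                     ("6", "6.42"), ("7", "7.61"), ("133", "133.32")]


def parse_version(version):
    """Return (major, minor) from strings such as '5.61' or '5.61.2785.0'."""
    parts = version.strip().split(".")
    major = int(parts[0])
    minor = int(parts[1]) if len(parts) > 1 else 0
    return major, minor


def is_affected(manufacturer_id, version):
    """Numeric check: Infineon ID and major.minor inside an affected range."""
    if int(manufacturer_id) != INFINEON_MANUFACTURER_ID:
        return False
    ver = parse_version(version)
    return any(low <= ver <= high for low, high in AFFECTED_RANGES)


def wql_string_match(manufacturer_id, version):
    """Emulates the post's WQL: plain string ordering on ManufacturerVersion."""
    if int(manufacturer_id) != INFINEON_MANUFACTURER_ID:
        return False
    return any(low <= version <= high for low, high in WQL_STRING_RANGES)


# Constructed rows in the shape of v_GS_TPM (hostname, ManufacturerId0,
# ManufacturerVersion0); these are not real inventory data.
SAMPLE_ROWS = [
    ("PC01", 1229346816, "5.61.2785.0"),  # affected, but string order misses it
    ("PC02", 1229346816, "7.62.3126.0"),  # above 7.61, not affected
    ("PC03", 1229346816, "4.32"),         # affected, both checks agree
    ("PC04", 1095582720, "1.3.2.1"),      # constructed non-Infineon ID, ignored
]


def compare_checks(rows=SAMPLE_ROWS):
    """Return {host: (numeric_result, wql_string_result)} for every row."""
    return {name: (is_affected(mid, ver), wql_string_match(mid, ver))
            for name, mid, ver in rows}
```

Any host where the two results differ is one the string-ordered query would misreport, so the safer course is to pull every row with the Infineon ID and do the version comparison outside WQL.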

5 comments:

  1. select fc.Netbios_Name0, fc.User_Name0, sys.ManufacturerId0, sys.ManufacturerVersion0
     from v_GS_TPM sys
     inner join v_R_System fc on sys.ResourceID = fc.ResourceID
     where sys.ManufacturerId0 like '1229346816'

  2. I realize this is an old post, but found it interesting. I added the WQL code to a query in SCCM and it came back empty so I assume our systems are affected, but I'm still relatively new to SCCM. Is a query the right way to use this code?

  3. Hey Mick
    Thought I'd link a post on behalf of Lenovo on a possible way to solve this for Think products.

    https://thinkdeploy.blogspot.com/2017/11/patching-ifx-tpm-vulnerability-on-think.html

    Thanks for all of your contributions to the community!
