Running the Intel Meltdown Detection Tool

(Update: 1/5/2018 9:51AM — By the time I finished this entry, both Microsoft and US-CERT removed their recommendation that this was actually a detection tool for Meltdown/Spectre. It goes without saying, a number of people are running in circles about this situation. Including myself. As the community gets a better hold on this issue, I will continue to provide updates as I get them)

All the reading that I’ve been doing over the past 2 days left me with one question? What can I do to protect myself? All the talk has been updating software but that isn't enough. We’re talking about a vulnerability in hardware. Patching software is simply a band-aid to a hardware issue.

US-CERT provided a critical update on the situation.

For those of you not familiar with US-CERT, I recommend you get familiar.

Start by visiting and subscribing to their email alerts. “US-CERT strives for a safer, stronger Internet for all Americans by responding to major incidents, analyzing threats, and exchanging critical cybersecurity information with trusted partners around the world.”

Their word’s not mine.

Lets cut to the chase.

I received an alert from US-CERT about the Meltdown/Spectre issue. Within the email they provided and email to a Detection/Mitigation Tool. Here I am going to guide you through the process

Proof US-CERT recommended Intel-SA-00075. This recommendation no longer exists on their website and there is no reference to it being removed

STOP HERE: If you plan on following along and you are using any form of Whole Disk Encryption (i.e. BitLocker, PGP WDE) ensure you have your recovery key on hand, as you will be required to use it after updating your BIOS

  1. Visit the following link: INTEL-SA-00075 Detection and Mitigation Tool (Windows)
  2. UnZip the contents and run Intel-SA-00075 Detection and Mitigation Tool.msi
  3. This will install to the following directory: C:\Program Files (x86)\Intel\Intel-SA-00075 Detection and Mitigation Tool
  4. Run Intel-SA-00075-gui.exe

Running this program will let you know if you current system is vulnerable.

We ran this on a Dell E7450. Our system was vulnerable.

Time to mitigate this.

Intel recommends that you first use this Detection and Mitigation tool to “unprovision the Intel manageability SKU to address the network privilege escalation vulnerability”

5. Open a command prompt, navigate to the directory where the detection tool extracts to and enter the following command.

Once this is complete it is recommended to update your BIOS pending your manufacturer has a new one released.

This is where it got confusing. So follow along:

The US-CERT Alert lead me to the Intel-SA0075 Detection and Mitigation Tool.

That tool’s website lead me to Intel’s Public Security Advisory Page which provides more detail on the issue.

There I located a link to Dell’s response to Intel Security Advisory.

They provided a PDF of all workstation and server models that have a updated version of the BIOS to address this issue.

Within the PDF, I located my laptop’s make and model for (Latitude E7450) and discovered that BIOS update A16 contained firmware version mitigated the issue

Do you feel incepted yet?

6. After downloading the firmware its finally time to update my BIOS

Below, you can see here I am going from BIOS A03 to A16.

Most importantly you can see my Intel Management Engine going from v10.0.33.1012 to v10.0.55.3000

Per Intel’s Detection and Mitigation guide, any firmware with a build value less than 3000 is vulnerable. The fact that my processor SKU is Intel Full AMT Manageability AND firmware version the detection tool deemed me vulnerable.

Clicking OK my BIOS updated and prompted for a reboot

You can see here, the update is flashing and updating

After completing the update I was met with a not so pleasant surprise…..

Since I am manipulating the hardware on my PC, BitLocker no longer trusts my unlock pin. It is basically ensuring that I am not trying to bypass the protection. After freaking out for 1.5sec, I remembered that my recover key is stored in AirWatch, my Mobile Device Management Platform.

After retrieving the key from AirWatch for my device, I completed the reboot and was back into Windows.

7. To ensure that my hardware has been patched, I ran the Detection and Mitigation tool again (C:\Program Files (x86)\Intel\Intel-SA-00075 Detection and Mitigation Tool\Intel-SA-00075-gui.exe).

I am fixed, but not without some confusion due to the wording.

I hope this was easy enough to follow along.

Here at Think|Stack we are going to be devising a way to script this detection and mitigation tool utilizing our LabTech agent to allow this to run across our client base. Once we get an understanding of what systems are vulnerable, our next step deliver patches while minimizing impact to our clients.