Detect Microsoft ADV170012 vulnerable machines via Configuration Manager

Microsoft published yesterday a security advisory (ADV170012 -Vulnerability in TPM could allow Security Feature Bypass), that shows a key generation weakness in Infineon’s TPM chip firmware.
To solve the issue we first have to update the firmware of all vulnerable machines, so we have to identify them. As always, ‘Configuration Manager – Hardware Inventory’ can collect the required information.
Ensure you are collecting TPM and BIOS information.

Inventory_TPM

Inventory_BIOS

Based on the available data we can create a query that lists all vulnerable machines by the ManufacturerID and vulnerable TPM firmware version:


select SMS_R_System.Name, SMS_G_System_TPM.ManufacturerId, SMS_G_System_TPM.ManufacturerVersion, SMS_G_System_COMPUTER_SYSTEM.Manufacturer, SMS_G_System_COMPUTER_SYSTEM.Model, SMS_G_System_PC_BIOS.SMBIOSBIOSVersion from SMS_R_System inner join SMS_G_System_TPM on SMS_G_System_TPM.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_PC_BIOS on SMS_G_System_PC_BIOS.ResourceId = SMS_R_System.ResourceId where SMS_G_System_TPM.ManufacturerId = 1229346816 and (SMS_G_System_TPM.ManufacturerVersion like "4.%" and (SMS_G_System_TPM.ManufacturerVersion <= "4.33" or SMS_G_System_TPM.ManufacturerVersion >= "40" and SMS_G_System_TPM.ManufacturerVersion <= "42") or SMS_G_System_TPM.ManufacturerVersion like "5.%" and SMS_G_System_TPM.ManufacturerVersion <= "5.61" or SMS_G_System_TPM.ManufacturerVersion like "6.%" and SMS_G_System_TPM.ManufacturerVersion <= "6.42" or SMS_G_System_TPM.ManufacturerVersion like "7.%" and SMS_G_System_TPM.ManufacturerVersion <= "7.61" or SMS_G_System_TPM.ManufacturerVersion like "133.%" and SMS_G_System_TPM.ManufacturerVersion <= "133.32")

After updating the firmware, do not forget to decide if and how to remediate services already configured based on weak keys e.g. BitLocker.

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s