This weekend, I listened to Security Now's "KRACKing WiFi" podcast, Episode 633, where they discussed the TPM vulnerability. Finding out exactly what to look for was tedious. I finally ran across Lode Vanstechelman's blog entry, which spells out exactly what to look for. The only thing it does not address is using SCCM to find vulnerable systems. Since you are looking for a specific TPM manufacturer ID and a set of firmware version ranges, SCCM is a great tool for finding those systems across a large network.
As listed on Lode's site, you are looking for Manufacturer ID 1229346816. If that ID is present, then the following versions are affected:
- 4.00 to 4.33
- 4.40 to 4.42
- 5.00 to 5.61
- 6.00 to 6.42
- 7.00 to 7.61
- 133.00 to 133.32
NOTE: The firm I work at did not have any systems that met the manufacturer ID criteria. The WQL below is written without the ability to test it. Treat it as a template. I would appreciate it if you could leave feedback on whether it needs to be modified or not.
Here is the WQL query:
select SMS_R_System.Name,
       SMS_G_System_TPM.ManufacturerId,
       SMS_G_System_TPM.ManufacturerVersion
from SMS_R_System
inner join SMS_G_System_TPM on SMS_G_System_TPM.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_TPM.ManufacturerId = 1229346816
  and ((SMS_G_System_TPM.ManufacturerVersion >= "4"   and SMS_G_System_TPM.ManufacturerVersion <= "4.33")
    or (SMS_G_System_TPM.ManufacturerVersion >= "4.40" and SMS_G_System_TPM.ManufacturerVersion <= "4.42")
    or (SMS_G_System_TPM.ManufacturerVersion >= "5"   and SMS_G_System_TPM.ManufacturerVersion <= "5.61")
    or (SMS_G_System_TPM.ManufacturerVersion >= "6"   and SMS_G_System_TPM.ManufacturerVersion <= "6.42")
    or (SMS_G_System_TPM.ManufacturerVersion >= "7"   and SMS_G_System_TPM.ManufacturerVersion <= "7.61")
    or (SMS_G_System_TPM.ManufacturerVersion >= "133" and SMS_G_System_TPM.ManufacturerVersion <= "133.32"))
order by SMS_G_System_TPM.ManufacturerId
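One caveat on the WQL above: ManufacturerVersion is a string in SMS_G_System_TPM, so the range checks are lexical. That works for the two-digit minor versions listed above, but a version reported as 133.5 would sort above 133.32 and be missed, and a longer string such as 7.61.1234.0 sorts above 7.61. Treat the SCCM result as a candidate list and confirm on the host. The script below is an added example, not code from the original post or from Lode's site: it reads the same WMI class that SCCM hardware inventory collects from (Win32_Tpm in root\cimv2\Security\MicrosoftTpm), compares major.minor as numbers, and reports the same columns as the query. The function names, the default computer list and the output labels are assumptions for illustration; it needs elevated rights locally and WinRM for remote hosts.

```powershell
# Added example (not from the original post): host-side check using the
# manufacturer ID and version ranges listed above, with numeric comparison.

# Manufacturer ID from the post (decimal). Decoded as big-endian ASCII it
# reads "IFX" followed by a NUL byte.
$AffectedManufacturerId = [uint32]1229346816

# Affected firmware ranges from the post, parsed as [version] so that
# major.minor compares numerically (133.5 is below 133.32 here, not above).
$AffectedRanges = @(
    @{ Min = [version]'4.0';   Max = [version]'4.33'   },
    @{ Min = [version]'4.40';  Max = [version]'4.42'   },
    @{ Min = [version]'5.0';   Max = [version]'5.61'   },
    @{ Min = [version]'6.0';   Max = [version]'6.42'   },
    @{ Min = [version]'7.0';   Max = [version]'7.61'   },
    @{ Min = [version]'133.0'; Max = [version]'133.32' }
)

# Decode a TPM manufacturer ID into its ASCII vendor tag as a sanity check
# (the uint32 is the four tag bytes packed big-endian).
function Get-TpmVendorTag {
    param([uint32]$ManufacturerId)
    $bytes = [BitConverter]::GetBytes($ManufacturerId)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }
    return [System.Text.Encoding]::ASCII.GetString($bytes).TrimEnd([char]0)
}

# $true when major.minor of the reported version falls inside one of the
# ranges, $false when it does not, $null when the string cannot be parsed.
function Test-AffectedTpmVersion {
    param([string]$ManufacturerVersion)
    $parsed = $null
    if (-not [version]::TryParse($ManufacturerVersion, [ref]$parsed)) { return $null }
    # Win32_Tpm may report "7.61" or a longer "7.61.1234.0"; compare major.minor only.
    $majorMinor = [version]"$($parsed.Major).$($parsed.Minor)"
    foreach ($range in $AffectedRanges) {
        if ($majorMinor -ge $range.Min -and $majorMinor -le $range.Max) { return $true }
    }
    return $false
}

# Query one or more hosts and emit one row per host with the WQL's columns.
function Get-TpmVulnerabilityStatus {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))   # assumption: local host by default
    foreach ($computer in $ComputerName) {
        $query = @{
            Namespace   = 'root\cimv2\Security\MicrosoftTpm'
            ClassName   = 'Win32_Tpm'
            ErrorAction = 'Stop'
        }
        if ($computer -ne $env:COMPUTERNAME) { $query.ComputerName = $computer }
        $tpm = $null
        $queryError = 'no TPM instance reported'
        try { $tpm = Get-CimInstance @query } catch { $queryError = $_.Exception.Message }

        if ($null -eq $tpm) {
            [pscustomobject]@{ Name = $computer; ManufacturerId = $null; Vendor = $null
                               ManufacturerVersion = $null; Affected = "Unknown ($queryError)" }
            continue
        }

        $versionHit = Test-AffectedTpmVersion $tpm.ManufacturerVersion
        $affected = if ($tpm.ManufacturerId -ne $AffectedManufacturerId) { 'No (other vendor)' }
                    elseif ($null -eq $versionHit) { 'Unknown (unparsable version string)' }
                    elseif ($versionHit) { 'Yes' }
                    else { 'No (version outside affected ranges)' }

        [pscustomobject]@{
            Name                = $computer
            ManufacturerId      = $tpm.ManufacturerId
            Vendor              = Get-TpmVendorTag $tpm.ManufacturerId
            ManufacturerVersion = $tpm.ManufacturerVersion
            Affected            = $affected
        }
    }
}

# Usage: local host by default; pass a list of names from the SCCM result to confirm them.
Get-TpmVulnerabilityStatus | Format-Table -AutoSize
```

Feed the Name column from the SCCM query into -ComputerName to confirm the candidates, and compare the Vendor column against the decoded tag: any row whose ManufacturerId decodes to a different vendor string is a false positive from the query, not a vulnerable TPM.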