Speculative Execution Side-Channel Vulnerabilities Configuration Baseline

This Compliance Settings configuration baseline is used to confirm whether a system has enabled the mitigation needed to protect against the speculative-execution side-channel vulnerabilities described in Microsoft Security Advisories ADV180002, ADV180012, ADV180018, ADV190013.


  • MDS Detection for Non-Vulnerable CPUs
    5 Posts | Last post September 11, 2019
    • Similar to "Darvin S"'s Question before:
      Running Get-SpeculationControlSettings in Version 1.014 against new Intel Xeon Gold 6240 reports:
      BTIHardwarePresent                  : True
      BTIWindowsSupportPresent            : True
      BTIWindowsSupportEnabled            : True
      BTIDisabledBySystemPolicy           : False
      BTIDisabledByNoHardwareSupport      : False
      BTIKernelRetpolineEnabled           : False
      BTIKernelImportOptimizationEnabled  : False
      KVAShadowRequired                   : False
      KVAShadowWindowsSupportPresent      : True
      KVAShadowWindowsSupportEnabled      : False
      KVAShadowPcidEnabled                : False
      SSBDWindowsSupportPresent           : True
      SSBDHardwareVulnerable              : True
      SSBDHardwarePresent                 : True
      SSBDWindowsSupportEnabledSystemWide : True
      L1TFHardwareVulnerable              : False
      L1TFWindowsSupportPresent           : True
      L1TFWindowsSupportEnabled           : False
      L1TFInvalidPteBit                   : 0
      L1DFlushSupported                   : True
      MDSWindowsSupportPresent            : True
      MDSHardwareVulnerable               : False
      MDSWindowsSupportEnabled            : False
      But the baseline reports non-compliant for "MDSWindowsSupportEnabled: False" while "MDSHardwareVulnerable: False". Seems to me like a logic failure for the non-vulnerability regarding MDS too.
      Can we get an update for this?
    • Hello Stefan-Kr
      Can you confirm for me that you are using the latest baseline uploaded on 8/20, Speculative Execution Side-Channel Vulnerabilities_2019.08.07.cab?
    • Hello Yvette,
      yes, confirmed.
    • Hello Yvette,
      is there anything I should provide you to proceed?
      Just to be clear: Get-SpeculationControlSettings in Version 1.0.14 gives for MDS the following result:
      MDSWindowsSupportPresent            : True
      MDSHardwareVulnerable               : False
      MDSWindowsSupportEnabled            : False
      So we should be compliant to this because of "MDSHardwareVulnerable = False" , but your latest Baseline Version 2019.08.07 results in non-compliant because of "MDSWindowsSupportEnabled = False".
    • Hello Stefan-Kr
      I've uploaded a new version of the baseline and we have modified the logic in the MDS CI. Can you give it a try and let us know? Please note that the modified CI is signed with a new cert that needs to be trusted also.
  • Support for i5-8365U
    2 Posts | Last post August 21, 2019
    • Testing this baseline on some new Dell laptop models, it seems to be reporting false negatives of non-compliance.  The "CVE-2017-5754 - Rogue Data Cache Load" for example comes back as non-compliant.  Get-SpeculationControlSettings shows KVAShadowRequired=False, but the CI script thinks it's required. I see there's a hard coded if/then table of model IDs the CI is using to determine whether $kvaShadowRequired=true, however the model ID of the i5-8365U (0x8E) is not in the list.  I suspect there is a similar problem with the "Windows OS support for MDS mitigation is enabled" script.
      Are there any plans to update this baseline anytime soon?
    • Hello Darin
      We have updated the baseline to align with the detection logic in latest version of the SpeculationControl PowerShell module version 1.0.14. Please try the version I've uploaded and let us know.
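The two threads above (MDS on a non-vulnerable Xeon, and KVAShadowRequired on the i5-8365U) describe the same defect: the CI required a mitigation to be enabled even when the module reported the hardware as not affected. The following is an added example of the corrected "not affected OR mitigated" evaluation, written as a script-based CI discovery script; it is not the baseline's own CI code. It assumes the SpeculationControl module (version 1.0.14, as discussed in the thread) is installed on the client and that its -Quiet switch is available to suppress the module's console text, and it uses a constructed sample object mirroring the Xeon Gold 6240 output posted above so it can be run without the module.

```powershell
# Added example, not the baseline's CI script: evaluate SpeculationControl
# output with "not affected OR mitigated" logic, so a CPU that is not
# vulnerable (MDSHardwareVulnerable = False, KVAShadowRequired = False) is
# compliant even when the matching Windows mitigation is not enabled.

function Test-MitigationCompliance {
    param(
        # Object carrying the properties Get-SpeculationControlSettings returns
        [Parameter(Mandatory)] $Settings
    )

    # A mitigation is required only when the hardware is affected.
    $checks = [ordered]@{
        'CVE-2017-5715 Branch Target Injection'       = $Settings.BTIWindowsSupportEnabled -or $Settings.BTIDisabledByNoHardwareSupport
        'CVE-2017-5754 Rogue Data Cache Load'         = (-not $Settings.KVAShadowRequired) -or $Settings.KVAShadowWindowsSupportEnabled
        'CVE-2018-3639 Speculative Store Bypass'      = (-not $Settings.SSBDHardwareVulnerable) -or $Settings.SSBDWindowsSupportEnabledSystemWide
        'CVE-2018-3620 L1 Terminal Fault'             = (-not $Settings.L1TFHardwareVulnerable) -or $Settings.L1TFWindowsSupportEnabled
        'ADV190013 Microarchitectural Data Sampling'  = (-not $Settings.MDSHardwareVulnerable) -or $Settings.MDSWindowsSupportEnabled
    }

    # Per-check result for troubleshooting (visible with -Verbose only).
    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'Compliant' } else { 'NonCompliant' }
        Write-Verbose ('{0}: {1}' -f $name, $state)
    }

    # Collapse to the single string a script-based CI setting compares against.
    if ($checks.Values -contains $false) { 'NonCompliant' } else { 'Compliant' }
}

# Constructed sample mirroring the Xeon Gold 6240 output in the thread:
# BTI enabled, KVA shadow not required, SSBD vulnerable but mitigated,
# L1TF and MDS not vulnerable with the Windows mitigation left off.
$sample = [pscustomobject]@{
    BTIWindowsSupportEnabled            = $true
    BTIDisabledByNoHardwareSupport      = $false
    KVAShadowRequired                   = $false
    KVAShadowWindowsSupportEnabled      = $false
    SSBDHardwareVulnerable              = $true
    SSBDWindowsSupportEnabledSystemWide = $true
    L1TFHardwareVulnerable              = $false
    L1TFWindowsSupportEnabled           = $false
    MDSHardwareVulnerable               = $false
    MDSWindowsSupportEnabled            = $false
}
Test-MitigationCompliance -Settings $sample -Verbose   # Compliant

# On a real client, feed the live module output instead:
# Import-Module SpeculationControl -ErrorAction Stop
# Test-MitigationCompliance -Settings (Get-SpeculationControlSettings -Quiet)
```

With the uncorrected logic (mitigation must be enabled regardless of hardware), the same sample would fail the Rogue Data Cache Load and MDS checks, which is exactly the false non-compliance reported in both threads. Flipping any of the sample's "Vulnerable" or "Required" values to $true while leaving the corresponding "Enabled" value $false makes the function return NonCompliant, so the check still catches a genuinely unmitigated machine.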
  • does not run on 2008 and 2008r2 servers
    2 Posts | Last post June 29, 2019
    • These configuration items are set to run on any platform but do not work on 2008 or 2008r2 servers. Please update the configuration items to work on these platforms, or remove the unsupported platforms from the supported platforms checklist. 
      thank you.
    • Hello Dani
      The CIs should run on Windows Server 2008R2. Be sure you have PowerShell 3.0 or higher installed.
  • Clarification on Certificates
    2 Posts | Last post June 29, 2019
      Following the additional guidance on https://blogs.technet.microsoft.com/configurationmgr/2018/01/08/additional-guidance-to-mitigate-speculative-execution-side-channel-vulnerabilities/ is not yielding the results I'm looking for. I am unable to locate the PSD1 file to extract the cert from. Also, the latest release references TWO certificates, but only one exists in the PSD1 file. Where do I obtain the certificates?
      Can you provide detailed instructions on how to obtain the certificates so I can deploy to the store?
      Can you provide full pathnames and locations of the script 1.0.14 was successfully installed with install-module.
    • Hello Michael
      Here are steps to install both certificates:
      1. In the Configuration Manager Console, navigate to “Configuration Items” and open the CI “CVE-2017-5715-Branch Target Injection”, then navigate to “Settings”, open one of them and click “Edit Script”, then copy the whole script to a new ps1 file, e.g. <filename>.ps1.
      2. Then run the following PowerShell commands to export the cert from the script:
         $cer=Get-AuthenticodeSignature .\<filename>.ps1
         Export-Certificate -Cert $cer.SignerCertificate -FilePath .\<filename>.cer
      3. Install the cert to the “Trusted Publishers” store.
      4. Repeat steps 1-3 to install the other cert from any script in the CIs “CVE-2018-12126, CVE-2018-12130, CVE-2018-3639, …”
      Best Regards
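The following is an added example that automates steps 2 and 3 of the answer above and verifies the result; it is not Microsoft's own instructions. It assumes the CI script copied out of the console was saved as .\CVE-2017-5715.ps1 (a hypothetical file name) and that the PKI module cmdlets Import-Certificate and Export-Certificate are available (Windows 8 / Server 2012 and later).

```powershell
# Added example, not Microsoft's instructions: export the Authenticode signer
# from a CI script, add it to the machine-wide Trusted Publishers store, and
# confirm it is there. File names are hypothetical.

$scriptPath = '.\CVE-2017-5715.ps1'
$cerPath    = '.\CVE-2017-5715-signer.cer'

$sig = Get-AuthenticodeSignature -FilePath $scriptPath
if ($null -eq $sig.SignerCertificate) {
    throw "No Authenticode signature found in $scriptPath; copy the script out of the console again."
}

# Inspect the signer before trusting it: who it is, when it expires, and
# whether the signature is timestamped (a timestamped signature still
# validates after the certificate's NotAfter date, which is why the older
# CIs keep working after the 2018 expiry mentioned elsewhere on this page).
$sig.SignerCertificate | Format-List Subject, Thumbprint, NotBefore, NotAfter
'Timestamped      : {0}' -f ($null -ne $sig.TimeStamperCertificate)
'Signature status : {0}' -f $sig.Status

# Export the signer and import it into LocalMachine\TrustedPublisher. The
# ConfigMgr client evaluates CIs as SYSTEM, so the CurrentUser store is not
# consulted; that is also why a per-user execution policy change does not fix
# the 0x87D00327 "Script is not signed" error.
Export-Certificate -Cert $sig.SignerCertificate -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# Verify by thumbprint rather than trusting the import's exit status.
$trusted = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object Thumbprint -eq $sig.SignerCertificate.Thumbprint
if ($trusted) {
    "Trusted Publishers now contains $($trusted.Subject) [$($trusted.Thumbprint)]"
} else {
    throw 'Import into Trusted Publishers failed'
}
```

Run it once per distinct signer (the answer above notes there are two: one on the CVE-2017-5715 / CVE-2017-5754 CIs, another on the CVE-2018-12126, CVE-2018-12130, CVE-2018-3639 group), then deploy the exported .cer files through your normal certificate distribution. On Windows Server 2008 R2 with PowerShell 3.0, where the PKI module is absent, the export step is the same and `certutil -addstore TrustedPublisher .\CVE-2017-5715-signer.cer` performs the import.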
  • Will the module be updated with ADV190013
    5 Posts | Last post May 31, 2019
    • Are there any plans to include the latest and greatest (ADV190013)? The SpeculationControl module has already been updated to include detection for mitigation:
    • I am waiting for the same as well. Can anyone please confirm if the modules will be added to the baseline?
    • I am also looking for the ADV190013 variants to be included in this configuration baseline.
      Thank you in advance.
      Bob McCulloch
    • Please update with latest ADV190013 
    • Hi everyone, we are working on updating the baseline for the latest advisory ADV190013. I'll have an update in a few days, we need to test our full matrix.
  • Cant evaluate the baseline due to script not signed error
    1 Posts | Last post December 07, 2018
    • Getting the following error in DCMwmiprovider.log:
      "Script is not signed (Error: 87D00327; Source: CCM"
      Tried setting the execution policy to bypass/remotesigned for currentuser but still no success. Is this related to CI certificates not being trusted? If yes, then please advise the next course of action. Thank you
  • Import Failure
    2 Posts | Last post October 23, 2018
    • Looks pretty awesome, I'd love to be able to get it working in our environment, but I'm getting an error during the import: "invalid reference in content" and "the CI contains a missing or invalid CI reference". That's using the latest version of the published baseline...
      Running 1802 version of SCCM - any tips/help would be appreciated :)
      Referenced configuration items are not available yet: <MissingReferences><Reference RelationType="2" ModelName="ScopeId_9BF44017-A912-4E27-9D16-EC8C789D8D9C/LogicalName_16df7ae9-3484-436b-9509-d5498b9398af"/><Reference RelationType="2" ModelName="ScopeId_9BF44017-A912-4E27-9D16-EC8C789D8D9C/LogicalName_590f8348-bb8e-4822-9077-5747b831c63f"/><Reference RelationType="2" ModelName="ScopeId_9BF44017-A912-4E27-9D16-EC8C789D8D9C/LogicalName_6c5e6a70-bb8e-4609-bd2f-45f4ca6e1306"/><Reference RelationType="2" ModelName="ScopeId_9BF44017-A912-4E27-9D16-EC8C789D8D9C/LogicalName_89ec82af-ecfd-4948-bef5-6b00c104aeb6"/></MissingReferences>
    • Hello michaelbernard81
      We cannot reproduce this error in our test labs. Can you give some more information about your environment? Have you imported previous versions of this baseline etc.?
  • Script is signed with a expired Certificate
    4 Posts | Last post August 23, 2018
    • Could you please resign the script with a valid certificate? 
      The actual certificate expired on 11th August 2018.
    • Hello Stefan
      Since the cert was valid at the time we signed the scripts for the first two CIs (CVE-2017-5715 - Branch target injection and CVE-2017-5754 - Rogue data cache load) things will work.  The second two CIs (CVE-2018-3639 - Speculative store bypass and CVE-2018-3620 - L1 Terminal Fault) are signed with a new cert.
    • Hello Yvette,
      I was requesting a resign with a non-expired certificate, because after importing "ADV180002 - Speculative Execution Side-Channel Vulnerabilities_2018.07.31.cab" on August 15 we got "0x87D00327 Script is not signed" for the SSB checks. We've overlapped with "ADV180002 - Speculative Execution Side-Channel Vulnerabilities_2018.08.15.cab", so I'll try this now with fingers crossed that the error will be fixed with that version.
    • Hello Yvette,
      I can confirm, deploying both certificates and using "ADV180002 - Speculative Execution Side-Channel Vulnerabilities_2018.08.15.cab" works flawlessly.
      Thanks a lot!
  • L1TF/Foreshadow
    2 Posts | Last post August 21, 2018
    • Hi,
      could you update the baseline with the L1TF detection? The SpeculationControl PS Module has already been updated.
      Thanks and regards,
    • Hello Daniel,
      We have published an update to the baseline that includes a new CI with the detection for mitigations for CVE-2018-3620 - L1 Terminal Fault. Please give it a try.
  • CI CVE-2018-3639 requires 32bit script engine?
    2 Posts | Last post August 03, 2018
    • Any idea why CI CVE-2018-3639 runs only with “Run script by using the 32-bit scripting host” enabled, but running fine on 64bit for the other two CIs? CVE-2018-3639 fails with 0x80070001 – Incorrect function.
    • Hello sigurd_ch
      We don't require the 32-bit scripting host for any of the CIs and we tested all the CIs without. Can you give us some details of your environment? PowerShell version, OS version, CM version etc. We will try to reproduce this.