Speculative Execution Side-Channel Vulnerabilities Configuration Baseline

This Compliance Settings configuration baseline is used to confirm whether a system has enabled the mitigations needed to protect against the speculative-execution side-channel vulnerabilities described in Microsoft Security Advisories ADV180002, ADV180012, ADV180018 and ADV190013. Its detection logic follows the SpeculationControl PowerShell module (version 1.0.14 at the time of the latest update), and the CI scripts are Authenticode-signed, so the signing certificates must be present in the clients' Trusted Publishers store before the baseline can evaluate (see the certificate threads below).

System Center
8/21/2019


  • Support for i5-8365U
    2 Posts | Last post 1:20 AM
    • Testing this baseline on some new Dell laptop models, it seems to be reporting false negatives of non-compliance. The "CVE-2017-5754 - Rogue Data Cache Load", for example, comes back as non-compliant. Get-SpeculationControlSettings shows KVAShadowRequired=False, but the CI script thinks it's required. I see there's a hard-coded if/then table of model IDs the CI is using to determine whether $kvaShadowRequired=true; however, the model ID of the i5-8365U (0x8E) is not in the list. I suspect there is a similar problem with the "Windows OS support for MDS mitigation is enabled" script.
      
      Are there any plans to update this baseline anytime soon?
    • Hello Darin
      
      We have updated the baseline to align with the detection logic in the latest version of the SpeculationControl PowerShell module, version 1.0.14. Please try the version I've uploaded and let us know.
      
      Thanks
      -Yvette
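The question above contrasts a hard-coded CPU model table with the module's own KVAShadowRequired flag. The following is an added example, not the baseline's own CI script, of a Configuration Manager discovery script that decides compliance from the SpeculationControl module's "required"/"vulnerable" flags instead. It assumes the SpeculationControl module (1.0.14 or later) is installed on the client and that Get-SpeculationControlSettings -Quiet returns an object with the property names used below (taken from that module's output; treat them as an assumption if your version differs). It covers both checks the question mentions, KVA shadow (CVE-2017-5754) and MDS:

```powershell
# Added example (not the gallery baseline's CI script): compliance decided from the
# SpeculationControl module's own flags rather than a hard-coded model ID list.
# Assumes: SpeculationControl module 1.0.14+ is importable on the client, and the
# property names below match its Get-SpeculationControlSettings output.

function Test-MitigationCompliance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('KVAShadow', 'MDS')][string]$Check,
        # The module's result object; defaults to querying the live system.
        [psobject]$Settings = (Get-SpeculationControlSettings -Quiet)
    )

    switch ($Check) {
        'KVAShadow' {
            # KVAShadowRequired is the module's CPU-level decision. Hardware that
            # reports it does not need KVA shadowing is compliant with nothing
            # enabled; otherwise OS support must be both present and enabled.
            $required  = [bool]$Settings.KVAShadowRequired
            $mitigated = [bool]$Settings.KVAShadowWindowsSupportPresent -and
                         [bool]$Settings.KVAShadowWindowsSupportEnabled
        }
        'MDS' {
            # Same pattern for MDS (ADV190013): only vulnerable hardware needs
            # the Windows OS support to be present and enabled.
            $required  = [bool]$Settings.MDSHardwareVulnerable
            $mitigated = [bool]$Settings.MDSWindowsSupportPresent -and
                         [bool]$Settings.MDSWindowsSupportEnabled
        }
    }

    if (-not $required -or $mitigated) { 'Compliant' } else { 'Non-Compliant' }
}

# Configuration Manager compares the script's output against the setting's
# compliance rule; configure the rule as "equals Compliant" and point one
# setting at each check.
Test-MitigationCompliance -Check KVAShadow
```

Because the decision is delegated to the module, a new CPU model that the module already knows about (such as the i5-8365U in the question) is handled without touching the CI; the trade-off is that the module must be deployed to every client the baseline targets.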
  • Does not run on 2008 and 2008 R2 servers
    2 Posts | Last post June 29, 2019
    • These configuration items are set to run on any platform but do not work on 2008 or 2008r2 servers. Please update the configuration items to work on these platforms, or remove the unsupported platforms from the supported platforms checklist. 
      
      thank you.
    • Hello Dani
      
      The CIs should run on Windows Server 2008 R2. Be sure you have PowerShell 3.0 or higher installed.
  • Clarification on Certificates
    2 Posts | Last post June 29, 2019
    • Following the additional guidance on https://blogs.technet.microsoft.com/configurationmgr/2018/01/08/additional-guidance-to-mitigate-speculative-execution-side-channel-vulnerabilities/ is not yielding the results I'm looking for. I am unable to locate the PSD1 file to extract the cert from. Also, the latest release references TWO certificates, but only one exists in the PSD1 file. Where do I obtain the certificates?
      
      Can you provide detailed instructions on how to obtain the certificates so I can deploy them to the store?
      
      Can you provide the full pathnames and locations of the script that version 1.0.14 was installed with via Install-Module?
    • Hello Michael
      
      Here are the steps to install both certificates:
      
      1. In the Configuration Manager Console, navigate to “Configuration Items” and open the CI “CVE-2017-5715-Branch Target Injection”, then navigate to “Settings”, open one of them, click “Edit Script”, and copy the whole script to a new .ps1 file, e.g. <filename>.ps1.
      2. Then run the following PowerShell commands to export the cert from the script:
      $cer = Get-AuthenticodeSignature .\<filename>.ps1
      Export-Certificate -Cert $cer.SignerCertificate -FilePath .\<filename>.cer
      3. Install the cert into the “Trusted Publishers” store.
      4. Repeat steps 1-3 to install the other cert from any script in the CIs “CVE-2018-12126, CVE-2018-12130, CVE-2018-3639, …”.
      
      Best Regards
      Yvette
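The procedure above exports the signer certificate by hand and leaves the import step to the reader. The following is an added example, not part of the gallery baseline, that performs steps 2 and 3 in one script: it verifies the Authenticode signature on the .ps1 saved in step 1, exports the signer certificate to a .cer next to it, and adds it to LocalMachine\TrustedPublisher, which is the store the client consults before running a signed CI script (the "0x87D00327 Script is not signed" error elsewhere on this page is what an untrusted signer produces). It uses the .NET X509Store class rather than Import-Certificate so it also runs on Windows Server 2008 R2 with PowerShell 3.0, where the PKI module is not available. The $ScriptPath parameter and the .cer naming are assumptions of this example; run it elevated:

```powershell
# Added example (not the gallery baseline's code): verify the signature on an
# exported CI script, save its signer certificate, and install that certificate
# into LocalMachine\TrustedPublisher. Assumes $ScriptPath is the .ps1 you saved
# from the console in step 1 and that you run this elevated.
param(
    [Parameter(Mandatory)][string]$ScriptPath,
    [string]$StoreName = 'TrustedPublisher'
)

$sig = Get-AuthenticodeSignature -FilePath $ScriptPath

# Only trust a signature that verifies. A script signed and timestamped while the
# certificate was still valid keeps reporting Valid after the certificate expires,
# which is why the older CIs keep working; NotSigned, HashMismatch or UnknownError
# must never be pushed into Trusted Publishers.
if ($sig.Status -ne 'Valid') {
    throw ("Signature on '{0}' is {1}: {2}" -f $ScriptPath, $sig.Status, $sig.StatusMessage)
}

$cert = $sig.SignerCertificate
Write-Host ("Signer      : {0}" -f $cert.Subject)
Write-Host ("Thumbprint  : {0}" -f $cert.Thumbprint)
Write-Host ("Expires     : {0}" -f $cert.NotAfter)
Write-Host ("Timestamped : {0}" -f [bool]$sig.TimeStamperCertificate)

# Keep a .cer copy beside the script so it can be deployed to other machines
# (for example with a Configuration Manager package or Group Policy).
$cerPath = [IO.Path]::ChangeExtension($ScriptPath, '.cer')
[IO.File]::WriteAllBytes($cerPath, $cert.Export('Cert'))
Write-Host ("Exported to : {0}" -f $cerPath)

# Add to LocalMachine\TrustedPublisher unless the same thumbprint is already there.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
$store.Open('ReadWrite')
try {
    $existing = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
    if ($existing.Count -eq 0) {
        $store.Add($cert)
        "Installed {0} into LocalMachine\{1}" -f $cert.Thumbprint, $StoreName
    } else {
        "Already present in LocalMachine\{0}: {1}" -f $StoreName, $cert.Thumbprint
    }
} finally {
    $store.Close()
}
```

Run it once per distinct signing certificate (step 4 above: one script from the older CIs, one from the newer CIs), and compare the printed thumbprints against the ones you expect before deploying the .cer files to the rest of the fleet.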
      
  • Will the module be updated with ADV190013
    5 Posts | Last post May 31, 2019
    • Are there any plans to include the latest and greatest (ADV190013)? The SpeculationControl module has already been updated to include detection for mitigation:
      https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv190013
    • I am waiting for the same as well. Can anyone please confirm if the modules will be added to the baseline ?
    • I am also looking for the ADV190013 variants to be included in this configuration baseline.
      
      Thank you in advance.
      
      Bob McCulloch
    • Please update with latest ADV190013 
    • Hi everyone, we are working on updating the baseline for the latest advisory ADV190013. I'll have an update in a few days, we need to test our full matrix.
      
      thanks
      -Yvette
  • Can't evaluate the baseline due to script not signed error
    1 Posts | Last post December 07, 2018
    • Getting the following error in DCMwmiprovider.log:
      "Script is not signed (Error: 87D00327; Source: CCM"
      
      Tried setting the execution policy to Bypass/RemoteSigned for CurrentUser but still no success. Is this related to the CI certificates not being trusted? If yes, then please advise the next course of action. Thank you
      
  • Import Failure
    2 Posts | Last post October 23, 2018
    • Looks pretty awesome, I'd love to be able to get it working in our environment, but I'm getting an error during the import: "invalid reference in content" and "the CI contains a missing or invalid CI reference". That's using the latest version of the published baseline...
      
      Running the 1802 version of SCCM - any tips/help would be appreciated :)
      
      Referenced configuration items are not available yet: <MissingReferences><Reference RelationType="2" ModelName="ScopeId_9BF44017-A912-4E27-9D16-EC8C789D8D9C/LogicalName_16df7ae9-3484-436b-9509-d5498b9398af"/><Reference RelationType="2" ModelName="ScopeId_9BF44017-A912-4E27-9D16-EC8C789D8D9C/LogicalName_590f8348-bb8e-4822-9077-5747b831c63f"/><Reference RelationType="2" ModelName="ScopeId_9BF44017-A912-4E27-9D16-EC8C789D8D9C/LogicalName_6c5e6a70-bb8e-4609-bd2f-45f4ca6e1306"/><Reference RelationType="2" ModelName="ScopeId_9BF44017-A912-4E27-9D16-EC8C789D8D9C/LogicalName_89ec82af-ecfd-4948-bef5-6b00c104aeb6"/></MissingReferences>
    • Hello michaelbernard81
      
      We cannot reproduce this error in our test labs. Can you give some more information about your environment? Have you imported previous versions of this baseline etc.?
      
      
      Thanks
      
      Yvette
      
  • Script is signed with an expired certificate
    4 Posts | Last post August 23, 2018
    • Could you please re-sign the script with a valid certificate?
      The current certificate expired on 11 August 2018.
    • Hello Stefan
      
      Since the cert was valid at the time we signed the scripts for the first two CIs (CVE-2017-5715 - Branch target injection and CVE-2017-5754 - Rogue data cache load), things will work. The second two CIs (CVE-2018-3639 - Speculative store bypass and CVE-2018-3620 - L1 Terminal Fault) are signed with a new cert.
      
      Regards
      -Yvette
    • Hello Yvette,
      I was requesting a re-sign with a non-expired certificate, because after importing "ADV180002 - Speculative Execution Side-Channel Vulnerabilities_2018.07.31.cab" on August 15 we got "0x87D00327 Script is not signed" for the SSB checks. We've overlapped with "ADV180002 - Speculative Execution Side-Channel Vulnerabilities_2018.08.15.cab", so I'll try this now with fingers crossed that the error will be fixed with that version.
      Regards,
      Stefan
    • Hello Yvette,
      I can confirm, deploying both certificates and using "ADV180002 - Speculative Execution Side-Channel Vulnerabilities_2018.08.15.cab" works flawlessly.
      Thanks a lot!
      Regards,
      Stefan
  • L1TF/Foreshadow
    2 Posts | Last post August 21, 2018
    • Hi,
      
      could you update the baseline with the L1TF detection? The SpeculationControl PS Module has already been updated.
      
      
      Thanks and regards,
      Daniel
    • Hello Daniel,
      
      We have published an update to the baseline that includes a new CI with the detection for mitigations for CVE-2018-3620 - L1 Terminal Fault. Please give it a try.
      
      thanks
      -Yvette
  • CI CVE-2018-3639 requires 32bit script engine?
    2 Posts | Last post August 03, 2018
    • Any idea why CI CVE-2018-3639 runs only with “Run script by using the 32-bit scripting host” enabled, while the other two CIs run fine on 64-bit? CVE-2018-3639 fails with 0x80070001 – Incorrect function.
      sigurd
    • Hello sigurd_ch
      
      We don't require the 32-bit scripting host for any of the CIs and we tested all the CIs without. Can you give us some details of your environment? PowerShell version, OS version, CM version etc. We will try to reproduce this.
      
      Thanks
      Yvette
  • Update to Baseline 8/2/2018 for CVE-2018-3639
    1 Posts | Last post August 02, 2018
    • Hello everyone, we have updated the configuration baseline and added support for CVE-2018-3639. Please give it a try and let us know if there are any issues. Note that the updated baseline is unable to determine whether the hardware is vulnerable to SSB but will determine whether the mitigations are present.
      
      thanks
      -Yvette