Speculation Control Validation PowerShell Script

This is described in the blog topic: "Windows Server guidance to protect against the speculative execution side-channel vulnerabilities."

 
 
 
 
 
4.3 Star
(16)
60,627 times
Add to favorites
Security
6/13/2018
E-mail Twitter del.icio.us Digg Facebook
Sign in to ask a question


  • Virtual Server on VMware
    1 Posts | Last post Wed 11:24 AM
    • Does anybody know what exactly is tested with the "Hardware support for branch target injection mitigation is present:"?
      
      On our patched VMware ESXi 6.0 hosts some servers show this as False and some as True. The only thing what I could find out until now was, that updating to the newest windows patches fixed the issue.
      
      So, does anyone know which updates exactly solve the problem?
      
      Thanks in advance
  • Look like Script is not showing correct result for HP BL465c Gen8 AMD based Server
    1 Posts | Last post June 19, 2018
    • Tested for AMD CPU based HP BL465c. Host blade is running with latest microcode + VMware updates. Guest VM running on Windows 2K8 R2 Ent having all applicable Microsoft OS updates. This script still shows output indicating hardware support/microcode update missing. 
      
      Another VM running on another Intel based Blade host Server have not showing this behavior.Script output showing all well on this Guest machines.
      
      Look like something wrong with this script for AMD based Server.
      
      Do any one have tested this for AMD, please share your experiences. 
      
  • Spectre variants 3a and 4
    1 Posts | Last post June 11, 2018
    • Do you have a time line as to when an updated will be available that can detect the new Spectre variants 3a and 4?
  • Validity post May updates...
    1 Posts | Last post June 04, 2018
    • Is this script and resultant set of information still valid post the updates May 22nd?
  • 1.0.6 Update
    3 Posts | Last post April 14, 2018
    • What is the benefit to running the 1.0.6 update vs. the 1.0.5 that I've been running?  The release notes are too vague . . . 
    • I would also very much like to know what version 1.0.6 does differently.
      
      After updating script from version 1.0.4 I get information that my platform doesn't need KVA Shadowing (Meltdown protection).
      "Hardware requires kernel VA shadowing: False"
      
      That's beyond strange because it is Intel NUC6CAYS with Celeron J3455 (Apollo Lake).
      
    • I found myself how v1.0.4 and v1.0.6 differ regardless KVAShadow requirements check.
      
      In 1.0.6 there were added checks for additional flags
      "           [System.UInt32]$kvaShadowRequiredFlag = 0x10
                  [System.UInt32]$kvaShadowRequiredAvailableFlag = 0x20
      "
      from systemInformationClass #196.
      
      Rather than checking CPU family and model SpeculationControl now check these values.
      
      How these values are determined by Windows 10? Why Intel CPU J3455 (Apollo Lake) is considered not voulnerable to Meltdown (CVE-2017-5754)?
  • SHA2
    1 Posts | Last post March 27, 2018
    • I don't think the files are signed using SHA2.  When I right-click on them and go to Properties -> Digital Signatures -> The Digest Algorithm is SHA1.
  • Spec Ctrl PS script with new HPE DL360 Gen9 BIOS 2.56
    4 Posts | Last post March 21, 2018
    • Hello, will this script work with the new BIOS release for HPE Gen9 BIOS 2.56(B)?
    • The script works on Powershell regardless of your BIOS version.
      
      If you are trying to confirm if the BIOS update was a success though (green answers), it depends on your model, as of 3/8/2018@2:52, it looks like some models pass muster, but others don't - I'm on hold with HP right now because of this.
      
      These were my results after updating:
      ML350 Gen9 - succeed
      DL160 Gen9 - succeed
      ML110 Gen9 - fail
      DL380pGen8 - fail
      
    • Give this a try.  I'm still testing it myself:
      
      https://kb.vmware.com/s/article/52085
    • ignore that last one
  • Unable to get spectre patch working on vmware
    4 Posts | Last post March 21, 2018
    • Has anyone else had problems getting the spectre fix to work in a vmware environment? both this module and inspectre show the server as unprotected due to hardware. this is happening both in our own datacentre and in AWS.
      
      Speculation control settings for CVE-2017-5715 [branch target injection]
      
      Hardware support for branch target injection mitigation is present: False
      Windows OS support for branch target injection mitigation is present: True
      Windows OS support for branch target injection mitigation is enabled: False
      Windows OS support for branch target injection mitigation is disabled by system policy: False
      Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
      
      Speculation control settings for CVE-2017-5754 [rogue data cache load]
      
      Hardware requires kernel VA shadowing: True
      Windows OS support for kernel VA shadow is present: True
      Windows OS support for kernel VA shadow is enabled: True
      Windows OS support for PCID performance optimization is enabled: True [not required for security]
      
      Suggested actions
      
       * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
      
      BTIHardwarePresent             : False
      BTIWindowsSupportPresent       : True
      BTIWindowsSupportEnabled       : False
      BTIDisabledBySystemPolicy      : False
      BTIDisabledByNoHardwareSupport : True
      KVAShadowRequired              : True
      KVAShadowWindowsSupportPresent : True
      KVAShadowWindowsSupportEnabled : True
      KVAShadowPcidEnabled           : True
      
      and from inspectre:
      
      Spectre & Meltdown Vulnerability
      and Performance Status
      
      Vulnerable to Meltdown: NO
      Vulnerable to Spectre: YES!
      Performance: GOOD
      
      This systems present situation:
      •	This systems hardware has not been updated with new features required to allow its operating system to protect against the Spectre vulnerabilities and/or to minimize their impact upon the systems performance.
    • Yes. Actually you've gotten farther than I have with this. On 2008R2 I haven't received a single update through Windows Update for either of these and everything is reading false, including all the firmware stuff despite the machines all being EC2 instances. Don't know why the updates are not coming down. 
    • Keep in mind that Win 2008 and Win 2012 NOT R2, are not protected against it.
      Microsoft still have not released updates for these OS.
      Only released for the Win 2008 R2 and Win 2012 R2. 
      Not sure if that is your case.
    • Give this a try, I'm still testing it myself:
      
      https://kb.vmware.com/s/article/52085
      
  • Error while importing Module
    3 Posts | Last post February 16, 2018
    • I followed the steps as explained in the description, however I am getting the following error message:
      
      PS C:\SpeculationControl> Import-Module .\SpeculationControl.psd1
      Import-Module : The 'C:\SpeculationControl\SpeculationControl.psd1' module cannot be imported because its manifest contains one or more members that are not valid. The valid manifest members are ('ModuleToProcess', 'NestedModules', 'GUID', 'Author', 'CompanyName', 'Copyright', 'ModuleVersion', 'Des
      cription', 'PowerShellVersion', 'PowerShellHostName', 'PowerShellHostVersion', 'CLRVersion', 'DotNetFrameworkVersion', 'ProcessorArchitecture', 'RequiredModules', 'TypesToProcess', 'FormatsToProcess', 'ScriptsToProcess', 'PrivateData', 'RequiredAssemblies', 'ModuleList', 'FileList', 'FunctionsToExp
      ort', 'VariablesToExport', 'AliasesToExport', 'CmdletsToExport'). Remove the members that are not valid ('RootModule'), then try to import the module again.
      At line:1 char:14
      + Import-Module <<<<  .\SpeculationControl.psd1
          + CategoryInfo          : InvalidData: (C:\SpeculationC...ionControl.psd1:String) [Import-Module], InvalidOperationException
          + FullyQualifiedErrorId : Modules_InvalidManifestMember,Microsoft.PowerShell.Commands.ImportModuleCommand
      
      I checked for SpeculationControl.psm1 referenced in RootModule and the file looks okay to me (therefore, it also exists in the same directory). Any suggestions?
    • Change in SpeculationControl.PSD1 (!) "RootModule" to "ModuleToProcess". That worked for me on Win 7.
    • Hago67 thanks for this. That change works on Windows 2008R2 as well after having received the same error as above.
  • zip file is corrupted
    2 Posts | Last post January 24, 2018
    • Any updates on this?
    • just downloaded and uncompressed the file and it and works like a charm
1 - 10 of 51 Items