Speculation Control Validation PowerShell Script

This is described in the blog topic: "Windows Server guidance to protect against the speculative execution side-channel vulnerabilities."

 
 
 
 
 
4.2 Star
(15)
51,967 times
Add to favorites
Security
4/11/2018
E-mail Twitter del.icio.us Digg Facebook
Sign in to ask a question


  • 1.0.6 Update
    3 Posts | Last post April 14, 2018
    • What is the benefit to running the 1.0.6 update vs. the 1.0.5 that I've been running?  The release notes are too vague . . . 
    • I would also very much like to know what version 1.0.6 does differently.
      
      After updating script from version 1.0.4 I get information that my platform doesn't need KVA Shadowing (Meltdown protection).
      "Hardware requires kernel VA shadowing: False"
      
      That's beyond strange because it is Intel NUC6CAYS with Celeron J3455 (Apollo Lake).
      
    • I found myself how v1.0.4 and v1.0.6 differ regardless KVAShadow requirements check.
      
      In 1.0.6 there were added checks for additional flags
      "           [System.UInt32]$kvaShadowRequiredFlag = 0x10
                  [System.UInt32]$kvaShadowRequiredAvailableFlag = 0x20
      "
      from systemInformationClass #196.
      
      Rather than checking CPU family and model SpeculationControl now check these values.
      
      How these values are determined by Windows 10? Why Intel CPU J3455 (Apollo Lake) is considered not voulnerable to Meltdown (CVE-2017-5754)?
  • SHA2
    1 Posts | Last post March 27, 2018
    • I don't think the files are signed using SHA2.  When I right-click on them and go to Properties -> Digital Signatures -> The Digest Algorithm is SHA1.
  • Spec Ctrl PS script with new HPE DL360 Gen9 BIOS 2.56
    4 Posts | Last post March 21, 2018
    • Hello, will this script work with the new BIOS release for HPE Gen9 BIOS 2.56(B)?
    • The script works on Powershell regardless of your BIOS version.
      
      If you are trying to confirm if the BIOS update was a success though (green answers), it depends on your model, as of 3/8/2018@2:52, it looks like some models pass muster, but others don't - I'm on hold with HP right now because of this.
      
      These were my results after updating:
      ML350 Gen9 - succeed
      DL160 Gen9 - succeed
      ML110 Gen9 - fail
      DL380pGen8 - fail
      
    • Give this a try.  I'm still testing it myself:
      
      https://kb.vmware.com/s/article/52085
    • ignore that last one
  • Unable to get spectre patch working on vmware
    4 Posts | Last post March 21, 2018
    • Has anyone else had problems getting the spectre fix to work in a vmware environment? both this module and inspectre show the server as unprotected due to hardware. this is happening both in our own datacentre and in AWS.
      
      Speculation control settings for CVE-2017-5715 [branch target injection]
      
      Hardware support for branch target injection mitigation is present: False
      Windows OS support for branch target injection mitigation is present: True
      Windows OS support for branch target injection mitigation is enabled: False
      Windows OS support for branch target injection mitigation is disabled by system policy: False
      Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
      
      Speculation control settings for CVE-2017-5754 [rogue data cache load]
      
      Hardware requires kernel VA shadowing: True
      Windows OS support for kernel VA shadow is present: True
      Windows OS support for kernel VA shadow is enabled: True
      Windows OS support for PCID performance optimization is enabled: True [not required for security]
      
      Suggested actions
      
       * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
      
      BTIHardwarePresent             : False
      BTIWindowsSupportPresent       : True
      BTIWindowsSupportEnabled       : False
      BTIDisabledBySystemPolicy      : False
      BTIDisabledByNoHardwareSupport : True
      KVAShadowRequired              : True
      KVAShadowWindowsSupportPresent : True
      KVAShadowWindowsSupportEnabled : True
      KVAShadowPcidEnabled           : True
      
      and from inspectre:
      
      Spectre & Meltdown Vulnerability
      and Performance Status
      
      Vulnerable to Meltdown: NO
      Vulnerable to Spectre: YES!
      Performance: GOOD
      
      This systems present situation:
      •	This systems hardware has not been updated with new features required to allow its operating system to protect against the Spectre vulnerabilities and/or to minimize their impact upon the systems performance.
    • Yes. Actually you've gotten farther than I have with this. On 2008R2 I haven't received a single update through Windows Update for either of these and everything is reading false, including all the firmware stuff despite the machines all being EC2 instances. Don't know why the updates are not coming down. 
    • Keep in mind that Win 2008 and Win 2012 NOT R2, are not protected against it.
      Microsoft still have not released updates for these OS.
      Only released for the Win 2008 R2 and Win 2012 R2. 
      Not sure if that is your case.
    • Give this a try, I'm still testing it myself:
      
      https://kb.vmware.com/s/article/52085
      
  • Error while importing Module
    3 Posts | Last post February 16, 2018
    • I followed the steps as explained in the description, however I am getting the following error message:
      
      PS C:\SpeculationControl> Import-Module .\SpeculationControl.psd1
      Import-Module : The 'C:\SpeculationControl\SpeculationControl.psd1' module cannot be imported because its manifest contains one or more members that are not valid. The valid manifest members are ('ModuleToProcess', 'NestedModules', 'GUID', 'Author', 'CompanyName', 'Copyright', 'ModuleVersion', 'Des
      cription', 'PowerShellVersion', 'PowerShellHostName', 'PowerShellHostVersion', 'CLRVersion', 'DotNetFrameworkVersion', 'ProcessorArchitecture', 'RequiredModules', 'TypesToProcess', 'FormatsToProcess', 'ScriptsToProcess', 'PrivateData', 'RequiredAssemblies', 'ModuleList', 'FileList', 'FunctionsToExp
      ort', 'VariablesToExport', 'AliasesToExport', 'CmdletsToExport'). Remove the members that are not valid ('RootModule'), then try to import the module again.
      At line:1 char:14
      + Import-Module <<<<  .\SpeculationControl.psd1
          + CategoryInfo          : InvalidData: (C:\SpeculationC...ionControl.psd1:String) [Import-Module], InvalidOperationException
          + FullyQualifiedErrorId : Modules_InvalidManifestMember,Microsoft.PowerShell.Commands.ImportModuleCommand
      
      I checked for SpeculationControl.psm1 referenced in RootModule and the file looks okay to me (therefore, it also exists in the same directory). Any suggestions?
    • Change in SpeculationControl.PSD1 (!) "RootModule" to "ModuleToProcess". That worked for me on Win 7.
    • Hago67 thanks for this. That change works on Windows 2008R2 as well after having received the same error as above.
  • zip file is corrupted
    2 Posts | Last post January 24, 2018
    • Any updates on this?
    • just downloaded and uncompressed the file and it and works like a charm
  • Speculation cntrol
    2 Posts | Last post January 22, 2018
    • When I run the script i get an error
      Unsupported processor manufacturer:
      At C:\scripts\SpeculationControl\SpeculationControl.psm1:148 char:18
      +             throw <<<<  ("Unsupported processor manufacturer: {0}" -f $cpu.Manufacturer)
          + CategoryInfo          : OperationStopped: (Unsupported processor manufacturer: :String) [], RuntimeException
          + FullyQualifiedErrorId : Unsupported processor manufacturer:
      
      Please advise, Its a Dell serever
    • Hello IJThomas,
      
      I am not the owner of the script, but this is related to the Get-WMIObject command, when used we can retrieve $cpu.manufacturer because of the powershell version.
      As workaround, you can simply replace the line $manufacturer = $cpu.Manufacturer by $manufacturer = "GenuineIntel" in the psm1 file
      
      Be careful by doing that, do not apply an Intel script on AMD processor, so if you have AMD CPU you need to replace by $manufacturer = "AuthenticAMD"
      
      Hope you will understand and this will help you until the author make a real workaround (I didn't waste any time on it since we have only Intel CPUs, I just deleted the check because I know what I am doing)
  • Hardware and Windows support is present but still disabled???
    11 Posts | Last post January 21, 2018
    • Hardware support for branch target injection mitigation is present: True
      Windows OS support for branch target injection mitigation is present: True
      Windows OS support for branch target injection mitigation is enabled: False
      Windows OS support for branch target injection mitigation is disabled by system policy: False
      Windows OS support for branch target injection mitigation is disabled by absence of hardware support: False
      
      What does that even mean? Why disabled if not by system policy or absence of hardware support?
    • Is this a Windows Server? If so, you need to enable the mitigations in the registry: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
    • No, this is Windows Client. And just to be safe I tried enabling it in the registry and it didn't help.
    • Here is verbose output:
      BpbEnabled                   : False
      BpbDisabledSystemPolicy      : False
      BpbDisabledNoHardwareSupport : False
      HwReg1Enumerated             : True
      HwReg2Enumerated             : True
      HwMode1Present               : False
      HwMode2Present               : False
      SmepPresent                  : True
    • Sorry, have to ask.  Did you install BIOS updates pertinent to the vulnerabilities as well as Windows updates?
    • There was no BIOS update for my motherboard model and probably won't be at all. But I updated CPU microcode and script says that hardware support is present.
    • Anything?
    • Depending on how you updated CPU microcode it does not always persist across restarts. Usually a full BIOS update is required for a permanent update.
    • According to HWINFO it persists. I wrote down uCU before update, after update and after restart. It doesn't change after restart.
    • Try testing with https://www.grc.com/inspectre.htm
      
      I have found that using the VMware driver method to update microcode works and persists across restarts. Subsequently running uninstall (which you would expect would just remove the VMware driver) reverts the microcode. A BIOS update would still be my preferred, permanent, method as the microcode update using the VMware driver is a workaround (e.g. what happens if/when you rebuild your PC or upgrade Windows 10?). Problem is, OEMs are taking ages to release updated BIOS and no guarantee they ever will for older products.
    • I didn't uninstall VMWare driver. I tried InSpectre. It says that system isn't vulnerable to Spectre (all green, hardware update is present, etc), but button shows "Enable Spectre Protection" like it hasn't been enabled (clicking on button changes it's state but it's back after I run InSpectre again). For Meltdown there is "Disable Meltdown Protection" which means it's enabled.
      
      Speculation control script still shows that Spectre protection isn't enabled.
  • zip is empty again?
    3 Posts | Last post January 19, 2018
    • zip is empty again?
    • yes, i got a empty .zip file, too...
    • This is a shortened link to the zip file (not a copy/mirror) - it might help?
      http://bit.ly/2DkC3vZ
  • Get-Help declares version as 1.3
    1 Posts | Last post January 19, 2018
    • ... yet it's defined as 1.0.4 here
      
1 - 10 of 47 Items