Speculation Control Validation PowerShell Script

This is described in the blog topic: "Windows Server guidance to protect against the speculative execution side-channel vulnerabilities."

 
 
 
 
 
4.4 Star
(20)
70,004 times
Add to favorites
Security
9/5/2018
E-mail Twitter del.icio.us Digg Facebook
  • Virtual Server on VMware
    2 Posts | Last post August 03, 2018
    • Does anybody know what exactly is tested with the "Hardware support for branch target injection mitigation is present:"?
      
      On our patched VMware ESXi 6.0 hosts some servers show this as False and some as True. The only thing what I could find out until now was, that updating to the newest windows patches fixed the issue.
      
      So, does anyone know which updates exactly solve the problem?
      
      Thanks in advance
    • In short: Test for presence of MSR register responsible for control over Spectre variant 2 mitigation inside CPU. That is mostly available after proper microcode update. Which can be done by Windows or better through BIOS update.
  • Please revert to color highlighting
    1 Posts | Last post July 31, 2018
    • Please revert code to use Colors showing up if a system is protected (green) or partially (yellow) e.g. because missing BIOS updates or policies
      or RED completely unprotected. The current True / False is not easily readable for non pros or people not in being deeply involved in the topic.
      
      Please also implement optional enable (registry keys) if these are the only one missing. 
      
      Please also implement code that this script could be used via Remote PowerShell to get a full view over supported systems, instead of local excecution only.
  • Module cannot be downloaded from Machines older than Windows 10 / 2016 > anymore
    1 Posts | Last post July 31, 2018
    • Name                           Version          Source           Summary
      ----                           -------          ------           -------
      nuget                          2.8.5.208        https://onege... NuGet provider for the OneGet meta-package manager
      PackageManagement\Install-Package : No match was found for the specified search criteria and module name
      'SpeculationControl'. Try Get-PSRepository to see all available registered module repositories.
      At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1772 char:21
      + ...          $null = PackageManagement\Install-Package @PSBoundParameters
      +                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : ObjectNotFound: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package], Ex
         ception
          + FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage
      
      
      WMF 5.1 is installed and it worked previously but when downloading now I get this error
  • Look like Script is not showing correct result for HP BL465c Gen8 AMD based Server
    1 Posts | Last post June 19, 2018
    • Tested for AMD CPU based HP BL465c. Host blade is running with latest microcode + VMware updates. Guest VM running on Windows 2K8 R2 Ent having all applicable Microsoft OS updates. This script still shows output indicating hardware support/microcode update missing. 
      
      Another VM running on another Intel based Blade host Server have not showing this behavior.Script output showing all well on this Guest machines.
      
      Look like something wrong with this script for AMD based Server.
      
      Do any one have tested this for AMD, please share your experiences. 
      
  • Spectre variants 3a and 4
    1 Posts | Last post June 11, 2018
    • Do you have a time line as to when an updated will be available that can detect the new Spectre variants 3a and 4?
  • Validity post May updates...
    1 Posts | Last post June 04, 2018
    • Is this script and resultant set of information still valid post the updates May 22nd?
  • 1.0.6 Update
    3 Posts | Last post April 14, 2018
    • What is the benefit to running the 1.0.6 update vs. the 1.0.5 that I've been running?  The release notes are too vague . . . 
    • I would also very much like to know what version 1.0.6 does differently.
      
      After updating script from version 1.0.4 I get information that my platform doesn't need KVA Shadowing (Meltdown protection).
      "Hardware requires kernel VA shadowing: False"
      
      That's beyond strange because it is Intel NUC6CAYS with Celeron J3455 (Apollo Lake).
      
    • I found myself how v1.0.4 and v1.0.6 differ regardless KVAShadow requirements check.
      
      In 1.0.6 there were added checks for additional flags
      "           [System.UInt32]$kvaShadowRequiredFlag = 0x10
                  [System.UInt32]$kvaShadowRequiredAvailableFlag = 0x20
      "
      from systemInformationClass #196.
      
      Rather than checking CPU family and model SpeculationControl now check these values.
      
      How these values are determined by Windows 10? Why Intel CPU J3455 (Apollo Lake) is considered not voulnerable to Meltdown (CVE-2017-5754)?
  • SHA2
    1 Posts | Last post March 27, 2018
    • I don't think the files are signed using SHA2.  When I right-click on them and go to Properties -> Digital Signatures -> The Digest Algorithm is SHA1.
  • Spec Ctrl PS script with new HPE DL360 Gen9 BIOS 2.56
    4 Posts | Last post March 21, 2018
    • Hello, will this script work with the new BIOS release for HPE Gen9 BIOS 2.56(B)?
    • The script works on Powershell regardless of your BIOS version.
      
      If you are trying to confirm if the BIOS update was a success though (green answers), it depends on your model, as of 3/8/2018@2:52, it looks like some models pass muster, but others don't - I'm on hold with HP right now because of this.
      
      These were my results after updating:
      ML350 Gen9 - succeed
      DL160 Gen9 - succeed
      ML110 Gen9 - fail
      DL380pGen8 - fail
      
    • Give this a try.  I'm still testing it myself:
      
      https://kb.vmware.com/s/article/52085
    • ignore that last one
  • Unable to get spectre patch working on vmware
    4 Posts | Last post March 21, 2018
    • Has anyone else had problems getting the spectre fix to work in a vmware environment? both this module and inspectre show the server as unprotected due to hardware. this is happening both in our own datacentre and in AWS.
      
      Speculation control settings for CVE-2017-5715 [branch target injection]
      
      Hardware support for branch target injection mitigation is present: False
      Windows OS support for branch target injection mitigation is present: True
      Windows OS support for branch target injection mitigation is enabled: False
      Windows OS support for branch target injection mitigation is disabled by system policy: False
      Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
      
      Speculation control settings for CVE-2017-5754 [rogue data cache load]
      
      Hardware requires kernel VA shadowing: True
      Windows OS support for kernel VA shadow is present: True
      Windows OS support for kernel VA shadow is enabled: True
      Windows OS support for PCID performance optimization is enabled: True [not required for security]
      
      Suggested actions
      
       * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
      
      BTIHardwarePresent             : False
      BTIWindowsSupportPresent       : True
      BTIWindowsSupportEnabled       : False
      BTIDisabledBySystemPolicy      : False
      BTIDisabledByNoHardwareSupport : True
      KVAShadowRequired              : True
      KVAShadowWindowsSupportPresent : True
      KVAShadowWindowsSupportEnabled : True
      KVAShadowPcidEnabled           : True
      
      and from inspectre:
      
      Spectre & Meltdown Vulnerability
      and Performance Status
      
      Vulnerable to Meltdown: NO
      Vulnerable to Spectre: YES!
      Performance: GOOD
      
      This systems present situation:
      •	This systems hardware has not been updated with new features required to allow its operating system to protect against the Spectre vulnerabilities and/or to minimize their impact upon the systems performance.
    • Yes. Actually you've gotten farther than I have with this. On 2008R2 I haven't received a single update through Windows Update for either of these and everything is reading false, including all the firmware stuff despite the machines all being EC2 instances. Don't know why the updates are not coming down. 
    • Keep in mind that Win 2008 and Win 2012 NOT R2, are not protected against it.
      Microsoft still have not released updates for these OS.
      Only released for the Win 2008 R2 and Win 2012 R2. 
      Not sure if that is your case.
    • Give this a try, I'm still testing it myself:
      
      https://kb.vmware.com/s/article/52085
      
11 - 20 of 63 Items