Meltdown and Spectre Mitigation on Windows / Part 1

Meltdown and Spectre Mitigation on Windows

2018 has started with yet another bombshell: the announcement of a set of vulnerabilities, named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 / CVE-2017-5715). These vulnerabilities are deeply rooted in Intel x86 and some of the ARM-based microprocessors.

These are serious security flaws that can lead to a data breach.  Meltdown and Spectre potentially allow restricted memory to be read by a rogue process, thus exposing confidential data. This is a security risk that can’t be ignored.

Since the disclosure of Meltdown and Spectre, Microsoft, Apple, Intel and AMD are racing to release patches to close the security holes. However, for most complex IT organizations with thousands of workstations and servers, the global deployment of the security patches in an expeditious and systematic fashion remains a real headache.

In this blog, we will show how Goverlan IT Automation can be used to drastically reduce the time to remediate the Meltdown and Spectre security risks for your Microsoft Windows machines.

This blog is broken out in two parts. Part 1 will cover intelligence gathering and reporting. Part 2 focuses on remediation and validation.

How to efficiently verify if new Windows protections
are enabled across your Enterprise

After Microsoft quickly released a set of security updates and software patches, confirming whether or not all endpoints were properly protected remained a challenge for system admins. As a result, Microsoft released a PowerShell module named SpeculationControl to verify if a local system had been properly updated.

Here is an output example of running SpeculationControl:

PowerShell Speculation Control Console Output

However, the enterprise wide deployment of the script is not without problems:

  • The PS script can only query the local machine onto which it is executed. It must be installed and ran on each system.
  • The convenient PS > Install-Module SpeculationControl command only works by default in PowerShell v5 and Window 10 machines. Prior OSes require a manual download of the module to be used.
  • To be actionable, the data collected from each endpoint needs to be consolidated in one report.

 

Globally Deploy the SpeculationControl Script in minutes
with Goverlan Reach

Goverlan Icon

Goverlan Reach is a Remote IT Support and Administration software solution designed to support complex IT infrastructures quickly and efficiently. It provides a series of powerful tools to manage endpoints remotely and automate IT workflows.

The patching of the Meltdown and Spectre is the perfect example of how Goverlan Reach can alleviate your current pain points while improving security.

In this example, Goverlan Reach’s IT Process Automation, will deal with:

  • Dispatching the execution of the SpeculationControl script on all your machines
  • Consolidating and formatting the status of machine data into an actionable report
  • Remediation (Part 2)
  • Validating and monitoring the mitigation progress in real-time (Part 2)

Meltdown Specter Windows Protections Report

 

Step 1 – Install Goverlan Reach

Before starting, you need to install the Goverlan Reach Operator Console. If you do not have Goverlan Reach, get it here.

NOTE: You need Goverlan v9.01.21 or later to run through these steps.

 

Step 2 – Import the Goverlan Speculation Control Automation from our IT Automation Center

To facilitate the configuration of this Goverlan process automation, we have configured one and made it available in our IT Automation Center.
Go to this Automation Center Page and follow the instructions to import the Query Speculation Control Windows Protection automation.

Once imported, you will see this automation in your Goverlan interface:

 

Step 3 – Run the Automation and View the Report

You are now ready to run this automation on an ad-hoc basis, or schedule its execution. Simply select the automation and click on the Run button.

The execution time may vary but can be expected to be very short. Hundreds of endpoints can be processed in a matter of minutes. Upon completion, a report of the enabled Meltdown and Spectre Windows Protections for all endpoints is displayed in an Excel spreadsheet:

Meltdown Specter Windows Protections Enabled Report

NOTE: It may take longer to complete the process the first time you run the automation.  However, subsequent executions are much faster because they bypass the initial download and installation of the Microsoft SpeculationControl.ps1 on Windows 10 machines.

Analyze the Report

The output is an Excel spreadsheet which reports on the enabled Windows Protections for each machine configured in the scope.

Report Value Information Desired Value
AVPatchCompatible Reports the existence of the Antivirus Security Update Compatibility Registry Tag.

Microsoft has identified a compatibility issue with a small number of antivirus software products. To help prevent stop errors that are caused by incompatible antivirus applications, Microsoft is only offering the Windows security updates that were released on January 3, 2018, to devices that are running antivirus software that have confirmed that their software is compatible with the January 2018 Windows operating system security update.

True
BTIDisabledByNoHardwareSupport Windows OS support for branch target injection mitigation is disabled by absence of hardware support.

This line tells you if the branch target injection mitigation has been disabled due to the absence of hardware support. If it is True, the absence of hardware support is responsible for disabling the mitigation. If it is False, the mitigation is disabled by a different cause.

Note If a guest VM cannot detect the host hardware update, BTIDisabledByNoHardwareSupport will always be True.

False
BTIDisabledBySystemPolicy Windows OS support for branch target injection mitigation is disabled by system policy.

This line tells you if the branch target injection mitigation has been disabled by system policy (such as an administrator-defined policy). System policy refers to the registry controls as documented in KB 4072698. If it is True, the system policy is responsible for disabling the mitigation. If it is False, the mitigation is disabled by a different cause.

False
BTIHardwarePresent Hardware support for branch target injection mitigation is present.

This line tells you if the hardware features are present to support the branch target injection mitigation. The device OEM is responsible for providing the updated BIOS/firmware that contains the microcode provided by CPU manufacturers. If this line is True, the required hardware features are present. If the line is False, the required hardware features are not present, and therefore the branch target injection mitigation cannot be enabled.

Note: BTIHardwarePresent will be True in guest VMs if the OEM update has been applied to the host and guidance is followed.

True
BTIWindowsSupportEnabled Windows OS support for branch target injection mitigation is enabled.

This line tells you if Windows operating system support is enabled for the branch target injection mitigation. If it is True, hardware support and OS support for the branch target injection mitigation is enabled for the device, thus protecting against CVE-2017-5715. If it is False, one of the following conditions is the true:

* Hardware support is not present.
*
OS support is not present.
*
The mitigation has been disabled by system policy.

True

If false:

* On client: no action required.
*
On server: follow guidance.

BTIWindowsSupportPresent Windows OS support for branch target injection mitigation is present.

 

This line tells you if Windows operating system support is present for the branch target injection mitigation. If it is True, the operating system supports enabling the branch target injection mitigation (and therefore has installed the January 2018 update). If it is False, the January 2018 update has not been installed on the system, and the branch target injection mitigation cannot be enabled.

True
KVAShadowPcidEnabled Windows OS support for PCID performance optimization is enabled.

This line tells you if an additional performance optimization has been enabled for kernel VA shadow. If it is True, kernel VA shadow is enabled, hardware support for PCID is present, and PCID optimization for kernel VA shadow has been enabled. If it is False, either the hardware or the OS may not support PCID. It is not a security weakness for the PCID optimization to not be enabled.

Note: PCID is not required for security. It only indicates if a performance improvement is enabled. PCID is not supported with Windows Server 2008 R2

True or False (no action required)
KVAShadowRequired Hardware requires kernel VA shadowing.

This line tells you if the hardware is vulnerable to CVE-2017-5754. If it is True, the hardware is believed to be vulnerable to CVE-2017-5754. If it is False, the hardware is known to not be vulnerable to CVE-2017-5754.

True or False (no action, this is a function of the CPU the machine uses)
KVAShadowWindowsSupportEnabled Windows OS support for kernel VA shadow is enabled.

 

This line tells you if the kernel VA shadow feature has been enabled. If it is True, the hardware is believed to be vulnerable to CVE-2017-5754, Windows operating system support is present, and the feature has been enabled. The Kernel VA shadow feature is currently enabled by default on client versions of Windows and is disabled by default on versions of Windows Server. If it is False, either Windows operating system support is not present, or the feature has not been enabled.

If KVAShadowRequired is TRUE: True

If KVAShadowRequired is TRUE and KVAShadowWindowsSupportEnabled is FALSE:

* On client: no action required.
*
On server: follow guidance.

KVAShadowWindowsSupportPresent Windows OS support for kernel VA shadow is present.

This line tells you if Windows operating system support for the kernel VA shadow feature is present. If it is True, the January 2018 update is installed on the device, and kernel VA shadow is supported. If it is False, the January 2018 update is not installed, and kernel VA shadow support does not exist.

If KVAShadowRequired is TRUE: True

 

Reference: https://support.microsoft.com/en-za/help/4074629/understanding-the-output-of-get-speculationcontrolsettings-powershell

 

 

 

Leave a Reply