About CPU bug aka #Meltdown / #Spectre

  • What are the vulnerabilities?
    • CVE-2017-5715 – (Spectre), branch target injection
    • CVE-2017-5753 – (Spectre), bounds check bypass
    • CVE-2017-5754 – (Meltdown), rogue data cache load, memory access permission check performed after kernel memory read
  • Where to start? What about reading the following posts?

This isn’t an exhaustive list of posts, it’s just a starting point. These vulnerabilities have the widest scope I’ve ever seen and show how fragile IT devices and software are. I should probably start distributing stickers saying ‘Human error inside’ 😉

  • What should I do? What’s the plan?

While it isn’t just a Microsoft issue, a PM.org list member (Mike) provided the following plan for Windows based computers:

Please note that you’ll need a microcode update or firmware update from your device manufacturer to be able to fully mitigate these vulnerabilities whatever OS and software you run.

If you run antivirus (AV) software (you should), please make sure it’s compatible with the security fixes released by software or OS vendors.

  • Where do I find the SpeculationControl PowerShell module provided by the MSRC?

The PowerShell gallery hosts the module: https://www.powershellgallery.com/packages/SpeculationControl

The MSRC also released a zip version of it that you’ll find on https://aka.ms/SpeculationControlPS

  • How do I use this module?

It may not be as easy and straightforward as you might think, even though you’re supposed to start by installing the module with the following command:

# Open a PowerShell prompt and type:
Install-Module SpeculationControl

Why? Because it depends on the version of PowerShell you run, whether you run the console with elevated admin privileges, whether the Nuget provider has already been bootstrapped or not… (see more on my Inside the Nuget bootstraping process post)

Here’s what I did on my Windows 10 (1709) where the Nuget provider wasn’t present:


# 1. Download the nuget provider dll
Invoke-WebRequest -Uri `
https://oneget.org/Microsoft.PackageManagement.NuGetProvider-2.8.5.207.dll `
-OutFile `
~/downloads/Microsoft.PackageManagement.NuGetProvider.dll

# 2. Check the integrity of the downloaded file 
(Get-FileHash ~/downloads/Microsoft.PackageManagement.NuGetProvider.dll -Algorithm SHA512 | Select -Expand Hash).ToLower() -eq 
'c68f9be28eb338abc0200e93a089188a734c6b13c59f3c0eb9bb79898e9bee8a5b50bf4b6e4eeaeee687d8cad927d5cfa8ec25e591de0d8ac745b19ae66ab006'

# 3. Create a destination folder
mkdir "C:\Program Files\PackageManagement\ProviderAssemblies\nuget\2.8.5.207"

# 4. Copy the dll file to this folder
copy ~/downloads/Microsoft.PackageManagement.NuGetProvider.dll  `
-Destination "C:\Program Files\PackageManagement\ProviderAssemblies\nuget\2.8.5.207"

# 5. Load the dll
Import-PackageProvider -Name Nuget -Verbose

# 6. Save the module from the powershellgallery.com
Save-Module -Name SpeculationControl -Repository  PsGallery -Verbose -Path ~/Downloads

# 7. Change the execution policy for the current console
Set-ExecutionPolicy  -Scope Process -ExecutionPolicy Bypass

# 8. Import the module (version 1.0.1 in my case)
Import-Module ~\Downloads\SpeculationControl\1.0.1\SpeculationControl.psd1 -Verbose

# 9. Use it 
Get-SpeculationControlSettings

  • How do I use the module against remote computers?

A fellow MVP Mike F. Robbins shows a nice way to achieve this on his blog:
Using PowerShell to Check Remote Windows Systems for CVE-2017-5754 (Meltdown) and CVE-2017-5715 (Spectre)

  • How do I follow the changes in the SpeculationControl module?

Well you can’t. The MSRC hasn’t indicated a ProjectURI in the metadata of the module 😦

I’ve saved all the versions from the PowerShell Gallery and pushed them into a github repo.

As of version 1.0.2, the module hosted on the PSGallery is digitally signed.

You can now check what changed using diff on the different commits: https://github.com/p0w3rsh3ll/MSRC-SpeculationControl/commits/master 🙂
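
Since the gallery copy is signed as of version 1.0.2, the Authenticode signature of a saved copy can be checked before the module is imported. The following is an added example, not code from the original post or from the MSRC; the function name Test-SavedModuleSignature, the download path and the expected signer string are assumptions.

```powershell
# Added example: verify the Authenticode signature of every script file in a
# saved copy of the module before importing it.
# Assumptions: the module was saved with Save-Module into ~/Downloads (as in
# step 6 above) and the signer subject is expected to contain the
# organisation name 'Microsoft Corporation'.

function Test-SavedModuleSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ModulePath,
        [string]$ExpectedSigner = 'Microsoft Corporation'   # assumption
    )

    $files = Get-ChildItem -Path $ModulePath -Recurse -File -Include *.psd1, *.psm1, *.ps1
    if (-not $files) {
        throw "No PowerShell files found under $ModulePath"
    }

    foreach ($file in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        [pscustomobject]@{
            File    = $file.Name
            Status  = $sig.Status
            Signer  = $sig.SignerCertificate.Subject   # $null when the file is not signed
            # Trusted only if the signature validates AND the publisher is the expected one
            Trusted = ($sig.Status -eq 'Valid') -and
                      ($sig.SignerCertificate.Subject -like "*O=$ExpectedSigner*")
        }
    }
}

# Save-Module lays files out as <Path>\<Name>\<Version>
$modulePath = Join-Path $HOME 'Downloads\SpeculationControl\1.0.2'
$check = @(Test-SavedModuleSignature -ModulePath $modulePath)
$check | Format-Table -AutoSize

if ($check.Trusted -contains $false) {
    # Unsigned, modified after signing, or signed by an unexpected publisher
    Write-Warning 'Signature check failed for at least one file; the module was not imported.'
}
else {
    Import-Module (Join-Path $modulePath 'SpeculationControl.psd1') -Verbose
    Get-SpeculationControlSettings
}
```

Run against the 1.0.1 copy used in step 8, the same check is expected to report the files as not signed and to skip the import.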


23 thoughts on “About CPU bug aka #Meltdown / #Spectre”

  1. Many thanks for this great overview and required actions to take. It’s frightening to see after so many years of security awareness and high investments, our systems are still so vulnerable... security is sadly no more than an illusion.

  2. Update to Disable Mitigation against Spectre, Variant 2
    https://support.microsoft.com/en-us/help/4078130/update-to-disable-mitigation-against-spectre-variant-2

    Summary

    Intel has reported issues with recently released microcode meant to address Spectre variant 2 (CVE 2017-5715 Branch Target Injection) – specifically Intel noted that this microcode can cause “higher than expected reboots and other unpredictable system behavior” and then noted that situations like this may result in “data loss or corruption.” Our own experience is that system instability can in some circumstances cause data loss or corruption. On January 22nd Intel recommended that customers stop deploying the current microcode version on impacted processors while they perform additional testing on the updated solution. We understand that Intel is continuing to investigate the potential impact of the current microcode version and encourage customers to review their guidance on an ongoing basis to inform their decisions.

    While Intel tests, updates and deploys new microcode, we are making available an out of band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.” In our testing this update has been found to prevent the behavior described. For the full list of devices, see Intel’s microcode revision guidance. This update covers Windows 7 (SP1), Windows 8.1, and all versions of Windows 10, for client and server. If you are running an impacted device, this update can be applied by downloading it from the Microsoft Update Catalog website. Application of this payload specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.”

    We are also offering a new option – available for advanced users on impacted devices – to manually disable and enable the mitigation against Spectre Variant 2 (CVE 2017-5715) independently via registry setting changes. The instructions for the registry key settings can be found in the following two Knowledge Base articles:

    KB4073119: IT Pro Guidance
    KB4072698: Server Guidance

    As of January 25, there are no known reports to indicate that this Spectre variant 2 (CVE 2017-5715) has been used to attack customers. We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.
