- What are the vulnerabilities?
  - CVE-2017-5715 – (Spectre), branch target injection
  - CVE-2017-5753 – (Spectre), bounds check bypass
  - CVE-2017-5754 – (Meltdown), rogue data cache load, memory access permission check performed after kernel memory read
- Where to start? What about reading the following posts?
This isn’t an exhaustive list of posts, it’s just a starting point. These vulnerabilities have the widest scope I’ve ever seen and show how fragile IT devices and software are. I should probably start distributing stickers saying ‘Human error inside’ 😉
  - CPU hardware vulnerable to side-channel attacks: Vulnerability Note VU#584653
  - Alert (TA18-004A): Meltdown and Spectre Side-Channel Vulnerability Guidance
  - Important: Windows security updates released January 3, 2018, and antivirus software
  - https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in (Client)
  - https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution (Server)
- What should I do? What’s the plan?
While it isn’t just a Microsoft issue, a PM.org list member (Mike) provided the following plan for Windows-based computers:
Please note that you’ll need a microcode update or firmware update from your device manufacturer to be able to fully mitigate these vulnerabilities, whatever OS and software you run.
If you run antivirus (AV) software (you should), please make sure it’s compatible with the security fixes released by software or OS vendors.
- Where do I find the SpeculationControl PowerShell module provided by the MSRC?
The PowerShell gallery hosts the module: https://www.powershellgallery.com/packages/SpeculationControl
The MSRC also released a zip version of it that you’ll find on https://aka.ms/SpeculationControlPS
- How do I use this module?
It may not be as easy and straightforward as you may think, given that you’re supposed to start by installing the module with the following command:

```powershell
# Open a PowerShell prompt and type:
Install-Module SpeculationControl
```
Why? Because it depends on the version of PowerShell you run, whether you run the console with elevated admin privileges, whether the Nuget provider has already been bootstrapped or not… (see more on my Inside the Nuget bootstraping process post)
Here’s what I did on my Windows 10 (1709) where the Nuget provider wasn’t present:
```powershell
# 1. Download the nuget provider dll
Invoke-WebRequest -Uri `
 https://oneget.org/Microsoft.PackageManagement.NuGetProvider-126.96.36.199.dll `
 -OutFile `
 ~/downloads/Microsoft.PackageManagement.NuGetProvider.dll

# 2. Check the integrity of the downloaded file
(Get-FileHash ~/downloads/Microsoft.PackageManagement.NuGetProvider.dll -Algorithm SHA512 |
Select -Expand Hash).ToLower() -eq 'c68f9be28eb338abc0200e93a089188a734c6b13c59f3c0eb9bb79898e9bee8a5b50bf4b6e4eeaeee687d8cad927d5cfa8ec25e591de0d8ac745b19ae66ab006'

# 3. Create a destination folder
mkdir "C:\Program Files\PackageManagement\ProviderAssemblies\nuget\188.8.131.52"

# 4. Copy the dll file to this folder
copy ~/downloads/Microsoft.PackageManagement.NuGetProvider.dll `
 -Destination "C:\Program Files\PackageManagement\ProviderAssemblies\nuget\184.108.40.206"

# 5. Load the dll
Import-PackageProvider -Name Nuget -Verbose

# 6. Save the module from the powershellgallery.com
Save-Module -Name SpeculationControl -Repository PsGallery -Verbose -Path ~/Downloads

# 7. Change the execution policy for the current console
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

# 8. Import the module (version 1.0.1 in my case)
Import-Module ~\Downloads\SpeculationControl\1.0.1\SpeculationControl.psd1 -Verbose

# 9. Use it
Get-SpeculationControlSettings
```
- How do I use the module against remote computers?
A fellow MVP, Mike F. Robbins, shows a nice way to achieve this on his blog:
Using PowerShell to Check Remote Windows Systems for CVE-2017-5754 (Meltdown) and CVE-2017-5715 (Spectre)
- How do I follow the changes in the SpeculationControl module?
Well you can’t. The MSRC hasn’t indicated a ProjectURI in the metadata of the module 😦
I’ve saved all the versions from the PowerShell Gallery and pushed them into a github repo.
As of version 1.0.2, the module hosted on the PSGallery is digitally signed.
You can now check what changed using diff on the different commits: https://github.com/p0w3rsh3ll/MSRC-SpeculationControl/commits/master 🙂
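Since the module is signed as of version 1.0.2, a saved copy can be checked with `Get-AuthenticodeSignature` before it is imported, and the process-scope policy can then be `AllSigned` rather than the `Bypass` used in step 7. The following is an added example, not code from the original post or from the MSRC; the function name `Test-SavedModuleSignature`, the signer pattern and the `~\Downloads\SpeculationControl` path (from step 6) are assumptions.

```powershell
# Added example: verify the Authenticode signature of every script file
# in a module saved with Save-Module before importing it.
function Test-SavedModuleSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ModulePath,
        # Assumed signer pattern; adjust to the publisher you expect
        [string]$ExpectedSubject = '*O=Microsoft Corporation*'
    )
    $files = Get-ChildItem -Path $ModulePath -Recurse -File -Include *.psd1, *.psm1, *.ps1
    if (-not $files) { throw "No script files found under $ModulePath" }

    foreach ($file in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        # SignerCertificate is $null for unsigned files (e.g. version 1.0.1)
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        [pscustomobject]@{
            File    = $file.FullName.Substring($ModulePath.Length)
            Status  = $sig.Status
            Signer  = $signer
            # Trusted only if the signature validates AND the signer matches
            Trusted = ($sig.Status -eq 'Valid') -and ($signer -like $ExpectedSubject)
        }
    }
}

# Path assumed from step 6 (Save-Module ... -Path ~/Downloads)
$modulePath = Join-Path $HOME 'Downloads\SpeculationControl'
$report = @(Test-SavedModuleSignature -ModulePath $modulePath)
$report | Format-Table -AutoSize

if ($report.Trusted -contains $false) {
    Write-Warning 'At least one file is unsigned, tampered with, or signed by an unexpected publisher; not importing.'
} else {
    # AllSigned keeps signature enforcement on for this console only;
    # PowerShell may prompt once to trust the publisher.
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy AllSigned -Force
    $manifest = Get-ChildItem -Path $modulePath -Recurse -Filter SpeculationControl.psd1 |
        Sort-Object FullName | Select-Object -Last 1
    Import-Module $manifest.FullName -Verbose
    Get-SpeculationControlSettings
}
```

Run against a saved 1.0.1 copy, the report shows `NotSigned` and the import is skipped.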