Here we are at the start of 2018 with very bad news. Once again, a significant security issue has been found by several independent researchers. The CPU vulnerabilities known as Meltdown and Spectre were publicly disclosed in January 2018. Both abuse speculative execution: a malicious program can use them to read memory that belongs to other processes, or to the kernel, and so get hold of secrets (passwords, keys, session tokens) held in the memory of other running programs. In this article we will discuss this new challenge for sysadmins.
Who is affected?
Affected chips include those manufactured by Intel, AMD and ARM: Spectre (CVE-2017-5753 and CVE-2017-5715) affects processors from all three vendors, while Meltdown (CVE-2017-5754) affects Intel processors and a few ARM cores but, according to AMD, not AMD processors. This is not a Windows-only problem: devices running Android, Chrome OS, iOS and macOS are affected as well and need their own vendor updates.
The good news is that fixes are available: operating system updates from Microsoft and the other OS vendors, plus microcode updates from Intel. The bad news is the performance impact; Intel itself has acknowledged possible slowdowns from the Meltdown fix. Because the mitigations can make some machines noticeably slower, check the performance impact in your test environment before patching production, especially your SQL Servers and other I/O-heavy workloads.
Don’t forget the firmware updates: the mitigation for branch target injection (Spectre variant 2, CVE-2017-5715) is only active once updated microcode is present, and that microcode is delivered as a BIOS/UEFI update by your hardware vendor. So you must check with your hardware vendor whether a new version is available.
What did Microsoft say?
“Antivirus updates should be installed first. Then make sure Windows automatic updates is turned on. If automatic updates is turned on, the updates will be automatically installed.”
The order matters: Microsoft only offered the January 2018 security updates to machines whose antivirus software had set the compatibility registry key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat, because some antivirus products made unsupported calls into kernel memory that crashed the machine (blue screen) once the kernel mitigations were in place. The following Microsoft article discusses the impact of these vulnerabilities and provides resources to help keep devices protected: https://support.microsoft.com/en-us/help/4073757/protect-your-windows-devices-against-spectre-meltdown
How to Monitor Meltdown and Spectre?
First option: use the PowerShell module called “SpeculationControl” to check the protection status. To help customers verify that the protections are enabled, Microsoft published this module as a PowerShell script. It requires at least Windows PowerShell 5.1 and can be installed from the PowerShell Gallery with Install-Module, or downloaded as a ZIP from the TechNet Gallery: https://aka.ms/SpeculationControlPS
Note: the module must run in an elevated console, so right-click PowerShell and choose “Run as administrator”.
If you downloaded the module manually, import it from the folder you extracted it to and run the cmdlet:
PS> CD C:\Temp\SpeculationControl
PS> Import-Module .\SpeculationControl.psd1
PS> Get-SpeculationControlSettings
For each of the two vulnerabilities the cmdlet reports whether hardware support is present and whether the Windows mitigation is present and enabled (the same settings the SCCM configuration items described below check), followed by the actions still required on that machine.
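As an added example (not code from the original article or from Microsoft's module), here is a script that runs the same check across a list of servers over PowerShell remoting and turns the answers into one compliance table. It assumes WinRM is enabled and the SpeculationControl module is installed on each target; the host names are placeholders, and the -Quiet switch of Get-SpeculationControlSettings is assumed to exist in the module version you installed.

```powershell
# Added example, not code from the original article or from Microsoft's module:
# run Get-SpeculationControlSettings on several hosts and summarise the result.
# Assumptions: PowerShell remoting (WinRM) is enabled on the targets, the
# SpeculationControl module is installed on each of them
# (Install-Module SpeculationControl), and the host names are placeholders.
#Requires -Version 5.1
param(
    [string[]]$ComputerName = @('SRV-SQL01', 'SRV-FS01', 'WS-ADMIN01'),
    [string]$CsvPath = '.\SpeculationControl-Report.csv'
)

$raw = Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue `
                      -ErrorVariable remoteErrors -ScriptBlock {
    Import-Module SpeculationControl -ErrorAction Stop
    # -Quiet (assumed present in your module version) suppresses the explanatory
    # text and returns only the settings object.
    Get-SpeculationControlSettings -Quiet
}

$report = foreach ($r in $raw) {
    # Property names are those returned by the module; they mirror the SCCM CI settings:
    # BTI* = CVE-2017-5715 branch target injection, KVAShadow* = CVE-2017-5754 rogue data cache load.
    $btiProblem = ''
    if (-not $r.BTIWindowsSupportPresent)      { $btiProblem = 'OS patch missing' }
    elseif ($r.BTIDisabledByNoHardwareSupport) { $btiProblem = 'no microcode (firmware update needed)' }
    elseif ($r.BTIDisabledBySystemPolicy)      { $btiProblem = 'disabled by policy' }

    [pscustomobject]@{
        Computer          = $r.PSComputerName
        BTIHardware       = $r.BTIHardwarePresent
        BTIEnabled        = $r.BTIWindowsSupportEnabled
        BTIProblem        = $btiProblem
        KVAShadowRequired = $r.KVAShadowRequired
        KVAShadowEnabled  = $r.KVAShadowWindowsSupportEnabled
        # Compliant only if BTI is mitigated and kernel VA shadow is either not needed
        # (the CPU is not affected by Meltdown) or enabled.
        Compliant         = [bool]($r.BTIWindowsSupportEnabled -and
                            ((-not $r.KVAShadowRequired) -or $r.KVAShadowWindowsSupportEnabled))
    }
}

$report | Sort-Object Compliant, Computer | Format-Table -AutoSize
$report | Export-Csv -Path $CsvPath -NoTypeInformation

# Hosts that could not be queried are a finding in their own right, so list them explicitly.
$unreachable = $ComputerName | Where-Object { $_ -notin $raw.PSComputerName }
if ($unreachable) {
    Write-Warning ("Not queried (offline, WinRM off or module missing): " + ($unreachable -join ', '))
    $remoteErrors | ForEach-Object { Write-Warning $_.Exception.Message }
}
```

The BTIProblem column is what you act on: “no microcode” means the OS patch is in place but the firmware update from the hardware vendor is still missing, while “disabled by policy” points at the registry settings described in Microsoft's ADV180002 guidance rather than at a missing update.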
Second option: use SCCM to monitor the mitigation status across the whole estate.
Thanks to SCCM Compliance Settings, you can determine whether your workstations and servers have the protections against Spectre and Meltdown in place. The Configuration Manager team published a configuration baseline for this purpose. So the first thing to do is to download the .CAB file from the TechNet Gallery: https://gallery.technet.microsoft.com/Speculation-Execution-Side-1483f621
Why use this SCCM baseline?
This Compliance Settings configuration baseline confirms whether a system has enabled the protections needed against the speculative-execution side-channel vulnerabilities. It is based on the same checks as the PowerShell module “SpeculationControl”, so the result matches what Get-SpeculationControlSettings reports on the machine, but collected centrally instead of host by host.
How to import this SCCM baseline?
I will describe here how to import the baseline. Once the CAB file has been downloaded, open the SCCM console and navigate to:
- Assets and Compliance
- Overview
- Compliance Settings
Right-click on “Configuration Items” and select “Import Configuration Data”.
Select the CAB file that you previously downloaded.
The wizard imports the configuration data into your SCCM site.
This CAB file imports two Configuration Items, each with the following settings:
- CI: CVE-2017-5715 – Branch target injection
  a. Windows OS support for branch target injection mitigation is enabled
  b. Hardware support for branch target injection mitigation is present
  c. Windows OS support for branch target injection mitigation is present
  d. Windows OS support for branch target injection mitigation is disabled by absence of hardware support
  e. Windows OS support for branch target injection mitigation is disabled by system policy
- CI: CVE-2017-5754 – Rogue data cache load
  a. Windows OS support for kernel VA shadow is present
  b. Windows OS support for kernel VA shadow is enabled
Close the wizard and go back to Compliance Settings to confirm that the two Configuration Items are listed under “Configuration Items” and that the SCCM baseline has been imported under “Configuration Baselines”.
We need to create a new device collection to deploy and test the baseline. I called this collection “Check Compliance Vulnerabilities”:
Right-click on your baseline, and select “Deploy”:
Confirm the selected configuration baseline (1), select the collection for this configuration baseline deployment (2), specify the evaluation schedule (3) and confirm by clicking “OK” (4).
On an SCCM client, open the Configuration Manager applet (the SCCM agent) and, from the Actions tab, run the Machine Policy Retrieval & Evaluation Cycle. Wait a few seconds and the new baseline appears on the Configurations tab; if it is not listed yet, refresh until it appears.
Once the baseline is available, click “Evaluate” to check whether the client is compliant.
In my case the device is not compliant, so I check the report by clicking “View Report”. SCCM generates the HTML report in the Temp folder.
If you need more information, click on the CI: the report lists each setting and whether it is compliant, so you can see which of the mitigations is missing on that machine.
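As an added example (not part of the original article), here are the same client-side steps driven from an elevated PowerShell prompt, which is handy when you want to verify a batch of test machines without clicking through the applet on each one. It uses the Configuration Manager client's WMI namespaces root\ccm and root\ccm\dcm; the baseline display name is a placeholder to replace with the name shown in your console, and the LastComplianceStatus code mapping is an assumption to verify against your client version.

```powershell
# Added example, not from the original article: do from PowerShell what the
# article does through the Configuration Manager applet on the client:
# refresh machine policy, trigger evaluation of the imported baseline and
# read back its compliance state.
# Assumptions: run elevated on the SCCM client; $BaselineName is a placeholder
# for the display name your console shows for the imported baseline.
#Requires -RunAsAdministrator
param(
    [string]$BaselineName = 'Speculation Execution Side-Channel Vulnerabilities'
)

# 1. Machine Policy Retrieval & Evaluation Cycle (the "Machine Policy" action in the applet).
$machinePolicySchedule = '{00000000-0000-0000-0000-000000000021}'
Invoke-CimMethod -Namespace 'root\ccm' -ClassName SMS_Client -MethodName TriggerSchedule `
                 -Arguments @{ sScheduleID = $machinePolicySchedule } | Out-Null

# 2. Wait for the baseline to show up under root\ccm\dcm (the Configurations tab of the applet).
$baseline = $null
for ($i = 0; $i -lt 12 -and -not $baseline; $i++) {
    Start-Sleep -Seconds 10
    $baseline = Get-CimInstance -Namespace 'root\ccm\dcm' -ClassName SMS_DesiredConfiguration |
                Where-Object DisplayName -eq $BaselineName
}
if (-not $baseline) {
    throw "Baseline '$BaselineName' not received after 2 minutes; check the deployment and the collection membership."
}

# 3. Trigger evaluation (the "Evaluate" button). TriggerEvaluation is a static method of the class.
Invoke-CimMethod -Namespace 'root\ccm\dcm' -ClassName SMS_DesiredConfiguration -MethodName TriggerEvaluation -Arguments @{
    Name       = $baseline.Name
    Version    = $baseline.Version
    IsEnforced = [bool]$baseline.IsEnforced
    PolicyType = [uint32]$baseline.PolicyType
} | Out-Null

# 4. Give the client a moment to evaluate, then read the result back.
Start-Sleep -Seconds 20
$state = Get-CimInstance -Namespace 'root\ccm\dcm' -ClassName SMS_DesiredConfiguration |
         Where-Object Name -eq $baseline.Name

# Assumed mapping of LastComplianceStatus codes; verify against your client version.
$statusText = @{ 0 = 'Non-Compliant'; 1 = 'Compliant'; 2 = 'Submitted'; 3 = 'Unknown'; 4 = 'Detecting'; 5 = 'Not Evaluated' }

[pscustomobject]@{
    Baseline = $state.DisplayName
    Version  = $state.Version
    Status   = $statusText[[int]$state.LastComplianceStatus]
    LastEval = $state.LastEvalTime
}
```

Wrap the script in Invoke-Command against the “Check Compliance Vulnerabilities” collection members to evaluate them all in one go; a machine that never receives the baseline usually has not picked up its collection membership yet, which is why the script gives up with an error instead of waiting forever.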
Useful links
Below are some useful links to keep informed about these vulnerabilities:
- Vulnerability Note VU#584653: https://www.kb.cert.org/vuls/id/584653
- Intel® Management Engine Critical Firmware Update (Intel-SA-00086): https://www.intel.com/content/www/us/en/support/articles/000025619/software.html (a separate Intel firmware vulnerability disclosed in November 2017, not part of Spectre and Meltdown, but worth including in the same round of firmware updates)
- ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
- Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems: https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/
Conclusion
Thanks to the great work of the Configuration Manager team and the PowerShell team, we can now easily monitor the status of the Meltdown and Spectre mitigations in our environment. I tested the SCCM baseline in my environment on:
- SCCM 1710
- Windows 8.1, Windows 10 client
- Windows Server 2016
and it works without any issue.