Gavsto

CPU Vulnerability - Spectre / Meltdown Detection Solution

Recommended Posts

EDIT: 07/01/2018 - New version available which fixes a minor bug with some variables not setting in certain conditions

I spent last night putting this together. It utilises the original Microsoft PowerShell script to generate a number of EDFs that indicate a machine's current status for these vulnerabilities.

Here are the EDFs that generate:

[Image: screenshot of the generated EDFs]

These are in an EDF tab called "Meltdown and Spectre Detection".

The key EDF is "Is the machine secure" which will only tick when all other conditions are met and the machine is deemed secure.

I have decided to put this script and the associated XML on GitHub. I have tested this on systems with PowerShell 2, but as per the attached license in GitHub the software is provided AS IS without warranty of any kind. Test it fully before you roll it out.

Upcoming planned improvements:
1) Better error handling
2) Internal monitor for detecting insecure machines

If anyone wants to submit pull requests to the PS1, I will merge them and at the same time update the ConnectWise Automate / LabTech Script.

https://github.com/gavsto/ConnectWise-Automate-Meltdown-and-Spectre-Detection-Scripts

Only the .XML is needed: the .PS1 from GitHub is embedded in the actual Automate script. To repeat, you do not need the .ps1 from GitHub for this to be imported and detecting.

Usage:

1) Import XML Script (twice). If you are still having problems following the second import, reload system cache.
2) Ensure EDFs have created by opening an Agent, going to EDFs, going to the Meltdown and Spectre Detection Section
3) Make sure EDFs are all there
4) Run the script (by default, this imports into Scripts > Meltdown and Spectre Detection) against an agent, which will populate the EDFs

But how do I actually fix this?

1) Install the January 2018 Security Updates that were released a few days ago. These will only install if your AV provider has added a specific registry key to indicate that it works with your current AV provider.

2) Install the latest BIOS/Firmware upgrade from your hardware provider (Dell released a batch last night)

3) Follow instructions here to add relevant registry keys to enable the mitigations: https://support.microsoft.com/en-hk/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

This requires a reboot after Step 3.

Feedback and improvements welcome!

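As an added illustration of what the "Is the machine secure" EDF aggregates (this is example code, not the script from Gavsto's repository): the Automate script embeds Microsoft's SpeculationControl PowerShell script, and the function below applies the same kind of all-conditions-met rule to the object that `Get-SpeculationControlSettings` returns. The property names (`BTIHardwarePresent`, `KVAShadowRequired`, etc.) are those of the January 2018 module release and are assumed here; compare them against the output of your module version. The sample object at the bottom is constructed, not real telemetry, and the `[pscustomobject]` syntax needs PowerShell 3 or later.

```powershell
# Added example, not Gavsto's script. Reproduces an "is the machine secure" verdict
# from the object returned by Microsoft's Get-SpeculationControlSettings
# (SpeculationControl module). Property names are assumed from the Jan 2018 module.

function Get-SpectreMeltdownVerdict {
    param(
        # Pass a captured or constructed settings object to evaluate offline;
        # omit it to query the local machine.
        [psobject]$Settings
    )

    if (-not $Settings) {
        # Requires the module: Install-Module SpeculationControl (PSGallery)
        Import-Module SpeculationControl -ErrorAction Stop
        # The cmdlet prints a human-readable report and returns one object
        $Settings = Get-SpeculationControlSettings | Select-Object -First 1
    }

    # Spectre variant 2 (branch target injection) needs all three: microcode/firmware
    # support visible to the OS, OS support (the January 2018 update), and the
    # mitigation actually enabled (Server SKUs leave it off until the registry override is set).
    $btiOk = $Settings.BTIHardwarePresent -and
             $Settings.BTIWindowsSupportPresent -and
             $Settings.BTIWindowsSupportEnabled

    # Meltdown: kernel VA shadowing is only required on affected CPUs. When it is
    # required, OS support must be present and enabled; otherwise there is nothing to do.
    $kvaOk = (-not $Settings.KVAShadowRequired) -or
             ($Settings.KVAShadowWindowsSupportPresent -and
              $Settings.KVAShadowWindowsSupportEnabled)

    # Report the next step in the same order as the remediation list in the post.
    $nextStep = 'None - all applicable mitigations are active'
    if (-not $Settings.BTIWindowsSupportPresent -or
        ($Settings.KVAShadowRequired -and -not $Settings.KVAShadowWindowsSupportPresent)) {
        $nextStep = 'Install the January 2018 security update (requires the AV QualityCompat key)'
    }
    elseif (-not $Settings.BTIHardwarePresent) {
        $nextStep = 'Install the BIOS/firmware (microcode) update; on a VM, patch the host first and cold-boot the VM'
    }
    elseif (-not $btiOk -or -not $kvaOk) {
        $nextStep = 'Enable the mitigations via the FeatureSettingsOverride registry values and reboot'
    }

    [pscustomobject]@{
        BTIHardwarePresent             = [bool]$Settings.BTIHardwarePresent
        BTIWindowsSupportPresent       = [bool]$Settings.BTIWindowsSupportPresent
        BTIWindowsSupportEnabled       = [bool]$Settings.BTIWindowsSupportEnabled
        KVAShadowRequired              = [bool]$Settings.KVAShadowRequired
        KVAShadowWindowsSupportPresent = [bool]$Settings.KVAShadowWindowsSupportPresent
        KVAShadowWindowsSupportEnabled = [bool]$Settings.KVAShadowWindowsSupportEnabled
        IsSecure                       = [bool]($btiOk -and $kvaOk)
        NextStep                       = $nextStep
    }
}

# Constructed sample (not real data): a patched VM whose hypervisor does not yet
# expose the updated microcode features, so the guest sees no BTI hardware support.
$sample = [pscustomobject]@{
    BTIHardwarePresent             = $false
    BTIWindowsSupportPresent       = $true
    BTIWindowsSupportEnabled       = $false
    KVAShadowRequired              = $true
    KVAShadowWindowsSupportPresent = $true
    KVAShadowWindowsSupportEnabled = $true
}
Get-SpectreMeltdownVerdict -Settings $sample | Format-List
# IsSecure is False and NextStep points at the firmware/host update.

# Live check against the local machine:
# Get-SpectreMeltdownVerdict | Format-List
```

The sample also explains the "next step is BIOS/firmware" result people see on VMs later in this thread: `BTIHardwarePresent` is derived from CPU features the guest can see, and a guest only sees the updated microcode features once the host has the firmware update and the VM has been fully shut down and started again on it.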

Thanks for the hours and thought you've put into this, Gavsto. I'm rolling this out now for detection and audit purposes.  We're waiting on taking remediation steps until WR and other AV vendors push their new release. 

Cheers


Wow, that is awesome Gavsto. I will try this out and report back how it goes. If I can think of any improvements, I will look to make them and share them as well. 


Hi! Great work! I have done the import twice, and see it under EDF. But I can't find the script under scripts...? I'm running V12...

 

UPDATE: My bad... slow server did not update the scripts view! I'll see it now.

Edited by stefanjansson


Folks,

It seems there is a bug with this script. I have been using this script with gratitude for almost a day, and it seems most of the time it is accurate. However I have come across two client servers, both running Windows Server 2008 R2 where the EDF for "Hardware requires kernel VA Shadowing" is not being set correctly for some reason. I can see the result coming back from the agents is correct (the value is True), however the associated EDF is not checked, even after refreshing the agent. I tried to see if I could diagnose it in the scripts, however it is beyond my skillset. It could also be an issue with Automate (I'm running 11.0.418 Patch 17). I just thought I would update in case others are seeing this as well. 

Regards, cgracie.


Looking good Gavsto!! Those two systems are now showing the right info in the EDFs. You are the man, many thanks for your efforts!!


Hi, sorry, first time posting. I have imported the XML and can run the script and see the EDF. However, the script says it is waiting. Can you please let me know what I should check to see why?

 

We are running labtech 11.0.353.

Robin


Hi Pointy,

I would reach out to LabTech about that, or at least try restarting the agent. We are finding the script from Gavsto runs quite rapidly (i.e. less than a minute). Make sure you imported the script twice though, that is not a joke.

Regards, Cam.


Hi we are fairly new with customizing LT. Is there something that I am supposed to run to check the EDF boxes? We have the EDFs listed.


Has anyone attempted to automate installing the BIOS updates required for this (where available)? For the most part, the patches and registry keys were already relatively straightforward to script (though I did install the EDFs, thanks Gavsto), but that's honestly a pretty small portion of the overall work required here.

35 minutes ago, darrinpio said:

Hi we are fairly new with customizing LT. Is there something that I am supposed to run to check the EDF boxes? We have the EDFs listed.

You need to import the XML files then run the script "Meltdown and Spectre Detection" on the agents you want to check.

The EDFs are created and populated by the script.


By the same exact script? So I need to run the script twice? I am on hold with LT chat. But I can see the scripts under "view scripts" but at the client level, some of the scripts are not available to run.

4 minutes ago, darrinpio said:

By the same exact script? So I need to run the script twice? I am on hold with LT chat. But I can see the scripts under "view scripts" but at the client level, some of the scripts are not available to run.

I just ran the script that was imported into the folder "Meltdown and Spectre Detection", which is also called "Meltdown and Spectre Detection" - that created and populated the EDFs.

Edited by szkoda


Thanks for the scripts!

I've been wondering, has anyone created any monitors to check for the existence of the relevant registry entries, or would there be a better approach? 

For instance, the QualityCompat key that needs to be in place for the January updates to install, I'm thinking it would be nice to be alerted if machines are missing it, or if future new machines that come online are missing that key. 

According to the last MS bulletin I saw, that key is going to be required for the January, and all future Security updates to install.

 

Side note --- does anyone know if the check for that registry key is a function of the installation file, or a function of windows update itself. I'm wondering if by using Labtech, it might ignore checking for that key.


First, thank you for creating this, much appreciated!  

Secondly -- pardon my ignorance, but are the registry changes (e.g. Hyper-V host mitigation) absolutely required as well, or does that Windows patch / BIOS update solve everything?  Wondering why the Windows patch wouldn't take care of those changes where applicable...

 

 

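An added example for the two registry questions above (the QualityCompat key monitor, and whether the KB4072698 registry changes are needed on top of the patch). This is example code, not part of Gavsto's script. The values are the ones Microsoft documents: the AV compatibility value `cadca5fe-87d3-4b96-b7fb-a231484277cc` under `QualityCompat`, which is set by the AV vendor and gates whether the January 2018 update is offered; `FeatureSettingsOverride = 0` with `FeatureSettingsOverrideMask = 3`, which KB4072698 uses to turn the mitigations on because Windows Server ships the January update with them disabled by default (client SKUs enable them by default, so on a workstation the absence of these two values is not a finding); and `MinVmVersionForCpuBasedMitigations = "1.0"`, which applies to Hyper-V hosts only. Whether a machine is treated as a Hyper-V host is left to the caller (an assumption of this example), and the function deliberately never creates the QualityCompat value itself.

```powershell
# Added example, not part of Gavsto's script. Reports, and with -Fix sets, the
# registry values from KB4072698 and the AV compatibility key required by the
# January 2018 update. Run elevated when using -Fix; a reboot is needed afterwards.

function Get-MitigationRegistryState {
    param(
        [switch]$HyperVHost,   # caller decides (assumption): include the Hyper-V host value
        [switch]$Fix           # set the fixable values that are missing or wrong
    )

    $memMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $checks = @(
        @{ Name = 'AV compat key (Jan 2018 update is only offered when present)'
           Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
           Value = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'; Expected = 0; Type = 'DWord'; Fixable = $false },
        @{ Name = 'FeatureSettingsOverride (0 = enable BTI and KVA shadow mitigations)'
           Path = $memMgmt
           Value = 'FeatureSettingsOverride'; Expected = 0; Type = 'DWord'; Fixable = $true },
        @{ Name = 'FeatureSettingsOverrideMask (3 = both mitigation bits are governed)'
           Path = $memMgmt
           Value = 'FeatureSettingsOverrideMask'; Expected = 3; Type = 'DWord'; Fixable = $true }
    )
    if ($HyperVHost) {
        $checks += @{ Name = 'MinVmVersionForCpuBasedMitigations (Hyper-V host)'
                      Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
                      Value = 'MinVmVersionForCpuBasedMitigations'; Expected = '1.0'; Type = 'String'; Fixable = $true }
    }

    $rebootNeeded = $false
    foreach ($c in $checks) {
        $actual = $null
        if (Test-Path $c.Path) {
            # Dynamic property access: the value name is the property name on the returned object
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        }
        $ok = ($null -ne $actual) -and ("$actual" -eq "$($c.Expected)")

        if (-not $ok -and $Fix -and $c.Fixable) {
            # The QualityCompat value is never written here: it is the AV vendor's
            # statement of compatibility, not something to assert on their behalf.
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            New-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -PropertyType $c.Type -Force | Out-Null
            $actual = $c.Expected; $ok = $true; $rebootNeeded = $true
        }

        [pscustomobject]@{ Check = $c.Name; Path = $c.Path; Value = $c.Value
                           Expected = $c.Expected; Actual = $actual; OK = $ok }
    }
    if ($rebootNeeded) { Write-Warning 'Mitigation registry values changed: reboot before they take effect.' }
}

# Report only (usable as the body of a monitor/script that flags machines with OK = False):
Get-MitigationRegistryState | Format-Table -AutoSize

# Apply the overrides on a Hyper-V host, then reboot:
# Get-MitigationRegistryState -Fix -HyperVHost
```

For a monitor, the row worth alerting on first is the QualityCompat one, since without it the January update is not offered and nothing else in the thread's remediation list can proceed; the FeatureSettingsOverride rows only matter on Server SKUs and Hyper-V hosts, where the update alone leaves the mitigations off until these values are set and the machine is rebooted.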

I found with our installation that EDFs do not get recognised until after restarting the LT console.

I imported the script, then tried to open it and received errors.

Restarted the console and then able to open the scripts.

 

oh, and thanks for the script!  Love ya work!

 

Cheers,

Roger


My virtual machines tell me the next step is to install BIOS/Firmware update. I'm not sure why, anyone else see this? (Host is VMware fully patched already along with VMware VM patches)


Hi Gavsto,

Which is the one xml file I need to import? I can see 4 different ones in that 'Automate Scripts' folder.

Is it the one with this description: "Two new EDFs - one for AV key detected and another for date last ran" ?

@Gavsto ?

Thanks!

Edited by EssentialSteve

On 1/12/2018 at 7:21 AM, dcancela said:

My virtual machines tell me the next step is to install BIOS/Firmware update. I'm not sure why, anyone else see this? (Host is VMware fully patched already along with VMware VM patches)

If this is a Hyper-V host and the firmware updates have been applied: fully shutdown all Virtual Machines (to enable the firmware related mitigation for VMs you have to have the firmware update applied on the host before the VM starts).

Restart the server for changes to take effect.

