2018 starts with very bad news. Once again, a significant security issue has been found by several independent research teams: the CPU vulnerabilities known as Meltdown and Spectre, disclosed in January 2018. They allow a program to read memory that belongs to other programs (and, in the case of Meltdown, to the kernel), so a malicious process can use them to steal secrets held in memory by other running processes. In this article, we discuss this new challenge for sysadmins.

Who is affected?


Spectre affects chips manufactured by Intel, AMD and ARM; Meltdown mainly affects Intel processors (and a few ARM cores). Because the flaw is in the hardware, every operating system running on those chips is affected, not only Windows: Linux, Android, Chrome OS, iOS and macOS devices are affected as well.

The good news is that fixes are available; the bad news is the performance impact. The Meltdown mitigation is an operating-system change (Microsoft calls it "kernel VA shadow"), and Intel has acknowledged possible slowdowns from it ("Intel reveals possible slowdowns from 'Meltdown' processor fix"). The overhead depends on the workload and is largest for applications that make many system calls or do heavy I/O, so before patching production machines, measure the impact in your test environment, especially on your SQL Servers.

Don't forget to apply firmware updates as well: the mitigation for branch target injection (Spectre variant 2) needs new CPU microcode, which is delivered as a BIOS/UEFI update, so check with your hardware vendor whether a new version is available.


What did Microsoft say?

“Antivirus updates should be installed first. Then make sure Windows automatic updates is turned on. If automatic updates is turned on, the updates will be automatically installed.”

The following article discusses the impact of these vulnerabilities and provides resources to help keep devices protected: https://support.microsoft.com/en-us/help/4073757/protect-your-windows-devices-against-spectre-meltdown

How to Monitor Meltdown and Spectre?

First option: you can use the PowerShell module called "SpeculationControl" to check the protection status. To help customers verify that the protections are enabled, Microsoft published this module, which provides the Get-SpeculationControlSettings cmdlet. It requires at least Windows PowerShell 5.1 and must be run from an elevated console (right-click the PowerShell icon and select "Run as administrator"). The module can be installed from the PowerShell Gallery, or downloaded from the TechNet Gallery (https://aka.ms/SpeculationControlPS), extracted and imported manually:

PS> CD C:\Temp\SpeculationControl

PS> Import-Module .\SpeculationControl.psd1

PS> Get-SpeculationControlSettings

The output of the cmdlet lists, for each vulnerability, whether hardware support for the mitigation is present and whether Windows support is present and enabled:

[Screenshot: output of Get-SpeculationControlSettings]
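The cmdlet only reports the raw flags; turning them into a single pass/fail verdict, with the reason for each failure and the fix to apply, is what you actually need when you run this on many machines. The following script is an added example and is not part of the original article or of Microsoft's module. It assumes PowerShell 5.1 with access to the PowerShell Gallery, and it assumes the property names of the January 2018 module releases (BTIHardwarePresent, KVAShadowRequired and so on); run Get-SpeculationControlSettings | Get-Member to confirm the names on your version. The Enable-MitigationOverride function and its registry values are the ones Microsoft documented for Windows Server, where the mitigations stay off until the override is set.

```powershell
# Added example (not from the original article or from the SpeculationControl module).
# Assumptions: PowerShell 5.1+, PowerShell Gallery reachable, property names as in the
# January 2018 module releases (verify with Get-SpeculationControlSettings | Get-Member).

function Install-SpeculationControlModule {
    # The module is published by Microsoft on the PowerShell Gallery.
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module -Name SpeculationControl
}

function Test-SpeculativeExecutionMitigation {
    [CmdletBinding()]
    param(
        # The object returned by Get-SpeculationControlSettings (passed in so the
        # logic can also be run against a result captured on another machine).
        [Parameter(Mandatory)] $Settings
    )

    $failures = @()   # anything here makes the machine non-compliant
    $warnings = @()   # informational, does not affect compliance

    # CVE-2017-5715, branch target injection (Spectre variant 2)
    if (-not $Settings.BTIHardwarePresent) {
        $failures += 'BTI: no hardware (microcode) support; apply the vendor firmware update'
    }
    if (-not $Settings.BTIWindowsSupportPresent) {
        $failures += 'BTI: Windows support missing; install the January 2018 cumulative update'
    }
    elseif (-not $Settings.BTIWindowsSupportEnabled) {
        if ($Settings.BTIDisabledBySystemPolicy) {
            $failures += 'BTI: Windows support disabled by system policy (FeatureSettingsOverride)'
        }
        elseif ($Settings.BTIDisabledByNoHardwareSupport) {
            $failures += 'BTI: Windows support disabled because hardware support is absent'
        }
        else {
            $failures += 'BTI: Windows support present but not enabled'
        }
    }

    # CVE-2017-5754, rogue data cache load (Meltdown). KVAShadowRequired is $false on
    # CPUs the module knows are not affected, so the checks are skipped there.
    if ($Settings.KVAShadowRequired) {
        if (-not $Settings.KVAShadowWindowsSupportPresent) {
            $failures += 'KVA shadow: Windows support missing; install the January 2018 cumulative update'
        }
        elseif (-not $Settings.KVAShadowWindowsSupportEnabled) {
            $failures += 'KVA shadow: Windows support present but not enabled (on Windows Server set the registry override)'
        }
        elseif (-not $Settings.KVAShadowPcidEnabled) {
            # Not a security gap, but it explains why two patched hosts perform differently.
            $warnings += 'KVA shadow: enabled without PCID; expect a larger performance hit'
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($failures.Count -eq 0)
        Failures     = $failures
        Warnings     = $warnings
    }
}

function Enable-MitigationOverride {
    # Windows Server leaves both mitigations off after the update is installed until
    # these values are set (clients enable them by default). A reboot is required.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    Set-ItemProperty -Path $key -Name 'FeatureSettingsOverride'     -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name 'FeatureSettingsOverrideMask' -Value 3 -Type DWord
}

# Usage (elevated PowerShell 5.1 console):
Install-SpeculationControlModule
$result = Test-SpeculativeExecutionMitigation -Settings (Get-SpeculationControlSettings)
$result | Format-List
# On a Windows Server that reports "present but not enabled":
#   Enable-MitigationOverride; Restart-Computer
```

Run Test-SpeculativeExecutionMitigation before and after each change (patch, firmware, registry override, reboot) so that you know which step actually turned a flag on; a host can have the update installed and still be unprotected until the firmware arrives or, on Windows Server, until the override is set.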

Second option: you can use SCCM to monitor these vulnerabilities.

Thanks to SCCM Compliance Settings, you can determine whether your workstations and servers have received the OS patch from Microsoft that mitigates Spectre and Meltdown, and whether the mitigations are actually enabled. The Configuration Manager team published a configuration baseline that will help you monitor Meltdown and Spectre. So the first thing to do is to download the .CAB file from the TechNet Gallery: https://gallery.technet.microsoft.com/Speculation-Execution-Side-1483f621

Why use this SCCM baseline?

This Compliance Settings configuration baseline is used to confirm whether a system has enabled the protections needed to protect against the speculative-execution side-channel vulnerabilities. This baseline is based on the functionality in the PowerShell module “SpeculationControl”.

How to import this SCCM baseline?

Once the CAB file has been downloaded, open the SCCM console and navigate to:

  • Assets and Compliance
  • Overview
  • Compliance Settings


Right-click on "Configuration Items" and select "Import Configuration Data".

Import the CAB file that you previously downloaded.

The wizard will import the configuration data into your SCCM console.

This CAB file will import two Configuration Items, one per CVE, each with several settings:

  • CI: CVE-2017-5715 – Branch target injection
    a. Windows OS support for branch target injection mitigation is enabled
    b. Hardware support for branch target injection mitigation is present
    c. Windows OS support for branch target injection mitigation is present
    d. Windows OS support for branch target injection mitigation is disabled by absence of hardware support
    e. Windows OS support for branch target injection mitigation is disabled by system policy

  • CI: CVE-2017-5754 – Rogue data cache load
    a. Windows OS support for kernel VA shadow is present
    b. Windows OS support for kernel VA shadow is enabled

Two points to keep in mind when reading the results. First, the baseline checks whether each mitigation is present and enabled, not merely whether the update is installed: a Windows Server with the January 2018 update installed but without the FeatureSettingsOverride registry values will correctly report as non-compliant, and any machine without the vendor firmware update will fail the hardware-support setting. Second, the baseline does not cover CVE-2017-5753 (bounds check bypass, Spectre variant 1), which has no system-wide switch to test and is mitigated by recompiling the affected software.

Close the wizard and go to the Compliance Settings section to confirm that you can see the Configuration Items.

The SCCM baseline has also been imported.

We need to create a new device collection to deploy and test the baseline. I called this collection "Check Compliance Vulnerabilities".

Right-click on your baseline and select "Deploy".

Confirm the selected configuration baseline (1), select the collection for this configuration baseline deployment (2), specify the evaluation schedule (3) and confirm by clicking “OK” (4).


On an SCCM client, open the Configuration Manager control panel applet and, on the Actions tab, run the "Machine Policy Retrieval & Evaluation Cycle". After a few seconds the new baseline appears on the Configurations tab; if it is not listed yet, refresh the tab until it appears.

When the baseline is listed, click "Evaluate" to check whether the client is compliant or not.

In my case, the device is not compliant, so I can check the report by clicking "View Report". SCCM generates the HTML report in the Temp folder.
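Clicking through the control panel applet is fine for one or two test machines, but for a pilot collection you will want the same three steps (refresh machine policy, evaluate the baseline, read the result) as a script you can run against a list of clients. The following is an added example and is not part of the original article or of the Configuration Manager team's baseline. It assumes remote CIM/WMI access to the clients with the ConfigMgr client installed, and it assumes the TriggerSchedule and TriggerEvaluation methods and the SMS_DesiredConfiguration properties (DisplayName, Name, Version, IsEnforced, LastEvalTime, LastComplianceStatus) as exposed by the 1710-era client; the baseline display name passed in is whatever the imported baseline is called in your console.

```powershell
# Added example (not from the original article or from the Configuration Manager team).
# Assumptions: remote CIM access, ConfigMgr client installed, client-side DCM classes
# and methods as exposed by the 1710-era client (see lead-in). The mapping of
# LastComplianceStatus values 0/1 to non-compliant/compliant is assumed; any other
# value is reported as NotEvaluated.

function Get-ClientBaseline {
    param($Session, [string] $DisplayName)
    Get-CimInstance -CimSession $Session -Namespace 'root\ccm\dcm' `
        -ClassName SMS_DesiredConfiguration |
        Where-Object { $_.DisplayName -eq $DisplayName }
}

function Invoke-SccmBaselineEvaluation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]] $ComputerName,
        [Parameter(Mandatory)][string]   $BaselineDisplayName,
        [int] $TimeoutSeconds = 120
    )

    foreach ($computer in $ComputerName) {
        $session = New-CimSession -ComputerName $computer
        try {
            # 1. Machine Policy Retrieval & Evaluation Cycle (schedule ID ...0021):
            #    the same action as the button in the control panel applet.
            Invoke-CimMethod -CimSession $session -Namespace 'root\ccm' -ClassName SMS_Client `
                -MethodName TriggerSchedule `
                -Arguments @{ sScheduleID = '{00000000-0000-0000-0000-000000000021}' } | Out-Null

            # 2. Wait until the baseline shows up in the client's DCM store.
            $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
            do {
                $baseline = Get-ClientBaseline -Session $session -DisplayName $BaselineDisplayName
                if (-not $baseline) { Start-Sleep -Seconds 5 }
            } until ($baseline -or (Get-Date) -gt $deadline)

            if (-not $baseline) {
                [pscustomobject]@{ ComputerName = $computer; Result = 'BaselineNotReceived'; LastEvalTime = $null }
            }
            else {
                # 3. Same as clicking "Evaluate" on the Configurations tab.
                $before = $baseline.LastEvalTime
                Invoke-CimMethod -CimSession $session -Namespace 'root\ccm\dcm' `
                    -ClassName SMS_DesiredConfiguration -MethodName TriggerEvaluation `
                    -Arguments @{ Name = $baseline.Name; Version = $baseline.Version; IsEnforced = $baseline.IsEnforced } | Out-Null

                # 4. Poll until LastEvalTime moves (or we time out), then read the status.
                do {
                    Start-Sleep -Seconds 5
                    $baseline = Get-ClientBaseline -Session $session -DisplayName $BaselineDisplayName
                } until ($baseline.LastEvalTime -ne $before -or (Get-Date) -gt $deadline)

                $result = switch ($baseline.LastComplianceStatus) {
                    0       { 'NonCompliant' }
                    1       { 'Compliant' }
                    default { 'NotEvaluated' }
                }
                [pscustomobject]@{ ComputerName = $computer; Result = $result; LastEvalTime = $baseline.LastEvalTime }
            }
        }
        finally {
            Remove-CimSession -CimSession $session
        }
    }
}

# Usage: names below are placeholders for your own pilot machines and baseline name.
Invoke-SccmBaselineEvaluation -ComputerName 'WKS01', 'SRV01' `
    -BaselineDisplayName 'Speculation Execution Side-Channel Vulnerabilities' |
    Format-Table -AutoSize
```

Use this to verify a pilot collection quickly after deploying the baseline; for the fleet-wide picture, rely on the evaluation schedule you set in the deployment and the built-in Compliance and Settings Management reports in the SCCM console, rather than polling every client. A "NonCompliant" result here tells you only that one of the settings listed above failed; the per-setting detail is in the client report (or in the output of Get-SpeculationControlSettings on that machine).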

If you need more information, click on the CI in the report to see the individual settings and their values.

Useful links

Below are some useful links to keep informed about these vulnerabilities:

Conclusion

Thanks to the great work of the Configuration Manager team and the PowerShell team, we can now easily monitor the status of the Meltdown and Spectre mitigations in our environment. The SCCM baseline has been tested on my environment:

  • SCCM 1710
  • Windows 8.1, Windows 10 client
  • Windows Server 2016

and it works without any issue.
