01/09/2018 update: added a Report and another CIR.
Script changelog from Microsoft:
- Added message directing users to explanation of output
- Addressed feedback regarding multiple CPUs when setting $cpu
02/02/2018 update: corrected & updated the vulnerable report. Added a new report with secured devices.
Vulnerable Report: Download
Secured Report: Download
For an official statement from Quest please visit: https://support.quest.com/kb/237193
Hi all,
here is a quick blog on how to check for the hardware vulnerabilities CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754, better known as Spectre and Meltdown.
I am using the Microsoft security guidance ADV180002 as the base script, with KACE modifications.
The outcome of this blog is that you can easily see, filter, report and label all your Windows clients higher than Windows 7 SP1 or Server 2012 R2 which are vulnerable to or secured against Spectre and/or Meltdown. To achieve this we first need a script.
The script can be found in the downloaded "Spectre_Meltdown.zip".
If you need assistance to import it to your KACE SMA (K1000) please feel free to contact me.
The script will create the logfile "C:\Windows\Logs\KACE_CPU_Check.log" and rewrite it on every run.
To be able to search, label and report on this data we need a Custom Inventory Rule (CIR).
It can be found in the downloaded "Spectre_Meltdown.zip".
After that you should be able to filter everything the way you are used to.
Enabled protections appear in the output as "true".
Example for filtering for vulnerable devices:
If you go to the device details you will see that this device is vulnerable to both.
Now you want to check with one click which devices are vulnerable and compatible to receive the patches through patching. To do that we again need a custom inventory rule, which checks whether the compatibility registry key is present. This can also be found in the downloaded "Spectre_Meltdown.zip".
The next step is to import the two reports which are stored in the downloaded "Spectre_Meltdown.zip". The first report will show all vulnerable devices. The second report will list all devices which are secure.
You can modify / add / delete everything within the scripts, custom inventories or SQL reports.
If you rename your custom inventory rules, change the names in the SQL query too.
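As an added example (not the script shipped in Spectre_Meltdown.zip), here is a minimal PowerShell version of the check that writes a plain key=value log for a Custom Inventory Rule to read back. It assumes the ADV180002 module is unzipped to C:\ADV180002 and that the CIR reads the file with ShellCommandTextReturn(type ...); both the file layout and that CIR command are my assumptions, not the blog's package.

```powershell
# Added example, not the blog's script. Assumptions: Microsoft's SpeculationControl
# module (ADV180002) is unzipped to C:\ADV180002, the script runs elevated (the KACE
# agent runs it as SYSTEM), and the matching Custom Inventory Rule reads the log
# back with something like ShellCommandTextReturn(type C:\Windows\Logs\KACE_CPU_Check.log).
$ModuleDir = 'C:\ADV180002'
$LogPath   = 'C:\Windows\Logs\KACE_CPU_Check.log'

# Import the .psm1 directly instead of the .psd1 manifest: PowerShell 2.0 (the
# Windows 7 SP1 default) rejects manifests that use the newer 'RootModule' key.
Import-Module (Join-Path $ModuleDir 'SpeculationControl.psm1') -ErrorAction Stop

# Returns an object with the BTI*/KVAShadow* properties (it also prints a summary).
$s = Get-SpeculationControlSettings

# Spectre variant 2 (CVE-2017-5715): mitigated only when the OS-side branch target
# injection mitigation is actually enabled (which needs firmware support as well).
$spectreSecure = [bool]$s.BTIWindowsSupportEnabled
# Meltdown (CVE-2017-5754): secure when the CPU needs no KVA shadowing at all,
# or when it does and Windows has kernel VA shadowing enabled.
$meltdownSecure = (-not [bool]$s.KVAShadowRequired) -or [bool]$s.KVAShadowWindowsSupportEnabled

# One key=value line per property; booleans are written lower-case so a KACE
# filter on "true" matches the way the blog describes.
$lines = @(
    'BTIHardwarePresent',
    'BTIWindowsSupportPresent',
    'BTIWindowsSupportEnabled',
    'BTIDisabledBySystemPolicy',
    'BTIDisabledByNoHardwareSupport',
    'KVAShadowRequired',
    'KVAShadowWindowsSupportPresent',
    'KVAShadowWindowsSupportEnabled',
    'KVAShadowPcidEnabled'
) | ForEach-Object { '{0}={1}' -f $_, ([string]$s.$_).ToLower() }
$lines += 'SpectreSecure={0}'  -f ([string]$spectreSecure).ToLower()
$lines += 'MeltdownSecure={0}' -f ([string]$meltdownSecure).ToLower()

# Write the file explicitly and overwrite it on every run. No Start-Transcript:
# as the comments on this post show, a transcript under the agent can end up empty.
$lines | Out-File -FilePath $LogPath -Encoding ascii -Force
```

The two derived lines (SpectreSecure, MeltdownSecure) are what the vulnerable/secure reports would key on; the raw properties are kept so a device's detail page still shows why it was classified that way.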
Cheers Timo
https://support.symantec.com/en_US/article.TECH248545.html
Here is a quick custom inventory rule to check your machines for the ERASER driver version:
ShellCommandTextReturn(reg query HKLM\SYSTEM\CurrentControlSet\Services\eeCtrl\Parameters\Clients /v /f EraserUtilDrv*)
If this includes "EraserUtilDrv11730", which seems to be the latest version of the ERASER driver at the moment (January 9th 2018), you should be able to install these Microsoft updates.
Installation of compatible ERASER drivers (comes through a definition update by the way) seems to set the QualityCompat-registry value (https://support.microsoft.com/en-hk/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software) - chrpetri 6 years ago
I double checked and my private device with Symantec Endpoint Protections Small Business Edition already got the update and the registry key.
Regards
Timo - Timokirch 6 years ago
I have imported the scripts and have enabled and ran the "Meltdown & Spectre Analysis" script and am ready to run the "Spectre & Meltdown vulnerable and ready to patch" report, but pardon my ignorance, how do I use the CustomInventory Software packages you created? - Shock 6 years ago
after you have imported the custom inventory packages you'll find them in the "Inventory/Software" section if you search for "Inventory" (that's the name I gave them). They will be checked at each inventory. Please double-check the "Supported Operating Systems" setting to match your environment. These inventory settings will then be checked on every device inventory. There is nothing more to do because the report will automatically use the data from these inventory rules. If you want to double-check the results you can go to the device details and check the "custom inventory fields" section.
Regards
Timo - Timokirch 6 years ago
you already should see the Patches in your catalog.
Regards
Timo - Timokirch 6 years ago
you can find the Microsoft patches released in January in your patch catalog - make sure that it is up to date. Dell BIOS updates should be available as soon as Dell puts them into their packages. Until then they are available for deployment here:
http://www.dell.com/support/article/us/en/19/sln308587/microprocessor-side-channel-vulnerabilities-cve-2017-5715-cve-2017-5753-cve-2017-5754-impact-on-dell-products?lang=en
http://www.dell.com/support/article/de/de/debsdt1/sln308588/microprocessor-side-channel-vulnerabilities-cve-2017-5715-cve-2017-5753-cve-2017-5754-impact-on-dell-emc-products-dell-enterprise-servers-storage-and-networking-?lang=en
Regards
Timo - Timokirch 6 years ago
SELECT
Unix_Timestamp(KBSYS.PATCHLINK_PATCH.RELEASEDATE) AS DATEPOSTED_SECONDS,
KBSYS.PATCHLINK_PATCH.IS_APP,
KBSYS.PATCHLINK_PATCH.IMPACTID AS DESCRIPTION,
KBSYS.PATCHLINK_PATCH.RELEASEDATE AS DATEPOSTED,
KBSYS.PATCHLINK_PATCH.IS_SUPERCEDED,
KBSYS.PATCHLINK_PATCH.DESCR,
KBSYS.PATCHLINK_PATCH.ID AS BID,
KBSYS.PATCHLINK_PATCH.UID AS UID,
KBSYS.PATCHLINK_PATCH.IDENTIFIER AS BULLETINID,
KBSYS.PATCHLINK_PATCH.STATUSID AS STATUS,
KBSYS.PATCHLINK_PATCH.TYPE,
KBSYS.PATCHLINK_PATCH.VENDOR,
PATCHLINK_PATCH_COUNT.UNPATCHED,
Year(KBSYS.PATCHLINK_PATCH.RELEASEDATE) AS DATEPOSTED_YEAR,
PATCHLINK_PATCH_COUNT.PATCHED,
KBSYS.PATCHLINK_PATCH.TITLE,
KBSYS.PATCHLINK_IMPACT.IMPACT_SEQ,
PATCHLINK_PATCH_STATUS.STATUS AS PATCH_STATUS,
KBSYS.PATCHLINK_PATCH.CACHE_SIZE AS CACHE_SIZE,
KBSYS.PATCHLINK_PATCH.ID AS TOPIC_ID
FROM
KBSYS.PATCHLINK_PATCH
LEFT JOIN PATCHLINK_PATCH_COUNT ON PATCHLINK_PATCH_COUNT.PATCHUID = KBSYS.PATCHLINK_PATCH.UID
JOIN KBSYS.PATCHLINK_IMPACT ON KBSYS.PATCHLINK_IMPACT.IMPACT = KBSYS.PATCHLINK_PATCH.IMPACTID
LEFT JOIN PATCHLINK_PATCH_STATUS ON PATCHLINK_PATCH_STATUS.PATCHUID = KBSYS.PATCHLINK_PATCH.UID
WHERE
KBSYS.PATCHLINK_PATCH.VENDOR LIKE '%Microsoft%' AND
KBSYS.PATCHLINK_PATCH.IS_SUPERCEDED = '0' AND
((KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4056890%') OR
(KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4056893%') OR
(KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4056892%') OR
(KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4056891%') OR
(KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4056895%') OR
(KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4056568%') OR
(KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4056894%') OR
(KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4056888%') OR
(KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4057114%') OR
(KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4057113%') OR
(KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4058560%') OR
(KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4058559%') OR
(KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4057118%') OR
(KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4058561%') OR
(KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4057122%') OR
(KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4058562%') OR
(KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4056897%') OR
(KBSYS.PATCHLINK_PATCH.TITLE LIKE '%KB4056898%')) - chrpetri 6 years ago
can you double-check that you wrote the regkey to HKLM64? If you use the default HKLM KACE will use the 32 bit registry.
Regards
Timo - Timokirch 6 years ago
We are using HKLM64.
Set “HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat”.
Set “HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat!cadca5fe-87d3-4b96-b7fb-a231484277cc” to “0x00000000”.
It seems to set it correctly but KACE does not detect it until we do a reboot. Is a reboot normally required?
Thanks - eric.samuelson 6 years ago
KACE should detect the key (if set correctly) after an inventory of the device and with my CIR imported. Can you double-check what happens if you set the key manually?
Regards
Timo - Timokirch 6 years ago
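An added example (not from the blog or from KACE) for the HKLM vs. HKLM64 point above: it reads the QualityCompat value from the 64-bit registry view explicitly, so the answer does not depend on whether the agent's PowerShell process is 32-bit or 64-bit. It assumes PowerShell 3.0 or later (CLR 4, where OpenBaseKey exists); the value name and expected data come from the KB4072699 article linked earlier in the comments.

```powershell
# Added example, not code from the blog or KACE. Requires PowerShell 3.0+ (CLR 4)
# for OpenBaseKey; on a PowerShell 2.0 host the equivalent check is
#   reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat /v cadca5fe-87d3-4b96-b7fb-a231484277cc /reg:64
function Test-QualityCompat {
    $keyPath   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    # Value name Microsoft's KB4072699 article defines; must be REG_DWORD 0.
    $valueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

    # HKLM\SOFTWARE is redirected to Wow6432Node for 32-bit processes, so a plain
    # HKLM: path would look at the wrong hive when run from a 32-bit agent.
    $hklm64 = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
    try {
        $key = $hklm64.OpenSubKey($keyPath)
        if ($key -eq $null) { return 'QualityCompat=missing' }
        try {
            $value = $key.GetValue($valueName, $null)
            if ($value -eq $null)  { return 'QualityCompat=key-present-value-missing' }
            if ([int]$value -ne 0) { return "QualityCompat=unexpected-value-$value" }
            return 'QualityCompat=ready'
        } finally { $key.Close() }
    } finally { $hklm64.Close() }
}

# Process bitness explains mismatches between what was written and what the
# agent later reads: 32 means the process is subject to WOW64 redirection.
'ProcessBits={0}' -f ([IntPtr]::Size * 8)
Test-QualityCompat
```

A device reporting "ready" here but not in the CIR usually means the two sides looked at different registry views, which is exactly the HKLM vs. HKLM64 mismatch described above.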
I am kind of new at using KACE and was wondering if you could give me some assistance on how to import the Spectre/Meltdown report you created on a KACE 1000?
I would like to run a report to see what machines do not have the KB files installed.
Doing some research I found the following KB files that need to be installed:
KB4056892
KB4056897
Thank you.
Jon. - Stikino 6 years ago
welcome to the KACE team :)
Importing is really easy - just follow the guidelines here: https://support.quest.com/technical-documents/kace-sma/8.0/administrator-guide/74#TOPIC-829006
If you need a special report for your listed KBs then you can reuse the SQL statement posted by chrpetri above. Here you can find a detailed guide to save this report to your appliance: https://support.quest.com/technical-documents/kace-sma/8.0/administrator-guide/191#TOPIC-829475
If there is anything unclear or help is still needed, ask your local sales rep from Quest or your local distribution partner to get in touch with us.
Best regards
Timo - Timokirch 6 years ago
Thanks for your help greatly appreciated.
Best,
Jon. - Stikino 6 years ago
I too am kind of new at using KACE, but we also have a network issue that prohibits us from turning on the Samba share. Would it be possible to share the text of this, such that I can recreate the scripts?
Thanks, Duane - Duane 6 years ago
**********************
Windows PowerShell transcript start
Start time: 20180117095621
Username :
Machine : (Microsoft Windows NT 6.1.7601 Service Pack 1)
**********************
**********************
Windows PowerShell transcript end
End time: 20180117095624
********************** - anonymous_138311 6 years ago
I'm having an issue with the script. It ran on some computers, but failed for 90% with the error message:
Running as SYSTEM
Import-Module : The 'C:\ADV180002\SpeculationControl.psd1' module cannot be imported because its manifest contains one or more members that are not valid. The valid manifest members are ('ModuleToProcess', 'NestedModules', 'GUID', 'Author', 'CompanyName', 'Copyright', 'ModuleVersion', 'Description', 'PowerShellVersion', 'PowerShellHostName', 'PowerShellHostVersion', 'CLRVersion', 'DotNetFrameworkVersion', 'ProcessorArchitecture', 'RequiredModules', 'TypesToProcess', 'FormatsToProcess', 'ScriptsToProcess', 'PrivateData', 'RequiredAssemblies', 'ModuleList', 'FileList', 'FunctionsToExport', 'VariablesToExport', 'AliasesToExport', 'CmdletsToExport'). Remove the members that are not valid ('RootModule'), then try to import the module again.
Any ideas?
Thanks! - antz96 6 years ago
I had the same error at first but found in zip file the SpeculationControl.psd1 file has a line RootModule = 'SpecuationControl.psm1'. This is a feature of newer versions of Powershell. But if you comment out and add or change the line to ModuleToProcess = 'SpeculationControl.psm1' then the script should work on machines with both older and newer versions of Powershell. - anonymous_138311 6 years ago
Thanks for the help. I made that change, but I'm still getting the same error. I make the changes in the \\k1000\client\PAYLOAD directory, correct? - antz96 6 years ago
You have to go into the script, under Dependencies, download SpeculationControl_KACE.zip. Make the change periwinkle outlined, save the SpeculationControl.psm1 file then zip the contents back up. Now back under the script delete the old SpeculationControl_KACE.zip and upload your edited one. - NateCanDo 6 years ago
sorry for the delayed answer. Thank you all very much for the information and workarounds you have shared. I will modify the script on Friday and re-upload it as a ready-to-use package.
Best Regards
Timo - Timokirch 6 years ago
Even with periwinkle's workaround, I still get most of my machines that fail while running the script. If I view the logs of the "failed" runs, however, it appears that it has run correctly, the script just doesn't write the contents to the KACE_CPU_Check.log file. Here are the contents of the script log of a "failed execution" machine:
Running as SYSTEM
Transcript started, output file is C:\Windows\Logs\KACE_CPU_Check.log
Speculation control settings for CVE-2017-5715 [branch target injection]
For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is enabled: False
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: False
Windows OS support for kernel VA shadow is enabled: False
Suggested actions
* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
* Install the latest available updates for Windows with support for speculation control mitigations.
* Follow the guidance for enabling Windows Client support for speculation control mitigations described in https://support.microsoft.com/help/4073119
BTIHardwarePresent : False
BTIWindowsSupportPresent : False
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : False
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : False
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False
Transcript stopped, output file is C:\Windows\Logs\KACE_CPU_Check.log
Creating process returned non-zero: C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\370\kace5329.bat : (0) The operation completed successfully.
Error Code: 0
Status Code: 1
Activity Log
verify - on_verify_success
verify - on_verify_failure
verify - file_unzip
Unzipping file: C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\370\SpeculationControl_KACE.zip C:\ADV180002
verify - launch_program
Launching program: 'C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\370\kace5329.bat' '' wait='true'
Debug Log
Running kbot: runkbot 370 1516640153
KBotScript::LogScriptInfo - Start
id=370 name=Meltdown & Spectre Analysis version=1516640153 type=policy
execute disconnected=false logged_off=true
execute events
KBotScript::LogScriptInfo - Finish
KBotScript::LogScriptInfo - Start
id=370 name=Meltdown & Spectre Analysis version=1516640153 type=policy
execute disconnected=false logged_off=true
execute events
KBotScript::LogScriptInfo - Finish
KBotScriptManager::CleanupDependencies - clean up dependencies in kbot directory C:\ProgramData\Dell\KACE\kbots_cache\\packages\kbots\370\
CleanupDependencies: file kace5329.bat is part of the dependency list, keep the file
CleanupDependencies: file C:\ProgramData\Dell\KACE\kbots_cache\\packages\kbots\370\kace9023.bat is no longer needed, clean it up
CleanupDependencies: file C:\ProgramData\Dell\KACE\kbots_cache\\packages\kbots\370\kace_cpu.ps1 is no longer needed, clean it up
CleanupDependencies: file C:\ProgramData\Dell\KACE\kbots_cache\\packages\kbots\370\SpeculationControl.psd1 is no longer needed, clean it up
CleanupDependencies: file C:\ProgramData\Dell\KACE\kbots_cache\\packages\kbots\370\SpeculationControl.psm1 is no longer needed, clean it up
CleanupDependencies: file SpeculationControl_KACE.zip is part of the dependency list, keep the file
runkbot ----- launching [path='C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\370' program='kace5329.bat' parms='' wait='true'] -----
And here are the contents of his KACE_CPU_Check.log:
**********************
Windows PowerShell Transcript Start
Start time: 20180122105836
Username : DOMAIN\SYSTEM
Machine : *pc name removed* (Microsoft Windows NT 6.1.7601 Service Pack 1)
**********************
**********************
Windows PowerShell Transcript End
End time: 20180122105837
********************** - NateCanDo 6 years ago
Then in the batch file I change the part that runs powershell to output to file like this:
Powershell.exe -executionpolicy RemoteSigned -Command "& C:\ADV180002\kace_cpu.ps1 > C:\Windows\Logs\KACE_CPU_Check.log"
Finally in the kace_cpu.ps1 file I removed the parts for start-transcript and stop-transcript.
The text in the log file came out looking like this. A little more condensed but the output came out correct:
Speculation control settings for CVE-2017-5715 [branch target injection]
For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is enabled: False
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: False
Windows OS support for kernel VA shadow is enabled: False
Suggested actions
* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
* Install the latest available updates for Windows with support for speculation control mitigations.
* Follow the guidance for enabling Windows Client support for speculation control mitigations described in https://support.microsoft.com/help/4073119
BTIHardwarePresent : False
BTIWindowsSupportPresent : False
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : False
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : False
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False
I'd post screenshots or upload my files but don't know how to do that here. - anonymous_138311 6 years ago
Batch file:
=====================
@echo off
cd C:\ADV180002
Powershell.exe -executionpolicy remotesigned -File C:\ADV180002\kace_cpu.ps1
set folder="C:\ADV180002"
cd /d %folder%
for /F "delims=" %%i in ('dir /b') do (rmdir "%%i" /s/q || del "%%i" /s/q)
cd C:\
IF EXIST "C:\ADV180002" (
rmdir "C:\ADV180002" /s /q
)
============================
kace_cpu.ps1:
Import-Module .\SpeculationControl.psd1
$ErrorActionPreference="SilentlyContinue"
# Stop-Transcript | out-null
$ErrorActionPreference = "Continue"
# Start-Transcript -path C:\Windows\Logs\KACE_CPU_Check.log
Get-SpeculationControlSettings
# Stop-Transcript
============================
Script Activity Log:
verify - on_verify_success
verify - on_verify_failure
verify - file_unzip
Unzipping file: C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\168\SpeculationControl_KACE.zip C:\ADV180002
verify - launch_program
Launching program: 'C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\168\kace5836.bat' '' wait='true'
==============================
Script Debug Log:
Running kbot: runkbot 168 1518213877
KBotScript::LogScriptInfo - Start
id=168 name=Meltdown & Spectre Analysis version=1518213408 type=policy
execute disconnected=false logged_off=true
execute events
KBotScript::LogScriptInfo - Finish
KBotScript::LogScriptInfo - Start
id=168 name=Meltdown & Spectre Analysis version=1518213408 type=policy
execute disconnected=false logged_off=true
execute events
KBotScript::LogScriptInfo - Finish
KBotScriptManager::CleanupDependencies - clean up dependencies in kbot directory C:\ProgramData\Dell\KACE\kbots_cache\\packages\kbots\168\
CleanupDependencies: file kace5836.bat is part of the dependency list, keep the file
CleanupDependencies: file SpeculationControl_KACE.zip is part of the dependency list, keep the file
runkbot ----- launching [path='C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\168' program='kace5836.bat' parms='' wait='true'] ----- - cbranson 6 years ago
- create a script to suspend it via powershell (or CMD)
- Apply updates
- Bitlocker should turn itself back on after BIOS updates and reboot
Does anyone know of a way to combine both Scripting and Dell Updates into one? Or do we know specifically if Dell Updates does this for us if detected? - davidgellner 6 years ago