Recently a new class of vulnerabilities has been disclosed, related to “speculative execution”, a feature of modern processors that optimizes performance. These vulnerabilities allow an attacker to read the memory of other processes or of the operating system, and even to reach memory outside of the virtual machine the attacker's code is running in.
Named Meltdown and Spectre, these are considered “catastrophic” by security researchers, and a flurry of OS and firmware patches has been issued to deal with them. Since this presents a challenge for IT departments, we decided to put a little something together to help you out a bit. Microsoft has released PowerShell scripts that can detect whether a machine is vulnerable or not; we’ve gone ahead and wrapped them in some code (so they are easier to use), and added them as example actions to the upcoming MarvelClient template release.
How it works
The script “run.cmd” starts the PowerShell scripts for you. Its single (mandatory) argument is the path to an ini file into which it writes the results. This will usually be the notes.ini, so MarvelClient can use its existing reporting functionality to get the information into your Analyze database.
It writes the following ini variables:
- $MC_SecChk_LastRun – the date of the scan
- $MC_SecChk_IsMeltdownVulnerable – 0 (not vulnerable), 1 (vulnerable), or empty (could not determine)
- $MC_SecChk_IsSpectreVulnerable – 0 (not vulnerable), 1 (vulnerable), or empty (could not determine)
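As an added example (not the run.cmd or the scripts shipped with the MarvelClient template), the following stand-alone PowerShell script reproduces the reporting contract above: it calls Microsoft's Get-SpeculationControlSettings cmdlet (SpeculationControl module) and writes the three ini variables into the ini file given as its argument. The mapping of the cmdlet's KVAShadow*/BTI* fields onto 0, 1 and empty is this example's own assumption.

```powershell
# Added example, not the scripts from the post. Assumes the SpeculationControl
# module is installed (Install-Module SpeculationControl) and that its result
# exposes the KVAShadowRequired, KVAShadowWindowsSupportEnabled and
# BTIWindowsSupportEnabled fields; the 0/1/empty mapping is an assumption.
param(
    [Parameter(Mandatory = $true)]
    [string]$IniPath   # normally the notes.ini path, as with run.cmd
)

function Get-SecChkResult {
    # Returns the three ini variables; vulnerability values are "0", "1" or "".
    $result = @{
        '$MC_SecChk_LastRun'              = (Get-Date -Format 'yyyy-MM-dd HH:mm:ss')
        '$MC_SecChk_IsMeltdownVulnerable' = ''
        '$MC_SecChk_IsSpectreVulnerable'  = ''
    }
    try {
        $s = Get-SpeculationControlSettings -ErrorAction Stop
        # Meltdown: CPUs that need kernel VA shadowing must have it enabled.
        if (-not $s.KVAShadowRequired -or $s.KVAShadowWindowsSupportEnabled) {
            $result['$MC_SecChk_IsMeltdownVulnerable'] = '0'
        } else {
            $result['$MC_SecChk_IsMeltdownVulnerable'] = '1'
        }
        # Spectre (branch target injection): OS mitigation must be enabled.
        $result['$MC_SecChk_IsSpectreVulnerable'] = if ($s.BTIWindowsSupportEnabled) { '0' } else { '1' }
    } catch {
        # Module missing or cmdlet failed: both flags stay empty ("could not determine").
        Write-Warning "Could not evaluate speculation control settings: $_"
    }
    return $result
}

function Write-IniValues([string]$Path, [hashtable]$Values) {
    # Replace existing key=value lines in place, append the remaining keys at the end.
    $lines   = if (Test-Path $Path) { @(Get-Content -Path $Path) } else { @() }
    $pending = $Values.Clone()
    $out = @(foreach ($line in $lines) {
        $key = ($line -split '=', 2)[0]
        if ($pending.ContainsKey($key)) { "$key=$($pending[$key])"; $pending.Remove($key) }
        else { $line }
    })
    $out += @(foreach ($k in $pending.Keys) { "$k=$($pending[$k])" })
    # Write with the system ANSI code page so an existing notes.ini is not re-encoded.
    [System.IO.File]::WriteAllLines($Path, [string[]]$out, [System.Text.Encoding]::Default)
}

Write-IniValues -Path $IniPath -Values (Get-SecChkResult)
```

Run it as `powershell -ExecutionPolicy Bypass -File .\secchk.ps1 "<path to notes.ini>"`; a machine where the cmdlet cannot run ends up with an empty value for both vulnerability flags, matching the “could not determine” case above.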
In MarvelClient, you simply have a File Deployment action and a Run Program action, which you can generate from the example actions. From that point on you can monitor the current state in the Notes.INI views in your Analyze database.
Can’t wait for the next MarvelClient template release?
If you are curious, want to do it right now, and/or don’t have MarvelClient, here are the files needed and how you can use them:
(download the archive to your machine and unzip it)
After downloading the files do the following in MarvelClient:
1) Create a new File Deployment action
- Disable it
- Give it a title
- Set it to run “After Login”
- Click the “+”-sign in the first line and select all 4 files you have downloaded and unzipped
- Set the Target to:
- Save it
2) Create a new Run Program action
- Disable it
- Give it a title
- Make sure only the Runtype “After login” is selected.
- Set the Programpath to:
- Set the Parameters to:
/c""<mc:working_directory>\meltdown_spectre\run.cmd" "<notes:notes_ini_path>" /s/q"
- Set Action to “Open”
- Set Visibility to “Invisible”
- Set Wait to “Do not wait for program to finish”
- Save it
3) Limit the actions: When
- Go to the When tab in both actions
- The File Deployment action should run “Once only” and should “Keep local exec. info”
- The Run Program action can have any “Repeat?” setting – if you want to monitor deployment of your patches over time, “Once a day only” would be the best choice, for a one-time inventory “Once only” would be appropriate.
- Limit both actions with conditions if you want to (but both should have the same conditions)
4) Limit the actions: Who
- Go to the Who tab in both actions
- Limit both to users/groups (make sure both have the same settings here)
- It would be a good idea to test them first, so limit the actions to the test user(s)
5) Enable the actions
- Review the settings and check their correctness
- Enable both actions
The check will now run during Notes Client startup and will report its findings into the notes.ini. If you have configured a backup action that uploads the notes.ini, you can find the results in the Analyze database in the view “Notes.INI\by Notes.INI Entry”.
Of course, feel free to change the directory where you put the files (make sure to change it in both actions), or run the actions with different runtypes.
From a command prompt, navigate to the directory where you put the 4 files, and then simply use the following line:
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.