panagenda MarvelClient and how it can help with Meltdown/Spectre
Recently a new class of vulnerabilities has been disclosed, related to “speculative execution” – a feature of modern processors that optimizes performance. These vulnerabilities allow an attacker to access the memory of other processes or the operating system, and even to reach memory locations outside of the virtual machine the attacker is running in.
Named Meltdown and Spectre, these are considered “catastrophic” by security researchers, and a flurry of OS and firmware patches has been issued to deal with them. Since this poses a challenge for IT departments, we decided to put a little something together to help you out a bit. Microsoft has released PowerShell scripts that can detect whether a machine is vulnerable or not; we’ve gone ahead and wrapped them in some code (so they are easier to use), and added them as example actions to the upcoming MarvelClient template release.
How it works
The script “run.cmd” starts the PowerShell scripts for you. As the single (mandatory) argument it takes the path to an ini file where it will put the results. This will usually be the notes.ini, so MarvelClient can use existing reporting functionality to get the information into your Analyze database.
It writes the following ini variables:
- $MC_SecChk_LastRun – the date of the scan
- $MC_SecChk_IsMeltdownVulnerable – 0 (not vulnerable), 1 (vulnerable), or empty (could not determine)
- $MC_SecChk_IsSpectreVulnerable – 0 (not vulnerable), 1 (vulnerable), or empty (could not determine)
In MarvelClient, you simply have a File Deployment action and a Run Program action, which you can generate from the example actions. From that point on you can monitor the current state in the Notes.INI views in your Analyze database.
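An added example, not part of the original post or of MarvelClient: one way to interpret the three variables above when reading a notes.ini directly, keeping "empty" (could not determine) distinct from "absent" (the scan never ran on this client). The sample file contents, the date format shown and all function names are assumptions made for illustration.

```python
# Added example: triage the $MC_SecChk_* results found in notes.ini text.
from enum import Enum

PREFIX = "$MC_SecChk_"

class Status(Enum):
    NOT_VULNERABLE = "not vulnerable"      # value 0
    VULNERABLE = "vulnerable"              # value 1
    UNDETERMINED = "could not determine"   # variable present but empty
    NOT_SCANNED = "never scanned"          # variable absent from the file

def read_secchk(ini_text):
    """Return {lower-cased short name: raw value} for every $MC_SecChk_* line."""
    found = {}
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        # Case-insensitive match is a tolerance choice made by this example.
        if sep and key.lower().startswith(PREFIX.lower()):
            found[key[len(PREFIX):].lower()] = value.strip()
    return found

def status(found, name):
    raw = found.get(name.lower())
    if raw is None:
        return Status.NOT_SCANNED
    if raw == "0":
        return Status.NOT_VULNERABLE
    if raw == "1":
        return Status.VULNERABLE
    # Empty per the post; this example also sends unexpected values here
    # so that they are never read as "not vulnerable".
    return Status.UNDETERMINED

def triage(ini_text):
    found = read_secchk(ini_text)
    result = {
        "last_run": found.get("lastrun") or None,  # kept as text, format not assumed
        "meltdown": status(found, "IsMeltdownVulnerable"),
        "spectre": status(found, "IsSpectreVulnerable"),
    }
    # Anything other than an explicit 0 still needs a look.
    result["needs_attention"] = any(
        result[k] is not Status.NOT_VULNERABLE for k in ("meltdown", "spectre"))
    return result

# Constructed sample, not taken from a real client.
SAMPLE = "[Notes]\nKitType=1\n$MC_SecChk_LastRun=2018-01-15\n" \
         "$MC_SecChk_IsMeltdownVulnerable=0\n$MC_SecChk_IsSpectreVulnerable=\n"

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, "=", value)
```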