Security-Bug: Meltdown and Spectre: Unterschied zwischen den Versionen

Aus Wiki-WebPerfect
Wechseln zu: Navigation, Suche
 
(8 dazwischenliegende Versionen des gleichen Benutzers werden nicht angezeigt)
Zeile 1: Zeile 1:
=== Information ===
+
== Information ==
BTI is Branch Target Injection as described in CVE-2017-5715[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715] alias Spectre[https://spectreattack.com/].
+
''Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.''
KVA checks OS mitigation against CVE-2017-5754[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754] alias Meltdown[https://spectreattack.com/]
+
  
 +
''Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.''
  
 +
=== Meltdown ===
 +
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. <br>
 +
If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are software patches against Meltdown.
  
 +
=== Spectre ===
 +
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre. <br>
 +
Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.
  
=== PowerShell Check Function (Version 1.0.2) ===
+
 
 +
 
 +
'''BTI''' is Branch Target Injection as described in CVE-2017-5715[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715] alias Spectre[https://spectreattack.com/]. <br>
 +
'''KVA''' checks OS mitigation against CVE-2017-5754[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754] alias Meltdown[https://spectreattack.com/] <br>
 +
 
 +
 
 +
 
 +
 
 +
== PowerShell Check Function (Version 1.0.8) ==
 +
'''Information'''
 
  BTIHardwarePresent is true if the Hardware supports a mitigation. Check for BIOS/firmware updates provided by your device OEM.
 
  BTIHardwarePresent is true if the Hardware supports a mitigation. Check for BIOS/firmware updates provided by your device OEM.
 
  BTIWindowsSupportPresent is true if the required Windows security update is installed.
 
  BTIWindowsSupportPresent is true if the required Windows security update is installed.
Zeile 22: Zeile 37:
 
   This function queries the speculation control settings for the system.
 
   This function queries the speculation control settings for the system.
  
   Version 1.3.
+
   .PARAMETER Quiet
 +
  This parameter suppresses host output that is displayed by default.
 
    
 
    
 
   #>
 
   #>
Zeile 28: Zeile 44:
 
   [CmdletBinding()]
 
   [CmdletBinding()]
 
   param (
 
   param (
 
+
    [switch]$Quiet
 
   )
 
   )
 
    
 
    
Zeile 47: Zeile 63:
  
 
     try {
 
     try {
   
+
 
 +
        $cpu = Get-WmiObject Win32_Processor
 +
 
 +
        if ($cpu -is [array]) {
 +
            $cpu = $cpu[0]
 +
        }
 +
 
 +
        $manufacturer = $cpu.Manufacturer
 +
 
         #
 
         #
 
         # Query branch target injection information.
 
         # Query branch target injection information.
 
         #
 
         #
  
         Write-Host "Speculation control settings for CVE-2017-5715 [branch target injection]" -ForegroundColor Cyan
+
         if ($Quiet -ne $true) {
        Write-Host
+
       
 +
            Write-Host "Speculation control settings for CVE-2017-5715 [branch target injection]" -ForegroundColor Cyan
 +
            Write-Host "For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629" -ForegroundColor Cyan
 +
 
 +
            if ($manufacturer -eq "AuthenticAMD") {
 +
                Write-Host "AMD CPU detected: mitigations for branch target injection on AMD CPUs have additional registry settings for this mitigation, please refer to FAQ #15 at https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180002" -ForegroundColor Cyan
 +
            }
 +
 
 +
            Write-Host
 +
        }
  
 
         $btiHardwarePresent = $false
 
         $btiHardwarePresent = $false
Zeile 60: Zeile 93:
 
         $btiDisabledBySystemPolicy = $false
 
         $btiDisabledBySystemPolicy = $false
 
         $btiDisabledByNoHardwareSupport = $false
 
         $btiDisabledByNoHardwareSupport = $false
 +
 +
        $ssbdAvailable = $false
 +
        $ssbdHardwarePresent = $false
 +
        $ssbdSystemWide = $false
 +
        $ssbdRequired = $null
 
      
 
      
 
         [System.UInt32]$systemInformationClass = 201
 
         [System.UInt32]$systemInformationClass = 201
Zeile 82: Zeile 120:
 
             [System.UInt32]$scfHwMode2Present = 0x40
 
             [System.UInt32]$scfHwMode2Present = 0x40
 
             [System.UInt32]$scfSmepPresent = 0x80
 
             [System.UInt32]$scfSmepPresent = 0x80
 +
 +
            [System.UInt32]$scfSsbdAvailable = 0x100
 +
            [System.UInt32]$scfSsbdSupported = 0x200
 +
            [System.UInt32]$scfSsbdSystemWide = 0x400
 +
            [System.UInt32]$scfSsbdRequired = 0x1000
  
 
             [System.UInt32]$flags = [System.UInt32][System.Runtime.InteropServices.Marshal]::ReadInt32($systemInformationPtr)
 
             [System.UInt32]$flags = [System.UInt32][System.Runtime.InteropServices.Marshal]::ReadInt32($systemInformationPtr)
Zeile 94: Zeile 137:
 
             }
 
             }
  
             if ($PSBoundParameters['Verbose']) {
+
            $ssbdAvailable = (($flags -band $scfSsbdAvailable) -ne 0)
 +
 
 +
            if ($ssbdAvailable -eq $true) {
 +
                $ssbdHardwarePresent = (($flags -band $scfSsbdSupported) -ne 0)
 +
                $ssbdSystemWide = (($flags -band $scfSsbdSystemWide) -ne 0)
 +
                $ssbdRequired = (($flags -band $scfSsbdRequired) -ne 0)
 +
            }
 +
 
 +
             if ($Quiet -ne $true -and $PSBoundParameters['Verbose']) {
 
                 Write-Host "BpbEnabled                  :" (($flags -band $scfBpbEnabled) -ne 0)
 
                 Write-Host "BpbEnabled                  :" (($flags -band $scfBpbEnabled) -ne 0)
 
                 Write-Host "BpbDisabledSystemPolicy      :" (($flags -band $scfBpbDisabledSystemPolicy) -ne 0)
 
                 Write-Host "BpbDisabledSystemPolicy      :" (($flags -band $scfBpbDisabledSystemPolicy) -ne 0)
Zeile 103: Zeile 154:
 
                 Write-Host "HwMode2Present              :" (($flags -band $scfHwMode2Present) -ne 0)
 
                 Write-Host "HwMode2Present              :" (($flags -band $scfHwMode2Present) -ne 0)
 
                 Write-Host "SmepPresent                  :" (($flags -band $scfSmepPresent) -ne 0)
 
                 Write-Host "SmepPresent                  :" (($flags -band $scfSmepPresent) -ne 0)
 +
                Write-Host "SsbdAvailable                :" (($flags -band $scfSsbdAvailable) -ne 0)
 +
                Write-Host "SsbdSupported                :" (($flags -band $scfSsbdSupported) -ne 0)
 +
                Write-Host "SsbdSystemWide              :" (($flags -band $scfSsbdSystemWide) -ne 0)
 +
                Write-Host "SsbdRequired                :" (($flags -band $scfSsbdRequired) -ne 0)
 
             }
 
             }
 
         }
 
         }
  
         Write-Host "Hardware support for branch target injection mitigation is present:"($btiHardwarePresent) -ForegroundColor $(If ($btiHardwarePresent) { [System.ConsoleColor]::Green } Else { [System.ConsoleColor]::Red })
+
         if ($Quiet -ne $true) {
        Write-Host "Windows OS support for branch target injection mitigation is present:"($btiWindowsSupportPresent) -ForegroundColor $(If ($btiWindowsSupportPresent) { [System.ConsoleColor]::Green } Else { [System.ConsoleColor]::Red })
+
            Write-Host "Hardware support for branch target injection mitigation is present:"($btiHardwarePresent)
        Write-Host "Windows OS support for branch target injection mitigation is enabled:"($btiWindowsSupportEnabled) -ForegroundColor $(If ($btiWindowsSupportEnabled) { [System.ConsoleColor]::Green } Else { [System.ConsoleColor]::Red })
+
            Write-Host "Windows OS support for branch target injection mitigation is present:"($btiWindowsSupportPresent)
 +
            Write-Host "Windows OS support for branch target injection mitigation is enabled:"($btiWindowsSupportEnabled)
 
    
 
    
        if ($btiWindowsSupportPresent -eq $true -and $btiWindowsSupportEnabled -eq $false) {
+
            if ($btiWindowsSupportPresent -eq $true -and $btiWindowsSupportEnabled -eq $false) {
            Write-Host -ForegroundColor Red "Windows OS support for branch target injection mitigation is disabled by system policy:"($btiDisabledBySystemPolicy)
+
                Write-Host -ForegroundColor Red "Windows OS support for branch target injection mitigation is disabled by system policy:"($btiDisabledBySystemPolicy)
            Write-Host -ForegroundColor Red "Windows OS support for branch target injection mitigation is disabled by absence of hardware support:"($btiDisabledByNoHardwareSupport)
+
                Write-Host -ForegroundColor Red "Windows OS support for branch target injection mitigation is disabled by absence of hardware support:"($btiDisabledByNoHardwareSupport)
 +
            }
 
         }
 
         }
 
          
 
          
Zeile 124: Zeile 181:
 
         # Query kernel VA shadow information.
 
         # Query kernel VA shadow information.
 
         #
 
         #
 
+
       
         Write-Host
+
         if ($Quiet -ne $true) {
        Write-Host "Speculation control settings for CVE-2017-5754 [rogue data cache load]" -ForegroundColor Cyan
+
            Write-Host
        Write-Host     
+
            Write-Host "Speculation control settings for CVE-2017-5754 [rogue data cache load]" -ForegroundColor Cyan
 +
            Write-Host     
 +
        }
  
 
         $kvaShadowRequired = $true
 
         $kvaShadowRequired = $true
Zeile 133: Zeile 192:
 
         $kvaShadowEnabled = $false
 
         $kvaShadowEnabled = $false
 
         $kvaShadowPcidEnabled = $false
 
         $kvaShadowPcidEnabled = $false
 
        $cpu = Get-WmiObject Win32_Processor
 
 
        if ($cpu.Manufacturer -eq "AuthenticAMD") {
 
            $kvaShadowRequired = $false
 
        }
 
        elseif ($cpu.Manufacturer -eq "GenuineIntel") {
 
            $regex = [regex]'Family (\d+) Model (\d+) Stepping (\d+)'
 
            $result = $regex.Match($cpu.Description)
 
           
 
            if ($result.Success) {
 
                $family = [System.UInt32]$result.Groups[1].Value
 
                $model = [System.UInt32]$result.Groups[2].Value
 
                $stepping = [System.UInt32]$result.Groups[3].Value
 
               
 
                if (($family -eq 0x6) -and
 
                    (($model -eq 0x1c) -or
 
                    ($model -eq 0x26) -or
 
                    ($model -eq 0x27) -or
 
                    ($model -eq 0x36) -or
 
                    ($model -eq 0x35))) {
 
 
                    $kvaShadowRequired = $false
 
                }
 
            }
 
        }
 
        else {
 
            throw ("Unsupported processor manufacturer: {0}" -f $cpu.Manufacturer)
 
        }
 
  
 
         [System.UInt32]$systemInformationClass = 196
 
         [System.UInt32]$systemInformationClass = 196
Zeile 179: Zeile 209:
 
             [System.UInt32]$kvaShadowPcidFlag = 0x04
 
             [System.UInt32]$kvaShadowPcidFlag = 0x04
 
             [System.UInt32]$kvaShadowInvpcidFlag = 0x08
 
             [System.UInt32]$kvaShadowInvpcidFlag = 0x08
 +
            [System.UInt32]$kvaShadowRequiredFlag = 0x10
 +
            [System.UInt32]$kvaShadowRequiredAvailableFlag = 0x20
  
 
             [System.UInt32]$flags = [System.UInt32][System.Runtime.InteropServices.Marshal]::ReadInt32($systemInformationPtr)
 
             [System.UInt32]$flags = [System.UInt32][System.Runtime.InteropServices.Marshal]::ReadInt32($systemInformationPtr)
Zeile 185: Zeile 217:
 
             $kvaShadowEnabled = (($flags -band $kvaShadowEnabledFlag) -ne 0)
 
             $kvaShadowEnabled = (($flags -band $kvaShadowEnabledFlag) -ne 0)
 
             $kvaShadowPcidEnabled = ((($flags -band $kvaShadowPcidFlag) -ne 0) -and (($flags -band $kvaShadowInvpcidFlag) -ne 0))
 
             $kvaShadowPcidEnabled = ((($flags -band $kvaShadowPcidFlag) -ne 0) -and (($flags -band $kvaShadowInvpcidFlag) -ne 0))
 +
           
 +
            if (($flags -band $kvaShadowRequiredAvailableFlag) -ne 0) {
 +
                $kvaShadowRequired = (($flags -band $kvaShadowRequiredFlag) -ne 0)
 +
            }
 +
            else {
  
             if ($PSBoundParameters['Verbose']) {
+
                if ($manufacturer -eq "AuthenticAMD") {
 +
                    $kvaShadowRequired = $false
 +
                }
 +
                elseif ($manufacturer -eq "GenuineIntel") {
 +
                    $regex = [regex]'Family (\d+) Model (\d+) Stepping (\d+)'
 +
                    $result = $regex.Match($cpu.Description)
 +
           
 +
                    if ($result.Success) {
 +
                        $family = [System.UInt32]$result.Groups[1].Value
 +
                        $model = [System.UInt32]$result.Groups[2].Value
 +
                        $stepping = [System.UInt32]$result.Groups[3].Value
 +
               
 +
                        if (($family -eq 0x6) -and
 +
                            (($model -eq 0x1c) -or
 +
                            ($model -eq 0x26) -or
 +
                            ($model -eq 0x27) -or
 +
                            ($model -eq 0x36) -or
 +
                            ($model -eq 0x35))) {
 +
 
 +
                            $kvaShadowRequired = $false
 +
                        }
 +
                    }
 +
                }
 +
                else {
 +
                    throw ("Unsupported processor manufacturer: {0}" -f $manufacturer)
 +
                }
 +
            }
 +
 
 +
             if ($Quiet -ne $true -and $PSBoundParameters['Verbose']) {
 
                 Write-Host "KvaShadowEnabled            :" (($flags -band $kvaShadowEnabledFlag) -ne 0)
 
                 Write-Host "KvaShadowEnabled            :" (($flags -band $kvaShadowEnabledFlag) -ne 0)
 
                 Write-Host "KvaShadowUserGlobal          :" (($flags -band $kvaShadowUserGlobalFlag) -ne 0)
 
                 Write-Host "KvaShadowUserGlobal          :" (($flags -band $kvaShadowUserGlobalFlag) -ne 0)
 
                 Write-Host "KvaShadowPcid                :" (($flags -band $kvaShadowPcidFlag) -ne 0)
 
                 Write-Host "KvaShadowPcid                :" (($flags -band $kvaShadowPcidFlag) -ne 0)
 
                 Write-Host "KvaShadowInvpcid            :" (($flags -band $kvaShadowInvpcidFlag) -ne 0)
 
                 Write-Host "KvaShadowInvpcid            :" (($flags -band $kvaShadowInvpcidFlag) -ne 0)
 +
                Write-Host "KvaShadowRequired            :" $kvaShadowRequired
 +
                Write-Host "KvaShadowRequiredAvailable  :" (($flags -band $kvaShadowRequiredAvailableFlag) -ne 0)
 
             }
 
             }
 
         }
 
         }
 
          
 
          
         Write-Host "Hardware requires kernel VA shadowing:"$kvaShadowRequired
+
         if ($Quiet -ne $true) {
 +
            Write-Host "Hardware requires kernel VA shadowing:"$kvaShadowRequired
  
        if ($kvaShadowRequired) {
+
            if ($kvaShadowRequired) {
  
            Write-Host "Windows OS support for kernel VA shadow is present:"$kvaShadowPresent -ForegroundColor $(If ($kvaShadowPresent) { [System.ConsoleColor]::Green } Else { [System.ConsoleColor]::Red })
+
                Write-Host "Windows OS support for kernel VA shadow is present:"$kvaShadowPresent
            Write-Host "Windows OS support for kernel VA shadow is enabled:"$kvaShadowEnabled -ForegroundColor $(If ($kvaShadowEnabled) { [System.ConsoleColor]::Green } Else { [System.ConsoleColor]::Red })
+
                Write-Host "Windows OS support for kernel VA shadow is enabled:"$kvaShadowEnabled
  
            if ($kvaShadowEnabled) {
+
                if ($kvaShadowEnabled) {
                Write-Host "Windows OS support for PCID performance optimization is enabled: $kvaShadowPcidEnabled [not required for security]" -ForegroundColor $(If ($kvaShadowPcidEnabled) { [System.ConsoleColor]::Green } Else { [System.ConsoleColor]::Blue })
+
                    Write-Host "Windows OS support for PCID performance optimization is enabled: $kvaShadowPcidEnabled [not required for security]"
 +
                }
 
             }
 
             }
 
         }
 
         }
 
 
          
 
          
 
         $object | Add-Member -MemberType NoteProperty -Name KVAShadowRequired -Value $kvaShadowRequired
 
         $object | Add-Member -MemberType NoteProperty -Name KVAShadowRequired -Value $kvaShadowRequired
Zeile 211: Zeile 279:
 
         $object | Add-Member -MemberType NoteProperty -Name KVAShadowWindowsSupportEnabled -Value $kvaShadowEnabled
 
         $object | Add-Member -MemberType NoteProperty -Name KVAShadowWindowsSupportEnabled -Value $kvaShadowEnabled
 
         $object | Add-Member -MemberType NoteProperty -Name KVAShadowPcidEnabled -Value $kvaShadowPcidEnabled
 
         $object | Add-Member -MemberType NoteProperty -Name KVAShadowPcidEnabled -Value $kvaShadowPcidEnabled
 +
 +
        #
 +
        # Speculation Control Settings for CVE-2018-3639 (Speculative Store Bypass)
 +
        #
 +
       
 +
        if ($Quiet -ne $true) {
 +
            Write-Host
 +
            Write-Host "Speculation control settings for CVE-2018-3639 [speculative store bypass]" -ForegroundColor Cyan
 +
            Write-Host   
 +
        }
 +
       
 +
        if ($Quiet -ne $true) {
 +
            if (($ssbdAvailable -eq $true)) {
 +
                Write-Host "Hardware is vulnerable to speculative store bypass:"$ssbdRequired
 +
                if ($ssbdRequired -eq $true) {
 +
                    Write-Host "Hardware support for speculative store bypass mitigation is present:"$ssbdHardwarePresent
 +
                    Write-Host "Windows OS support for speculative store bypass mitigation is present:"$ssbdAvailable
 +
                    Write-Host "Windows OS support for speculative store bypass mitigation is enabled system-wide:"$ssbdSystemWide
 +
                }
 +
            }
 +
            else {
 +
                Write-Host "Windows OS support for speculative store bypass mitigation is present:"$ssbdAvailable
 +
            }
 +
        }
 +
 +
        $object | Add-Member -MemberType NoteProperty -Name SSBDWindowsSupportPresent -Value $ssbdAvailable
 +
        $object | Add-Member -MemberType NoteProperty -Name SSBDHardwareVulnerable -Value $ssbdRequired
 +
        $object | Add-Member -MemberType NoteProperty -Name SSBDHardwarePresent -Value $ssbdHardwarePresent
 +
        $object | Add-Member -MemberType NoteProperty -Name SSBDWindowsSupportEnabledSystemWide -Value $ssbdSystemWide
  
 
         #
 
         #
Zeile 222: Zeile 319:
 
         }
 
         }
  
         if ($btiWindowsSupportPresent -eq $false -or $kvaShadowPresent -eq $false) {
+
         if (($btiWindowsSupportPresent -eq $false) -or  
 +
            ($kvaShadowPresent -eq $false) -or
 +
            ($ssbdAvailable -eq $false)) {
 
             $actions += "Install the latest available updates for Windows with support for speculation control mitigations."
 
             $actions += "Install the latest available updates for Windows with support for speculation control mitigations."
 
         }
 
         }
Zeile 247: Zeile 346:
 
         }
 
         }
  
         if ($actions.Length -gt 0) {
+
         if ($Quiet -ne $true -and $actions.Length -gt 0) {
  
 
             Write-Host
 
             Write-Host
Zeile 257: Zeile 356:
 
             }
 
             }
 
         }
 
         }
 
  
 
         return $object
 
         return $object
Zeile 280: Zeile 378:
  
  
'''Source:'''
+
'''More Information:'''
 +
*https://spectreattack.com
 +
*https://support.microsoft.com/de-ch/help/4074629/understanding-the-output-of-get-speculationcontrolsettings-powershell
 
*https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in
 
*https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in
 
*https://www.powershellgallery.com/packages/SpeculationControl/1.0.2
 
*https://www.powershellgallery.com/packages/SpeculationControl/1.0.2
Zeile 289: Zeile 389:
  
  
 
+
[[Kategorie:Allgemein]]
 
[[Kategorie:PowerShell]]
 
[[Kategorie:PowerShell]]

Aktuelle Version vom 25. Juli 2018, 10:32 Uhr

Information

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.

Meltdown

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are software patches against Meltdown.

Spectre

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.


BTI is Branch Target Injection as described in CVE-2017-5715[1] alias Spectre[2].
KVA checks OS mitigation against CVE-2017-5754[3] alias Meltdown[4]



PowerShell Check Function (Version 1.0.8)

Information

BTIHardwarePresent is true if the Hardware supports a mitigation. Check for BIOS/firmware updates provided by your device OEM.
BTIWindowsSupportPresent is true if the required Windows security update is installed.
BTIWindowsSupportEnabled is true the Branch Target Injection mitigation is effective.


function Get-SpeculationControlSettings {
  <#
 
  .SYNOPSIS
  This function queries the speculation control settings for the system.
 
  .DESCRIPTION
  This function queries the speculation control settings for the system.
 
  .PARAMETER Quiet
  This parameter suppresses host output that is displayed by default.
 
  #>
 
  [CmdletBinding()]
  param (
    [switch]$Quiet
  )
 
  process {
 
    $NtQSIDefinition = @'
    [DllImport("ntdll.dll")]
    public static extern int NtQuerySystemInformation(uint systemInformationClass, IntPtr systemInformation, uint systemInformationLength, IntPtr returnLength);
'@
 
    $ntdll = Add-Type -MemberDefinition $NtQSIDefinition -Name 'ntdll' -Namespace 'Win32' -PassThru
 
 
    [System.IntPtr]$systemInformationPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(4)
    [System.IntPtr]$returnLengthPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(4)
 
    $object = New-Object -TypeName PSObject
 
    try {
 
        $cpu = Get-WmiObject Win32_Processor
 
        if ($cpu -is [array]) {
            $cpu = $cpu[0]
        }
 
        $manufacturer = $cpu.Manufacturer
 
        #
        # Query branch target injection information.
        #
 
        if ($Quiet -ne $true) {
 
            Write-Host "Speculation control settings for CVE-2017-5715 [branch target injection]" -ForegroundColor Cyan
            Write-Host "For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629" -ForegroundColor Cyan
 
            if ($manufacturer -eq "AuthenticAMD") {
                Write-Host "AMD CPU detected: mitigations for branch target injection on AMD CPUs have additional registry settings for this mitigation, please refer to FAQ #15 at https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180002" -ForegroundColor Cyan
            }
 
            Write-Host
        }
 
        $btiHardwarePresent = $false
        $btiWindowsSupportPresent = $false
        $btiWindowsSupportEnabled = $false
        $btiDisabledBySystemPolicy = $false
        $btiDisabledByNoHardwareSupport = $false
 
        $ssbdAvailable = $false
        $ssbdHardwarePresent = $false
        $ssbdSystemWide = $false
        $ssbdRequired = $null
 
        [System.UInt32]$systemInformationClass = 201
        [System.UInt32]$systemInformationLength = 4
 
        $retval = $ntdll::NtQuerySystemInformation($systemInformationClass, $systemInformationPtr, $systemInformationLength, $returnLengthPtr)
 
        if ($retval -eq 0xc0000003 -or $retval -eq 0xc0000002) {
            # fallthrough
        }
        elseif ($retval -ne 0) {
            throw (("Querying branch target injection information failed with error {0:X8}" -f $retval))
        }
        else {
 
            [System.UInt32]$scfBpbEnabled = 0x01
            [System.UInt32]$scfBpbDisabledSystemPolicy = 0x02
            [System.UInt32]$scfBpbDisabledNoHardwareSupport = 0x04
            [System.UInt32]$scfHwReg1Enumerated = 0x08
            [System.UInt32]$scfHwReg2Enumerated = 0x10
            [System.UInt32]$scfHwMode1Present = 0x20
            [System.UInt32]$scfHwMode2Present = 0x40
            [System.UInt32]$scfSmepPresent = 0x80
 
            [System.UInt32]$scfSsbdAvailable = 0x100
            [System.UInt32]$scfSsbdSupported = 0x200
            [System.UInt32]$scfSsbdSystemWide = 0x400
            [System.UInt32]$scfSsbdRequired = 0x1000
 
            [System.UInt32]$flags = [System.UInt32][System.Runtime.InteropServices.Marshal]::ReadInt32($systemInformationPtr)
 
            $btiHardwarePresent = ((($flags -band $scfHwReg1Enumerated) -ne 0) -or (($flags -band $scfHwReg2Enumerated)))
            $btiWindowsSupportPresent = $true
            $btiWindowsSupportEnabled = (($flags -band $scfBpbEnabled) -ne 0)
 
            if ($btiWindowsSupportEnabled -eq $false) {
                $btiDisabledBySystemPolicy = (($flags -band $scfBpbDisabledSystemPolicy) -ne 0)
                $btiDisabledByNoHardwareSupport = (($flags -band $scfBpbDisabledNoHardwareSupport) -ne 0)
            }
 
            $ssbdAvailable = (($flags -band $scfSsbdAvailable) -ne 0)
 
            if ($ssbdAvailable -eq $true) {
                $ssbdHardwarePresent = (($flags -band $scfSsbdSupported) -ne 0)
                $ssbdSystemWide = (($flags -band $scfSsbdSystemWide) -ne 0)
                $ssbdRequired = (($flags -band $scfSsbdRequired) -ne 0)
            }
 
            if ($Quiet -ne $true -and $PSBoundParameters['Verbose']) {
                Write-Host "BpbEnabled                   :" (($flags -band $scfBpbEnabled) -ne 0)
                Write-Host "BpbDisabledSystemPolicy      :" (($flags -band $scfBpbDisabledSystemPolicy) -ne 0)
                Write-Host "BpbDisabledNoHardwareSupport :" (($flags -band $scfBpbDisabledNoHardwareSupport) -ne 0)
                Write-Host "HwReg1Enumerated             :" (($flags -band $scfHwReg1Enumerated) -ne 0)
                Write-Host "HwReg2Enumerated             :" (($flags -band $scfHwReg2Enumerated) -ne 0)
                Write-Host "HwMode1Present               :" (($flags -band $scfHwMode1Present) -ne 0)
                Write-Host "HwMode2Present               :" (($flags -band $scfHwMode2Present) -ne 0)
                Write-Host "SmepPresent                  :" (($flags -band $scfSmepPresent) -ne 0)
                Write-Host "SsbdAvailable                :" (($flags -band $scfSsbdAvailable) -ne 0)
                Write-Host "SsbdSupported                :" (($flags -band $scfSsbdSupported) -ne 0)
                Write-Host "SsbdSystemWide               :" (($flags -band $scfSsbdSystemWide) -ne 0)
                Write-Host "SsbdRequired                 :" (($flags -band $scfSsbdRequired) -ne 0)
            }
        }
 
        if ($Quiet -ne $true) {
            Write-Host "Hardware support for branch target injection mitigation is present:"($btiHardwarePresent)
            Write-Host "Windows OS support for branch target injection mitigation is present:"($btiWindowsSupportPresent)
            Write-Host "Windows OS support for branch target injection mitigation is enabled:"($btiWindowsSupportEnabled)
 
            if ($btiWindowsSupportPresent -eq $true -and $btiWindowsSupportEnabled -eq $false) {
                Write-Host -ForegroundColor Red "Windows OS support for branch target injection mitigation is disabled by system policy:"($btiDisabledBySystemPolicy)
                Write-Host -ForegroundColor Red "Windows OS support for branch target injection mitigation is disabled by absence of hardware support:"($btiDisabledByNoHardwareSupport)
            }
        }
 
        $object | Add-Member -MemberType NoteProperty -Name BTIHardwarePresent -Value $btiHardwarePresent
        $object | Add-Member -MemberType NoteProperty -Name BTIWindowsSupportPresent -Value $btiWindowsSupportPresent
        $object | Add-Member -MemberType NoteProperty -Name BTIWindowsSupportEnabled -Value $btiWindowsSupportEnabled
        $object | Add-Member -MemberType NoteProperty -Name BTIDisabledBySystemPolicy -Value $btiDisabledBySystemPolicy
        $object | Add-Member -MemberType NoteProperty -Name BTIDisabledByNoHardwareSupport -Value $btiDisabledByNoHardwareSupport
 
        #
        # Query kernel VA shadow information.
        #
 
        if ($Quiet -ne $true) {
            Write-Host
            Write-Host "Speculation control settings for CVE-2017-5754 [rogue data cache load]" -ForegroundColor Cyan
            Write-Host    
        }
 
        $kvaShadowRequired = $true
        $kvaShadowPresent = $false
        $kvaShadowEnabled = $false
        $kvaShadowPcidEnabled = $false
 
        [System.UInt32]$systemInformationClass = 196
        [System.UInt32]$systemInformationLength = 4
 
        $retval = $ntdll::NtQuerySystemInformation($systemInformationClass, $systemInformationPtr, $systemInformationLength, $returnLengthPtr)
 
        if ($retval -eq 0xc0000003 -or $retval -eq 0xc0000002) {
        }
        elseif ($retval -ne 0) {
            throw (("Querying kernel VA shadow information failed with error {0:X8}" -f $retval))
        }
        else {
 
            [System.UInt32]$kvaShadowEnabledFlag = 0x01
            [System.UInt32]$kvaShadowUserGlobalFlag = 0x02
            [System.UInt32]$kvaShadowPcidFlag = 0x04
            [System.UInt32]$kvaShadowInvpcidFlag = 0x08
            [System.UInt32]$kvaShadowRequiredFlag = 0x10
            [System.UInt32]$kvaShadowRequiredAvailableFlag = 0x20
 
            [System.UInt32]$flags = [System.UInt32][System.Runtime.InteropServices.Marshal]::ReadInt32($systemInformationPtr)
 
            $kvaShadowPresent = $true
            $kvaShadowEnabled = (($flags -band $kvaShadowEnabledFlag) -ne 0)
            $kvaShadowPcidEnabled = ((($flags -band $kvaShadowPcidFlag) -ne 0) -and (($flags -band $kvaShadowInvpcidFlag) -ne 0))
 
            if (($flags -band $kvaShadowRequiredAvailableFlag) -ne 0) {
                $kvaShadowRequired = (($flags -band $kvaShadowRequiredFlag) -ne 0)
            }
            else {
 
                if ($manufacturer -eq "AuthenticAMD") {
                    $kvaShadowRequired = $false
                }
                elseif ($manufacturer -eq "GenuineIntel") {
                    $regex = [regex]'Family (\d+) Model (\d+) Stepping (\d+)'
                    $result = $regex.Match($cpu.Description)
 
                    if ($result.Success) {
                        $family = [System.UInt32]$result.Groups[1].Value
                        $model = [System.UInt32]$result.Groups[2].Value
                        $stepping = [System.UInt32]$result.Groups[3].Value
 
                        if (($family -eq 0x6) -and 
                            (($model -eq 0x1c) -or
                             ($model -eq 0x26) -or
                             ($model -eq 0x27) -or
                             ($model -eq 0x36) -or
                             ($model -eq 0x35))) {
 
                            $kvaShadowRequired = $false
                        }
                    }
                }
                else {
                    throw ("Unsupported processor manufacturer: {0}" -f $manufacturer)
                }
            }
 
            if ($Quiet -ne $true -and $PSBoundParameters['Verbose']) {
                Write-Host "KvaShadowEnabled             :" (($flags -band $kvaShadowEnabledFlag) -ne 0)
                Write-Host "KvaShadowUserGlobal          :" (($flags -band $kvaShadowUserGlobalFlag) -ne 0)
                Write-Host "KvaShadowPcid                :" (($flags -band $kvaShadowPcidFlag) -ne 0)
                Write-Host "KvaShadowInvpcid             :" (($flags -band $kvaShadowInvpcidFlag) -ne 0)
                Write-Host "KvaShadowRequired            :" $kvaShadowRequired
                Write-Host "KvaShadowRequiredAvailable   :" (($flags -band $kvaShadowRequiredAvailableFlag) -ne 0)
            }
        }
 
        if ($Quiet -ne $true) {
            Write-Host "Hardware requires kernel VA shadowing:"$kvaShadowRequired
 
            if ($kvaShadowRequired) {
 
                Write-Host "Windows OS support for kernel VA shadow is present:"$kvaShadowPresent
                Write-Host "Windows OS support for kernel VA shadow is enabled:"$kvaShadowEnabled
 
                if ($kvaShadowEnabled) {
                    Write-Host "Windows OS support for PCID performance optimization is enabled: $kvaShadowPcidEnabled [not required for security]"
                }
            }
        }
 
        $object | Add-Member -MemberType NoteProperty -Name KVAShadowRequired -Value $kvaShadowRequired
        $object | Add-Member -MemberType NoteProperty -Name KVAShadowWindowsSupportPresent -Value $kvaShadowPresent
        $object | Add-Member -MemberType NoteProperty -Name KVAShadowWindowsSupportEnabled -Value $kvaShadowEnabled
        $object | Add-Member -MemberType NoteProperty -Name KVAShadowPcidEnabled -Value $kvaShadowPcidEnabled
 
        #
        # Speculation Control Settings for CVE-2018-3639 (Speculative Store Bypass)
        #
 
        if ($Quiet -ne $true) {
            Write-Host
            Write-Host "Speculation control settings for CVE-2018-3639 [speculative store bypass]" -ForegroundColor Cyan
            Write-Host    
        }
 
        if ($Quiet -ne $true) {
            if (($ssbdAvailable -eq $true)) {
                Write-Host "Hardware is vulnerable to speculative store bypass:"$ssbdRequired
                if ($ssbdRequired -eq $true) {
                    Write-Host "Hardware support for speculative store bypass mitigation is present:"$ssbdHardwarePresent
                    Write-Host "Windows OS support for speculative store bypass mitigation is present:"$ssbdAvailable
                    Write-Host "Windows OS support for speculative store bypass mitigation is enabled system-wide:"$ssbdSystemWide
                }
            }
            else {
                Write-Host "Windows OS support for speculative store bypass mitigation is present:"$ssbdAvailable
            }
        }
 
        $object | Add-Member -MemberType NoteProperty -Name SSBDWindowsSupportPresent -Value $ssbdAvailable
        $object | Add-Member -MemberType NoteProperty -Name SSBDHardwareVulnerable -Value $ssbdRequired
        $object | Add-Member -MemberType NoteProperty -Name SSBDHardwarePresent -Value $ssbdHardwarePresent
        $object | Add-Member -MemberType NoteProperty -Name SSBDWindowsSupportEnabledSystemWide -Value $ssbdSystemWide
 
        #
        # Provide guidance as appropriate.
        #
 
        $actions = @()
 
        if ($btiHardwarePresent -eq $false) {
            $actions += "Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation."
        }
 
        if (($btiWindowsSupportPresent -eq $false) -or 
            ($kvaShadowPresent -eq $false) -or
            ($ssbdAvailable -eq $false)) {
            $actions += "Install the latest available updates for Windows with support for speculation control mitigations."
        }
 
        if (($btiHardwarePresent -eq $true -and $btiWindowsSupportEnabled -eq $false) -or ($kvaShadowRequired -eq $true -and $kvaShadowEnabled -eq $false)) {
            $guidanceUri = ""
            $guidanceType = ""
 
 
            $os = Get-WmiObject Win32_OperatingSystem
 
            if ($os.ProductType -eq 1) {
                # Workstation
                $guidanceUri = "https://support.microsoft.com/help/4073119"
                $guidanceType = "Client"
            }
            else {
                # Server/DC
                $guidanceUri = "https://support.microsoft.com/help/4072698"
                $guidanceType = "Server"
            }
 
            $actions += "Follow the guidance for enabling Windows $guidanceType support for speculation control mitigations described in $guidanceUri"
        }
 
        if ($Quiet -ne $true -and $actions.Length -gt 0) {
 
            Write-Host
            Write-Host "Suggested actions" -ForegroundColor Cyan
            Write-Host 
 
            foreach ($action in $actions) {
                Write-Host " *" $action
            }
        }
 
        return $object
 
    }
    finally
    {
        if ($systemInformationPtr -ne [System.IntPtr]::Zero) {
            [System.Runtime.InteropServices.Marshal]::FreeHGlobal($systemInformationPtr)
        }
 
        if ($returnLengthPtr -ne [System.IntPtr]::Zero) {
            [System.Runtime.InteropServices.Marshal]::FreeHGlobal($returnLengthPtr)
        }
    }    
  }
}



More Information: