Security-Bug: Meltdown and Spectre
Inhaltsverzeichnis
Information
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.
Meltdown
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are software patches against Meltdown.
Spectre
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.
BTI is Branch Target Injection as described in CVE-2017-5715[1] alias Spectre[2].
KVA checks OS mitigation against CVE-2017-5754[3] alias Meltdown[4]
PowerShell Check Function (Version 1.0.8)
Information
BTIHardwarePresent is true if the Hardware supports a mitigation. Check for BIOS/firmware updates provided by your device OEM. BTIWindowsSupportPresent is true if the required Windows security update is installed. BTIWindowsSupportEnabled is true the Branch Target Injection mitigation is effective.
function Get-SpeculationControlSettings { <# .SYNOPSIS This function queries the speculation control settings for the system. .DESCRIPTION This function queries the speculation control settings for the system. .PARAMETER Quiet This parameter suppresses host output that is displayed by default. #> [CmdletBinding()] param ( [switch]$Quiet ) process { $NtQSIDefinition = @' [DllImport("ntdll.dll")] public static extern int NtQuerySystemInformation(uint systemInformationClass, IntPtr systemInformation, uint systemInformationLength, IntPtr returnLength); '@ $ntdll = Add-Type -MemberDefinition $NtQSIDefinition -Name 'ntdll' -Namespace 'Win32' -PassThru [System.IntPtr]$systemInformationPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(4) [System.IntPtr]$returnLengthPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(4) $object = New-Object -TypeName PSObject try { $cpu = Get-WmiObject Win32_Processor if ($cpu -is [array]) { $cpu = $cpu[0] } $manufacturer = $cpu.Manufacturer # # Query branch target injection information. # if ($Quiet -ne $true) { Write-Host "Speculation control settings for CVE-2017-5715 [branch target injection]" -ForegroundColor Cyan Write-Host "For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629" -ForegroundColor Cyan if ($manufacturer -eq "AuthenticAMD") { Write-Host "AMD CPU detected: mitigations for branch target injection on AMD CPUs have additional registry settings for this mitigation, please refer to FAQ #15 at https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180002" -ForegroundColor Cyan } Write-Host } $btiHardwarePresent = $false $btiWindowsSupportPresent = $false $btiWindowsSupportEnabled = $false $btiDisabledBySystemPolicy = $false $btiDisabledByNoHardwareSupport = $false $ssbdAvailable = $false $ssbdHardwarePresent = $false $ssbdSystemWide = $false $ssbdRequired = $null [System.UInt32]$systemInformationClass = 201 [System.UInt32]$systemInformationLength = 4 $retval = $ntdll::NtQuerySystemInformation($systemInformationClass, $systemInformationPtr, $systemInformationLength, $returnLengthPtr) if ($retval -eq 0xc0000003 -or $retval -eq 0xc0000002) { # fallthrough } elseif ($retval -ne 0) { throw (("Querying branch target injection information failed with error {0:X8}" -f $retval)) } else { [System.UInt32]$scfBpbEnabled = 0x01 [System.UInt32]$scfBpbDisabledSystemPolicy = 0x02 [System.UInt32]$scfBpbDisabledNoHardwareSupport = 0x04 [System.UInt32]$scfHwReg1Enumerated = 0x08 [System.UInt32]$scfHwReg2Enumerated = 0x10 [System.UInt32]$scfHwMode1Present = 0x20 [System.UInt32]$scfHwMode2Present = 0x40 [System.UInt32]$scfSmepPresent = 0x80 [System.UInt32]$scfSsbdAvailable = 0x100 [System.UInt32]$scfSsbdSupported = 0x200 [System.UInt32]$scfSsbdSystemWide = 0x400 [System.UInt32]$scfSsbdRequired = 0x1000 [System.UInt32]$flags = [System.UInt32][System.Runtime.InteropServices.Marshal]::ReadInt32($systemInformationPtr) $btiHardwarePresent = ((($flags -band $scfHwReg1Enumerated) -ne 0) -or (($flags -band $scfHwReg2Enumerated))) $btiWindowsSupportPresent = $true $btiWindowsSupportEnabled = (($flags -band $scfBpbEnabled) -ne 0) if ($btiWindowsSupportEnabled -eq $false) { $btiDisabledBySystemPolicy = (($flags -band $scfBpbDisabledSystemPolicy) -ne 0) $btiDisabledByNoHardwareSupport = (($flags -band $scfBpbDisabledNoHardwareSupport) -ne 0) } $ssbdAvailable = (($flags -band $scfSsbdAvailable) -ne 0) if ($ssbdAvailable -eq $true) { $ssbdHardwarePresent = (($flags -band $scfSsbdSupported) -ne 0) $ssbdSystemWide = (($flags -band $scfSsbdSystemWide) -ne 0) $ssbdRequired = (($flags -band $scfSsbdRequired) -ne 0) } if ($Quiet -ne $true -and $PSBoundParameters['Verbose']) { Write-Host "BpbEnabled :" (($flags -band $scfBpbEnabled) -ne 0) Write-Host "BpbDisabledSystemPolicy :" (($flags -band $scfBpbDisabledSystemPolicy) -ne 0) Write-Host "BpbDisabledNoHardwareSupport :" (($flags -band $scfBpbDisabledNoHardwareSupport) -ne 0) Write-Host "HwReg1Enumerated :" (($flags -band $scfHwReg1Enumerated) -ne 0) Write-Host "HwReg2Enumerated :" (($flags -band $scfHwReg2Enumerated) -ne 0) Write-Host "HwMode1Present :" (($flags -band $scfHwMode1Present) -ne 0) Write-Host "HwMode2Present :" (($flags -band $scfHwMode2Present) -ne 0) Write-Host "SmepPresent :" (($flags -band $scfSmepPresent) -ne 0) Write-Host "SsbdAvailable :" (($flags -band $scfSsbdAvailable) -ne 0) Write-Host "SsbdSupported :" (($flags -band $scfSsbdSupported) -ne 0) Write-Host "SsbdSystemWide :" (($flags -band $scfSsbdSystemWide) -ne 0) Write-Host "SsbdRequired :" (($flags -band $scfSsbdRequired) -ne 0) } } if ($Quiet -ne $true) { Write-Host "Hardware support for branch target injection mitigation is present:"($btiHardwarePresent) Write-Host "Windows OS support for branch target injection mitigation is present:"($btiWindowsSupportPresent) Write-Host "Windows OS support for branch target injection mitigation is enabled:"($btiWindowsSupportEnabled) if ($btiWindowsSupportPresent -eq $true -and $btiWindowsSupportEnabled -eq $false) { Write-Host -ForegroundColor Red "Windows OS support for branch target injection mitigation is disabled by system policy:"($btiDisabledBySystemPolicy) Write-Host -ForegroundColor Red "Windows OS support for branch target injection mitigation is disabled by absence of hardware support:"($btiDisabledByNoHardwareSupport) } } $object | Add-Member -MemberType NoteProperty -Name BTIHardwarePresent -Value $btiHardwarePresent $object | Add-Member -MemberType NoteProperty -Name BTIWindowsSupportPresent -Value $btiWindowsSupportPresent $object | Add-Member -MemberType NoteProperty -Name BTIWindowsSupportEnabled -Value $btiWindowsSupportEnabled $object | Add-Member -MemberType NoteProperty -Name BTIDisabledBySystemPolicy -Value $btiDisabledBySystemPolicy $object | Add-Member -MemberType NoteProperty -Name BTIDisabledByNoHardwareSupport -Value $btiDisabledByNoHardwareSupport # # Query kernel VA shadow information. # if ($Quiet -ne $true) { Write-Host Write-Host "Speculation control settings for CVE-2017-5754 [rogue data cache load]" -ForegroundColor Cyan Write-Host } $kvaShadowRequired = $true $kvaShadowPresent = $false $kvaShadowEnabled = $false $kvaShadowPcidEnabled = $false [System.UInt32]$systemInformationClass = 196 [System.UInt32]$systemInformationLength = 4 $retval = $ntdll::NtQuerySystemInformation($systemInformationClass, $systemInformationPtr, $systemInformationLength, $returnLengthPtr) if ($retval -eq 0xc0000003 -or $retval -eq 0xc0000002) { } elseif ($retval -ne 0) { throw (("Querying kernel VA shadow information failed with error {0:X8}" -f $retval)) } else { [System.UInt32]$kvaShadowEnabledFlag = 0x01 [System.UInt32]$kvaShadowUserGlobalFlag = 0x02 [System.UInt32]$kvaShadowPcidFlag = 0x04 [System.UInt32]$kvaShadowInvpcidFlag = 0x08 [System.UInt32]$kvaShadowRequiredFlag = 0x10 [System.UInt32]$kvaShadowRequiredAvailableFlag = 0x20 [System.UInt32]$flags = [System.UInt32][System.Runtime.InteropServices.Marshal]::ReadInt32($systemInformationPtr) $kvaShadowPresent = $true $kvaShadowEnabled = (($flags -band $kvaShadowEnabledFlag) -ne 0) $kvaShadowPcidEnabled = ((($flags -band $kvaShadowPcidFlag) -ne 0) -and (($flags -band $kvaShadowInvpcidFlag) -ne 0)) if (($flags -band $kvaShadowRequiredAvailableFlag) -ne 0) { $kvaShadowRequired = (($flags -band $kvaShadowRequiredFlag) -ne 0) } else { if ($manufacturer -eq "AuthenticAMD") { $kvaShadowRequired = $false } elseif ($manufacturer -eq "GenuineIntel") { $regex = [regex]'Family (\d+) Model (\d+) Stepping (\d+)' $result = $regex.Match($cpu.Description) if ($result.Success) { $family = [System.UInt32]$result.Groups[1].Value $model = [System.UInt32]$result.Groups[2].Value $stepping = [System.UInt32]$result.Groups[3].Value if (($family -eq 0x6) -and (($model -eq 0x1c) -or ($model -eq 0x26) -or ($model -eq 0x27) -or ($model -eq 0x36) -or ($model -eq 0x35))) { $kvaShadowRequired = $false } } } else { throw ("Unsupported processor manufacturer: {0}" -f $manufacturer) } } if ($Quiet -ne $true -and $PSBoundParameters['Verbose']) { Write-Host "KvaShadowEnabled :" (($flags -band $kvaShadowEnabledFlag) -ne 0) Write-Host "KvaShadowUserGlobal :" (($flags -band $kvaShadowUserGlobalFlag) -ne 0) Write-Host "KvaShadowPcid :" (($flags -band $kvaShadowPcidFlag) -ne 0) Write-Host "KvaShadowInvpcid :" (($flags -band $kvaShadowInvpcidFlag) -ne 0) Write-Host "KvaShadowRequired :" $kvaShadowRequired Write-Host "KvaShadowRequiredAvailable :" (($flags -band $kvaShadowRequiredAvailableFlag) -ne 0) } } if ($Quiet -ne $true) { Write-Host "Hardware requires kernel VA shadowing:"$kvaShadowRequired if ($kvaShadowRequired) { Write-Host "Windows OS support for kernel VA shadow is present:"$kvaShadowPresent Write-Host "Windows OS support for kernel VA shadow is enabled:"$kvaShadowEnabled if ($kvaShadowEnabled) { Write-Host "Windows OS support for PCID performance optimization is enabled: $kvaShadowPcidEnabled [not required for security]" } } } $object | Add-Member -MemberType NoteProperty -Name KVAShadowRequired -Value $kvaShadowRequired $object | Add-Member -MemberType NoteProperty -Name KVAShadowWindowsSupportPresent -Value $kvaShadowPresent $object | Add-Member -MemberType NoteProperty -Name KVAShadowWindowsSupportEnabled -Value $kvaShadowEnabled $object | Add-Member -MemberType NoteProperty -Name KVAShadowPcidEnabled -Value $kvaShadowPcidEnabled # # Speculation Control Settings for CVE-2018-3639 (Speculative Store Bypass) # if ($Quiet -ne $true) { Write-Host Write-Host "Speculation control settings for CVE-2018-3639 [speculative store bypass]" -ForegroundColor Cyan Write-Host } if ($Quiet -ne $true) { if (($ssbdAvailable -eq $true)) { Write-Host "Hardware is vulnerable to speculative store bypass:"$ssbdRequired if ($ssbdRequired -eq $true) { Write-Host "Hardware support for speculative store bypass mitigation is present:"$ssbdHardwarePresent Write-Host "Windows OS support for speculative store bypass mitigation is present:"$ssbdAvailable Write-Host "Windows OS support for speculative store bypass mitigation is enabled system-wide:"$ssbdSystemWide } } else { Write-Host "Windows OS support for speculative store bypass mitigation is present:"$ssbdAvailable } } $object | Add-Member -MemberType NoteProperty -Name SSBDWindowsSupportPresent -Value $ssbdAvailable $object | Add-Member -MemberType NoteProperty -Name SSBDHardwareVulnerable -Value $ssbdRequired $object | Add-Member -MemberType NoteProperty -Name SSBDHardwarePresent -Value $ssbdHardwarePresent $object | Add-Member -MemberType NoteProperty -Name SSBDWindowsSupportEnabledSystemWide -Value $ssbdSystemWide # # Provide guidance as appropriate. # $actions = @() if ($btiHardwarePresent -eq $false) { $actions += "Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation." } if (($btiWindowsSupportPresent -eq $false) -or ($kvaShadowPresent -eq $false) -or ($ssbdAvailable -eq $false)) { $actions += "Install the latest available updates for Windows with support for speculation control mitigations." } if (($btiHardwarePresent -eq $true -and $btiWindowsSupportEnabled -eq $false) -or ($kvaShadowRequired -eq $true -and $kvaShadowEnabled -eq $false)) { $guidanceUri = "" $guidanceType = "" $os = Get-WmiObject Win32_OperatingSystem if ($os.ProductType -eq 1) { # Workstation $guidanceUri = "https://support.microsoft.com/help/4073119" $guidanceType = "Client" } else { # Server/DC $guidanceUri = "https://support.microsoft.com/help/4072698" $guidanceType = "Server" } $actions += "Follow the guidance for enabling Windows $guidanceType support for speculation control mitigations described in $guidanceUri" } if ($Quiet -ne $true -and $actions.Length -gt 0) { Write-Host Write-Host "Suggested actions" -ForegroundColor Cyan Write-Host foreach ($action in $actions) { Write-Host " *" $action } } return $object } finally { if ($systemInformationPtr -ne [System.IntPtr]::Zero) { [System.Runtime.InteropServices.Marshal]::FreeHGlobal($systemInformationPtr) } if ($returnLengthPtr -ne [System.IntPtr]::Zero) { [System.Runtime.InteropServices.Marshal]::FreeHGlobal($returnLengthPtr) } } } }
More Information:
- https://spectreattack.com
- https://support.microsoft.com/de-ch/help/4074629/understanding-the-output-of-get-speculationcontrolsettings-powershell
- https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in
- https://www.powershellgallery.com/packages/SpeculationControl/1.0.2
- https://github.com/vrdse/MeltdownSpectreReport