How to use vScope to find Spectre and Meltdown vulnerabilities

Anton Petersson

Helping you turn insights into actions with vScope

NOTICE – You will need a vScope 3 license in order to follow this tutorial

The Spectre/Meltdown vulnerabilities could allow unauthorized actors to steal sensitive information such as passwords, emails and credit card details from basically any computer or server. There is no need to investigate further whether you are affected: you most probably are! Without getting too technical, the Spectre/Meltdown bugs affect almost any machine running a modern CPU, which means that IT organizations worldwide must take immediate action to secure their environments.

A short background – How can vScope help?

With the help of vScope, organizations always have a reliable and accurate inventory of their IT at hand. This is relevant in many situations, but especially when configurations across the environment need to be investigated quickly, such as when finding machines exposed to the Spectre/Meltdown vulnerabilities.

In this post you will find straightforward help with investigating the impact, progress and resolution of the Spectre/Meltdown vulnerabilities using vScope. It requires no prerequisites, scripting skills or extensive knowledge of security best practice. Notice that we will focus on Windows investigation in this post, but for the record vScope also supports Linux and ESXi investigations (see the Tracker section below).

Shortcut – Skip the tutorial, show me the fastest way

What do we need to know to get started?
According to Microsoft Support, there are three essential things to look out for:
1. What machines have not been updated with the critical Windows update?
2. What machines do not have the fix activated?
3. What machines are missing the critical firmware update?

1. Which servers have not been patched with the critical security update?
When the information about Spectre/Meltdown became public, Google, Microsoft, HP, Apple and other companies released patches to mitigate the flaws. So the most obvious thing to start looking for is whether or not our machines have been updated. From the resulting list, apply the necessary Windows updates.

However, patching is not enough. We also need to investigate:

2. What machines do not have the fix activated?
There is a registry value (True/False) stating whether or not the security update has been fully enabled. If it is not enabled, we need to make the necessary configuration changes to get full protection!

And finally:

3. What machines are missing the critical firmware update?
It is important to ensure that the manufacturer’s firmware (BIOS) update has been installed on the machine. This information is not available in vScope right now, but we will add it within a few days (your vScope will be updated automatically, unless that option has been turned off).

Let’s start with investigating the number 1 question:

1. Which servers have not been patched with the critical security update?

The Microsoft Support website presents the following table:

Operating system version                                  Update KB
Windows Server, version 1709 (Server Core Installation)   4056892
Windows Server 2016                                       4056890
Windows Server 2012 R2                                    4056898
Windows Server 2012                                       Not available
Windows Server 2008 R2                                    4056897
Windows Server 2008                                       Not available

NOTICE – Newer patches will supersede the ones listed above, so as Microsoft releases further updates the KB numbers in this table will be replaced over time. A machine that has a superseding cumulative update installed may therefore not list these exact KBs.

Extract all KBs applicable to your environment from the table. In this guide we are using all of them:

4056897, 4056898, 4056890, 4056892

Build a report about all machines missing these patches. Start by doing the following:

1. New Table -> All machines

Add filter -> Installed Windows Update ->

Match*: KB4056897
Match*: KB4056898
Match*: KB4056890
Match*: KB4056892

Notice that double-clicking a value in the filter box negates it (turns the match into a “not”).

The resulting table lists all machines that do NOT have the critical patch installed. That’s basically it for the first step. To make the report even more relevant we can add some columns about OS, OS description and IP.

From an overview perspective, this list shows us which servers need Windows updates to resolve this specific situation. A good start!

Let’s save it…

2. Has the fix been activated?

There is a certain tag in vScope to help investigate this registry key. That tag is named “OS speculative execution mitigations enabled”. So for step 2, start by clearing the filter from KBs…

…and instead filter on:
OS speculative execution mitigations enabled = false

The result shows every machine that is not fully protected because the registry value is missing or disabled. This is a serious misconfiguration, so we need to take action here. Start by saving the table.
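For readers who want to verify the same two conditions directly on a single Windows Server host (for example, to spot-check what a vScope report claims), here is an added PowerShell example. It is not vScope's code: the KB numbers come from the Microsoft table above, and the registry key and value names (FeatureSettingsOverride, FeatureSettingsOverrideMask) are taken from Microsoft's Windows Server guidance (KB4072698), not from this tutorial.

```powershell
# Added example (not vScope's own code): audit one Windows Server host for the two
# conditions the tutorial's reports look for. Run in an elevated PowerShell session.

# KB numbers from the Microsoft table quoted above. Because of supersession, a host
# with a newer cumulative update may legitimately report none of these exact KBs.
$RequiredKbs = @('KB4056897', 'KB4056898', 'KB4056890', 'KB4056892')

function Test-SpectreMeltdownPatch {
    # Mirrors step 1: the "Installed Windows Update" filter on the listed KBs.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matching  = @($RequiredKbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        OSDescription  = (Get-CimInstance Win32_OperatingSystem).Caption
        PatchInstalled = ($matching.Count -gt 0)
        MatchingKB     = ($matching -join ', ')
    }
}

function Test-SpeculativeExecutionMitigation {
    # Mirrors step 2. Per Microsoft's server guidance (KB4072698), the mitigations
    # stay OFF on Windows Server until both registry values below are set:
    #   FeatureSettingsOverride     = 0
    #   FeatureSettingsOverrideMask = 3
    # Missing values are read as $null here, which evaluates to "not enabled".
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $vals = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $override = $vals.FeatureSettingsOverride
    $mask     = $vals.FeatureSettingsOverrideMask
    [pscustomobject]@{
        Host                        = $env:COMPUTERNAME
        MitigationsEnabled          = (($override -eq 0) -and ($mask -eq 3))
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
    }
}

Test-SpectreMeltdownPatch | Format-List
Test-SpeculativeExecutionMitigation | Format-List
```

A host that reports PatchInstalled = True but MitigationsEnabled = False corresponds to the rows the step 2 table highlights: patched, but not yet protected.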

Share the table with anyone interested (notice that these individuals need to have a vScope account in order to access the report).

And that was really the hardest part of this tutorial. The reports we’ve built in this tutorial will automatically be updated whenever a discovery is finished. This makes these reports perfect, not only for the identification process, but also for follow ups of how the Spectre/Meltdown vulnerabilities are mitigated by your organization!

NOTICE – Linux users may want to look at the tags OS kernel release or CPU_bugs instead, but I will leave that as an exercise for the reader.

Thanks, but can we do it faster?
Actually, yes! Even though this audit took only a few minutes, vScope also highlights affected machines automatically in so-called Tracker cases. Let’s look into Tracker and see how that works.

The most convenient way – Using Tracker

The most convenient way to investigate the impact of the Spectre/Meltdown vulnerabilities is to use Tracker. Tracker is a bundled set of smart analyses of your IT infrastructure, designed to highlight relevant information for professionals, for better and more secure IT.

For Spectre/Meltdown there are prebuilt analyses that help you find out faster whether you are exposed to the vulnerabilities. Go into Tracker and select the Security interest:

Search for “Spectre” or “Meltdown”

The resulting list shows the cases in which machines have been found to be exposed to either the Spectre or the Meltdown vulnerability. Notice that Tracker contains cases for Windows and Linux as well as ESXi. Double-clicking a case takes you to its details page, where you can find more information.

Easy, right?

Ending notes

That’s it for now. You are left with one final task: all major microprocessor manufacturers have already released, or are about to release, fixes for Spectre/Meltdown. But do you know whether any server or laptop in your environment comes from a minor manufacturer? Have you checked whether they have released a fix?

With the help of vScope, you can list all machines whose CPUs are not manufactured by Intel, ARM or AMD. Just look at the CPU Description tag to identify them.

Links

Microsoft Support – Windows 10 Update KB4056892

Microsoft Support – Windows server guidance to protect against the speculative execution

About Spectre

About Meltdown

About the attack

Anton Petersson

Customer Success


2018-08-13T08:09:22+00:00