Solarwinds MSP Script Check – Spectre
January 9, 2018
Ah, Mr Bond, I have been... no, that’s a different Spectre.
If you are reading this then you will know what Spectre is. It is, of course, a new vulnerability announced in nearly every device on the planet. Possibly some on Mars and the ISS as well. Definitely on many you look after.
Skipping over the technical details of the problem, which are covered in far greater detail and by those with far superior expertise elsewhere, I wanted to focus on a quick check I implemented for our MSP clients.
Microsoft has determined that third-party antivirus vendors must test their software and confirm its compatibility with the patches, as documented here. Once they are satisfied, it is on them to set a registry key on the client computers they protect to confirm the Spectre patch is OK to install.
For example, Sophos and Trend Micro will be testing this patch; once they are happy it is compatible, they will set the registry key on your client computer.
Crucially, client computers that do not have this key set will not receive any future security updates from Microsoft.
So it seemed to me a good idea to keep an eye on what systems have this key added and which don’t. Enter PowerShell and Solarwinds.
We can add a simple Script Check to report to the MSP Console the status of the registry key.
# Path and value name from Microsoft's guidance: the AV vendor sets this
# REG_DWORD to 0 once its product is confirmed compatible with the patch.
$regPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
$regVal = "cadca5fe-87d3-4b96-b7fb-a231484277cc"
try
{
    # -ErrorAction Stop turns a missing key or value into a catchable error
    $regData = Get-ItemProperty $regPath -Name $regVal -ErrorAction Stop
    if (($regData.$regVal) -ne 0)
    {
        Write-Warning "Registry Value Not set to Zero"
        Exit 1001    # a non-zero exit code flags the check as failed in the MSP console
    }
    else
    {
        Write-Output "Value Set Correctly"
        Exit 0
    }
}
catch
{
    Write-Warning "Value Missing"
    Exit 1001
}
This will report to our MSP portal any machine that has the value missing or incorrectly set.
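As an added example (not the script check above, and not anything from Microsoft or SolarWinds), here is a version that separates the failure cases the simple check lumps together: key absent, value absent, value present but not a REG_DWORD, and value non-zero. It returns an object so the detail shows up in the check output rather than only an exit code; the function name and status strings are my own, the path and value name are the ones from the Microsoft guidance.

```powershell
# Added example: report the QualityCompat value as a status object.
# Function name and status strings are assumptions; path/value name are
# from the Microsoft guidance referenced in the post.
function Get-QualityCompatStatus {
    $regPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
    $regVal  = "cadca5fe-87d3-4b96-b7fb-a231484277cc"

    $result = [PSCustomObject]@{
        Computer = $env:COMPUTERNAME
        Status   = "Unknown"
        Kind     = $null
        Data     = $null
    }

    # Key absent: no AV vendor (or administrator) has written it yet.
    if (-not (Test-Path $regPath)) {
        $result.Status = "KeyMissing"
        return $result
    }

    # Key present but the specific value is not: same practical effect.
    $key = Get-Item $regPath
    if ($key.GetValueNames() -notcontains $regVal) {
        $result.Status = "ValueMissing"
        return $result
    }

    # The guidance expects REG_DWORD = 0; a string "0" or a non-zero
    # DWORD is not the same thing, so report each separately.
    $result.Kind = $key.GetValueKind($regVal)
    $result.Data = $key.GetValue($regVal)
    if ($result.Kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $result.Status = "WrongType"
    } elseif ($result.Data -ne 0) {
        $result.Status = "NonZero"
    } else {
        $result.Status = "Compliant"
    }
    return $result
}

# Script Check wrapper: anything other than Compliant fails the check.
$status = Get-QualityCompatStatus
$status | Format-List | Out-String | Write-Output
if ($status.Status -ne "Compliant") { Exit 1001 }
Exit 0
```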
Of course, there are many tools already available for checking your environments (the Speculation Control PowerShell Module, for one), and this is by no means an attempt at a replacement; it is just a very quick addition to our MSP tool so we can see at a glance what is happening.
It seems Sophos started to push out the registry key on January the 5th, while Trend Micro are suggesting it may be up to us administrators to take manual action to set the registry key; this may change when they complete their testing.
If you have an AMD CPU you should review the guidance in the link below before taking any action.
More Info:
- SANS Webcast: https://www.youtube.com/watch?v=8FFSQwrLsfE&t=731s
- SpectreAttack.com: https://spectreattack.com/
- Spectre Paper: https://spectreattack.com/spectre.pdf
- Windows Server Guidance: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
- Windows Client: https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in
- Microsoft Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180002
- Sophos: https://community.sophos.com/kb/en-us/128053?elqTrackId=8c5e237a7b17450f9226db252ddc3bf6&elq=188b066d345c4e339cf8901b58c782c4&elqaid=2778&elqat=1&elqCampaignId=27145
- Trend Micro: https://success.trendmicro.com/solution/1119183-important-information-for-trend-micro-solutions-and-microsoft-january-2018-security-updates
- Windows & AMD Systems: https://support.microsoft.com/en-us/help/4073707/windows-operating-system-security-update-block-for-some-amd-based-devi