This post was originally published here by alex mandernack.
Authors:
Alex Mandernack, Security Engineer, CloudPassage
Sean Nicholson, Security Engineer, CloudPassage
As news breaks of yet another critical vulnerability, security personnel are scrambling to find a way to detect and remediate these vulnerabilities as quickly as possible. If you are a CloudPassage Halo customer, finding these vulnerabilities in your environment becomes a very simple task. Specifically, utilizing Halo Software Vulnerability Assessment (SVA) and Configuration Security Management (CSM), discovering these vulnerabilities is easy.
For Linux instances, all you would need to do is use the server filter “CVE Present=” and search for servers with the specified CVEs. Depending on your scan schedule, you may have to initiate a on-demand SVA scan of all servers. Here’s a link to manually scan servers. It requires a Halo portal login.
This filtered list can be easily exported into a CSV and then provided to your DevOps or System Admins for fast remediation. This can also be integrated in an automation tool via the Halo API for faster remediation.
Quickly detecting Spectre in your Windows server instances is greatly simplified by using Halo SVA and a CSM policy with the following two registry key value checks:
Rule Name: Spectre fix present
*Make sure to mark the rule as critical
Check Name: Registry Key Value Setting
Once the policy is created, assign it to the root group of your portal with inherit down enabled and then run a CSM scan across all Windows Server instances. This can be easily done by clicking on the root group and then clicking on the Servers view tab. In the Servers view tab apply a filter “OS Type=Windows.” Then select the first server in the list and scroll to the last server. Once the list is fully loaded, hold shift and click the last server in the list. Once all servers are selected, right click any server and click Launch Scan. Select Configuration Scan from the overlay screen and click scan. The CSM scans should be completed in a couple of minutes.
Then you can view the servers vulnerable to Spectre, as well as whether the fix has been put in place and configured correctly, by filtering the issue list for the failed CSM check.
Clicking on the number of servers will provide a list of servers that are vulnerable to Spectre and will show the servers where the fix is applied.
Verifying protections are enabled
To help confirm whether protections have been enabled, Microsoft has published a PowerShell script that customers can run on their systems. Install and run the script by running the following commands:
Steps needed to fully protect against Spectre on Microsoft Windows:
- Apply the Windows operating system update. For details on how to enable this update, see Microsoft Knowledge Base Article 4072699
- Make necessary configuration changes to enable protection
- Apply an applicable firmware update from the OEM device manufacturer
Vendor Links
- https://access.redhat.com/security/vulnerabilities/speculativeexecution
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
- https://alas.aws.amazon.com/ALAS-2018-939.html
- https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
CVE Reference
- CVE-2017-5715 (branch target injection)
- CVE-2017-5753 (bounds check bypass)
- CVE-2017-5754 (rogue data cache load)
Spectre Halo CSM Policy
If you would like to import the Halo CSM policy referenced in this article, you can download it from our CloudPassage Github through the link below:
https://github.com/cloudpassage/Detection-and-remediation-of-Spectre-and-Meltdown
If you have any questions or concerns with this, please don’t hesitate to contact CloudPassage support.
Photo:Panda Security