Utility for mitigations CVE-2017-5715 and CVE-2017-5754 status check

Discussion in 'Operating Systems' started by mbk1969, Jan 10, 2018.

  1. mbk1969

    mbk1969 Ancient Guru

    Messages:
    11,491
    Likes Received:
    9,205
    GPU:
    GF RTX 2070 Super
    Thanks.
    Then I have only one explanation: with the Spectre/Meltdown update for Windows, Microsoft actually deployed support for the parameters of NtQuerySystemInformation used in the PowerShell script. And my copy of Windows 7 has not been patched.
     
  2. tsunami231

    tsunami231 Ancient Guru

    Messages:
    12,325
    Likes Received:
    989
    GPU:
    EVGA 1070Ti Black
  3. CrazY_Milojko

    CrazY_Milojko Ancient Guru

    Messages:
    2,428
    Likes Received:
    989
    GPU:
    Asus STRIX 1070 OC
    Haven't checked mbk's tool yet, but I guess it doesn't have a digital signature, and Avast in most cases flags those as a potential threat.
     
  4. tsunami231

    tsunami231 Ancient Guru

    It's probably not signed, as Avast says "unknown" for publisher.

    I tried
    https://www.ashampoo.com/en/usd/pin/1304/security-software/spectre-meltdown-cpu-checker

    for the time being, till Avast validates whatever it needs. It shows Meltdown is protected, Spectre isn't, but I know that already. My query is why:
    PowerShell
    Windows OS support for branch target injection mitigation is present: True

    tool
    Windows OS support for branch target injection mitigation is present:False

    My understanding is that if the OS patch is installed it should be True, and that update was installed.
     
    Last edited: Jan 12, 2018

  5. CrazY_Milojko

    CrazY_Milojko Ancient Guru

    ...but in your case OS support (WU you've installed) wouldn't kick in because you're still using an old version of the BIOS for that Asrock Z170 Extreme 4 motherboard (latest BIOS 7.20 25.Jan.2017) of yours with old CPU microcodes that don't mitigate the Meltdown and Spectre security flaw. Full protection (except Spectre type 2 I guess) will kick in only in case with latest/fixed CPU microcodes + patched OS.

    edit
    Take a look at this article:
    https://support.microsoft.com/en-za...-of-get-speculationcontrolsettings-powershell
     
  6. tsunami231

    tsunami231 Ancient Guru

    You're misunderstanding what I am saying. Below are the actual readouts from the tool and the script.

    tool
    Code:
    Speculation control settings for CVE-2017-5715 [branch target injection]
    
    Hardware support for branch target injection mitigation is present: False
    Windows OS support for branch target injection mitigation is present:False
    Windows OS support for branch target injection mitigation is enabled: False
    
    
    
    Speculation control settings for CVE-2017-5754 [rogue data cache load]
    
    Hardware requires kernel VA shadowing: True
    Windows OS support for kernel VA shadow is present: True
    Windows OS support for kernel VA shadow is enabled: True
    Windows OS support for PCID performance optimization is enabled: True [not required for security]
    
    
    
    Additional CPU information
    
    Name: Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz
    Description: Intel64 Family 6 Model 94 Stepping 3
    CPUID: 000506E3

    Code:
    PS C:\Windows\system32> Get-SpeculationControlSettings
    Speculation control settings for CVE-2017-5715 [branch target injection]
    
    Hardware support for branch target injection mitigation is present: False
    Windows OS support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is enabled: False
    Windows OS support for branch target injection mitigation is disabled by system policy: False
    Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
    
    Speculation control settings for CVE-2017-5754 [rogue data cache load]
    
    Hardware requires kernel VA shadowing: True
    Windows OS support for kernel VA shadow is present: True
    Windows OS support for kernel VA shadow is enabled: True
    Windows OS support for PCID optimization is enabled: True
    
    Suggested actions
    
     * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injectio
    n mitigation.
     * Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support
    .microsoft.com/help/4072698
    
    
    BTIHardwarePresent             : False
    BTIWindowsSupportPresent       : True
    BTIWindowsSupportEnabled       : False
    BTIDisabledBySystemPolicy      : False
    BTIDisabledByNoHardwareSupport : True
    KVAShadowRequired              : True
    KVAShadowWindowsSupportPresent : True
    KVAShadowWindowsSupportEnabled : True
    KVAShadowPcidEnabled           : True

    Note the part
    Windows OS support for branch target injection mitigation is present

    The script says one thing, the tool says another. This entry tells if the OS update was installed,
    and the OS update is installed, otherwise the "CVE-2017-5754 [rogue data cache load]" would be unprotected too, because that changed to protected after the OS update.
     
    Last edited: Jan 12, 2018
  7. CrazY_Milojko

    CrazY_Milojko Ancient Guru

    OK, now I see you've edited/changed:
    Hardware support for branch target injection mitigation is present:False
    to:
    Windows OS support for branch target injection mitigation is present:False

    Hmmm... that's weird. Did you run the tool as admin? Guess you did... Time for mbk to step in...
     
  8. tsunami231

    tsunami231 Ancient Guru

    The tool I have, I ran it in both admin and normal and it said the same thing. I'm still waiting on Avast to do their test so the new one passes its test. It's not that I don't trust his stuff, it's that I don't run anything Avast flags that I downloaded, in general, short of it being a program I've been using for years and know for a fact Avast randomly flags.
     
  9. anticupidon

    anticupidon Ancient Guru

    Messages:
    6,299
    Likes Received:
    2,650
    GPU:
    Polaris/Vega/Navi
  10. mbk1969

    mbk1969 Ancient Guru

    I assure you that I am not a genius who is capable of implementing malware in such a short time span.
    Update: I downloaded the utility at home and Defender (Win10) did not find any threats.

    Meanwhile I will update the utility to my understanding of estimating an OS without installed patches for those two mitigations.
     
    Last edited: Jan 12, 2018

  11. mbk1969

    mbk1969 Ancient Guru

  12. tsunami231

    tsunami231 Ancient Guru

    Your new version tells me this:
    Code:
    Speculation control settings for CVE-2017-5715 [branch target injection]
    
    Querying branch target injection information failed with error: 0xC0000003, The parameter is incorrect
    
    
    
    Speculation control settings for CVE-2017-5754 [rogue data cache load]
    
    Hardware requires kernel VA shadowing: True
    Windows OS support for kernel VA shadow is present: True
    Windows OS support for kernel VA shadow is enabled: True
    Windows OS support for PCID performance optimization is enabled: True [not required for security]
    
    
    
    Additional CPU information
    
    Name: Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz
    Description: Intel64 Family 6 Model 94 Stepping 3
    CPUID: 000506E3
    
    
    
    Additional OS information
    
    Name: Microsoft Windows 10 Pro
    Architecture: 64-bit
    Build: 15063
    SKU: 48
    Service Pack: 0.0

    ran normal or ran as admin.
     
  13. mbk1969

    mbk1969 Ancient Guru

    http://www.mediafire.com/file/2321zihyiaefbzj/MitigationStatus.zip
    Updated a bit to suggest that in case (like yours) of an error with code 0xC0000003 or 0xC0000002 the corresponding patch is not installed.
    As a bonus I added support for the Ctrl+A combination to select the whole text (weird that I should do it manually for such a standard edit control).

    If we look into the script we will see it too:
    Code:
            $retval = $ntdll::NtQuerySystemInformation($systemInformationClass, $systemInformationPtr, $systemInformationLength, $returnLengthPtr)
            if ($retval -eq 0xc0000003 -or $retval -eq 0xc0000002) {
                # fallthrough
            }
    
    So the Microsoft guys know that if the error code is 0xC0000003 or 0xC0000002 then the patch is not installed.

    So I guess your Windows 10 does not have that patch for CVE-2017-5715 installed. If you have some unpatched Windows in VMs you can test this theory there with the updated version.
     
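The status handling in the script excerpt above, as an added example that is not part of the thread or of Microsoft's module: 0xC0000003 is STATUS_INVALID_INFO_CLASS and 0xC0000002 is STATUS_NOT_IMPLEMENTED, so both mean the kernel does not recognise the query rather than that a parameter was malformed. `ConvertTo-BtiStatus` is a hypothetical helper, and the flag bit masks are assumptions based on the January 2018 SpeculationControl script.

```powershell
# Added example; ConvertTo-BtiStatus is a hypothetical helper, not part of the
# SpeculationControl module. Bit masks are assumed from the January 2018 script.
function ConvertTo-BtiStatus {
    param(
        [Parameter(Mandatory)] [int] $Status,  # NTSTATUS from NtQuerySystemInformation
        [uint32] $Flags = 0                    # flags DWORD, meaningful only if $Status is 0
    )

    $result = [ordered]@{
        BTIHardwarePresent             = $false
        BTIWindowsSupportPresent       = $false
        BTIWindowsSupportEnabled       = $false
        BTIDisabledBySystemPolicy      = $false
        BTIDisabledByNoHardwareSupport = $false
    }

    # 0xC0000003 STATUS_INVALID_INFO_CLASS / 0xC0000002 STATUS_NOT_IMPLEMENTED:
    # the kernel does not know this information class, so every field stays False.
    if ($Status -eq 0xC0000003 -or $Status -eq 0xC0000002) {
        return [pscustomobject]$result
    }
    # Any other failure is a real error and must not be reported as "unpatched".
    if ($Status -ne 0) {
        throw ('NtQuerySystemInformation failed with NTSTATUS 0x{0:X8}' -f $Status)
    }

    # The call succeeded, so OS-side support exists; the rest comes from the flags.
    $result.BTIWindowsSupportPresent       = $true
    $result.BTIWindowsSupportEnabled       = ($Flags -band 0x01) -ne 0
    $result.BTIDisabledBySystemPolicy      = ($Flags -band 0x02) -ne 0
    $result.BTIDisabledByNoHardwareSupport = ($Flags -band 0x04) -ne 0
    # Hardware support = either speculation-control register enumerated by the CPU.
    $result.BTIHardwarePresent             = ($Flags -band 0x18) -ne 0
    return [pscustomobject]$result
}

# Constructed inputs, not captured from a real system.
$invalidInfoClass = 0xC0000003   # parsed as Int32 -1073741821, like the script's $retval
ConvertTo-BtiStatus -Status $invalidInfoClass   # kernel without the info class
ConvertTo-BtiStatus -Status 0 -Flags 0x04       # patched OS, old microcode
ConvertTo-BtiStatus -Status 0 -Flags 0x09       # patched OS and microcode, enabled
```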
  14. tsunami231

    tsunami231 Ancient Guru

    Well, if the PowerShell SpeculationControl script says it is and this says it isn't, I don't know. The KB with the update is installed.

    Without it

    Code:
    Speculation control settings for CVE-2017-5754 [rogue data cache load]
    
    Hardware requires kernel VA shadowing: True
    Windows OS support for kernel VA shadow is present: True
    Windows OS support for kernel VA shadow is enabled: True
    Windows OS support for PCID performance optimization is enabled: True [not required for security]
    
    
    
    
    would not be patched, because before the KB it wasn't patched.

    Like I said, the actual script says it's installed.
     
  15. dr_rus

    dr_rus Ancient Guru

    Messages:
    3,110
    Likes Received:
    466
    GPU:
    RTX 3080
    Updated version is working fine here too:

    Code:
    Speculation control settings for CVE-2017-5715 [branch target injection]
    
    Hardware support for branch target injection mitigation is present: False
    Windows OS support for branch target injection mitigation is present:True
    Windows OS support for branch target injection mitigation is enabled: False
    Windows OS support for branch target injection mitigation is disabled by system policy: False
    Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
    
    
    
    Speculation control settings for CVE-2017-5754 [rogue data cache load]
    
    Hardware requires kernel VA shadowing: True
    Windows OS support for kernel VA shadow is present: True
    Windows OS support for kernel VA shadow is enabled: True
    Windows OS support for PCID performance optimization is enabled: True [not required for security]
    
    
    
    Additional CPU information
    
    Name: Intel(R) Core(TM) i7-6850K CPU @ 3.60GHz
    Description: Intel64 Family 6 Model 79 Stepping 1
    CPUID: 0x000406F1
    
    
    
    Additional OS information
    
    Name: Microsoft Windows 10 Pro
    Architecture: 64-bit
    Build: 16299
    SKU: 48
    Service Pack: 0.0
     

  16. mbk1969

    mbk1969 Ancient Guru


    Try the new version somewhere in a VM where the patch is not installed.
    Also it can be that the mitigation for CVE-2017-5715 and the mitigation for CVE-2017-5754 actually have different KBs. If you installed a Cumulative Update then inside one KB there could be several KBs for each vulnerability.

    Update: Try this syntax in PowerShell

    Get-SpeculationControlSettings -Verbose

    and paste results here.
     
  17. tfam26

    tfam26 Guest

    Yeah, I have Win 10 1709 with all recent updates.

    So I uninstalled the VMWare version of the micro code because I heard v23 (4790k) was buggy.

    Now when I try the updated installer this is what I get:



    Speculation control settings for CVE-2017-5715 [branch target injection]

    Querying branch target injection information failed with error: 0xC0000003, The parameter is incorrect
    Most probably patch for CVE-2017-5715 was not installed



    Speculation control settings for CVE-2017-5754 [rogue data cache load]

    Hardware requires kernel VA shadowing: True
    Querying kernel VA shadow information failed with error: 0xC0000003, The parameter is incorrect
    Most probably patch for CVE-2017-5754 was not installed




    I'm really dumb with this stuff... any suggestions? Also thank you for the feedback and all your hard work in general man.
     
  18. dr_rus

    dr_rus Ancient Guru

    Unlikely, as security updates are cumulative, so if you have the latest build of the Windows 10 release branch then you should have all of the updates.
     
  19. mbk1969

    mbk1969 Ancient Guru

    Well, as it is called "cumulative" we can assume that it is kinda container KB with KBs for each fix inside.
     
  20. mbk1969

    mbk1969 Ancient Guru

    Ok, I will try new ideas.. Give me 30 minutes...
     
