mir/Hardware-and-Firmware-Security-Guidance
2
0
Fork 0
mirror of https://github.com/nsacyber/Hardware-and-Firmware-Security-Guidance synced 2025-08-22 01:57:56 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

initial commit

Browse Source
This commit is contained in:
iadgovuser1 2018-01-10 12:29:24 -05:00
parent 03dcbc5f02
commit fb5fae5218
5 changed files with 182 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
CONTRIBUTING.md Normal file
View File

@ -0,0 +1,6 @@
All contributions to this project will be released as follows:
1. If you are a U.S. government employee, then your changes are exempt from copyright in the U.S. and will be released under the [CC0 1.0](https://creativecommons.org/publicdomain/zero/1.0/) [Universal license](https://creativecommons.org/publicdomain/zero/1.0/legalcode) worldwide.
1. If you are a not a U.S. government employee, then your changes will be released under the [CC0 1.0](https://creativecommons.org/publicdomain/zero/1.0/) [Universal license](https://creativecommons.org/publicdomain/zero/1.0/legalcode) in the U.S. and worldwide.
By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

9
DISCLAIMER.md Normal file
View File

@ -0,0 +1,9 @@
## Disclaimer of Warranty
This Work is provided "as is". Any express or implied warranties, including but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the United States Government be liable for any direct, indirect, incidental, special, exemplary or consequential damages (including, but not limited to, procurement of substitute goods or services, loss of use, data or profits, or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this Work, even if advised of the possibility of such damage.
The User of this Work agrees to hold harmless and indemnify the United States Government, its agents and employees from every claim or liability (whether in tort or in contract), including attorneys' fees, court costs, and expenses, arising in direct consequence of Recipient's use of the item, including but not limited to, claims or liabilities made for injury to or death of personnel of User or third parties, damage to or destruction of property of User or third parties, infringement or other violations of intellectual property or technical data rights.
Nothing in this Work is intended to constitute an endorsement, explicit or implied, by the United States Government of any particular manufacturer's product or service.
## Disclaimer of Endorsement
Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, in this Work does not constitute an endorsement, recommendation, or favoring by the United States Government and shall not be used for advertising or product endorsement purposes.

3
LICENSE.md Normal file
View File

@ -0,0 +1,3 @@
This Work was prepared by a United States Government employee and, therefore, is excluded from copyright by Section 105 of the Copyright Act of 1976.
Copyright and Related Rights in the Work worldwide are waived through the [CC0 1.0](https://creativecommons.org/publicdomain/zero/1.0/) [Universal license](https://creativecommons.org/publicdomain/zero/1.0/legalcode).

15
README.md
View File

@ -1,2 +1,13 @@
# Spectre-and-Meltdown-Guidance
Guidance for the Spectre and Meltdown vulnerabilities. iadgov
# Spectre and Meltdown Guidance
This repository provides content for aiding DoD administrators in verifying systems have applied and enabled mitigations for [Spectre](https://spectreattack.com/) and [Meltdown](https://meltdownattack.com/). The repository is companion to Information Assurance Advisory [Updated Guidance for Spectre and Meltdown Vulnerabilities Affecting Modern Processors](https://www.iad.gov/iad/library/ia-advisories-alerts/updated-guidance-for-spectre-and-meltdown-vulnerabilities-affecting-modern-processors.cfm). The files in this repository can be downloaded as a zip file [here](https://github.com/iadgov/Spectre-and-Meltdown-Guidance/archive/master.zip).
The main files of interest in the repository include:
* [windows/Verify-Meltdown-Mitigations-Windws-OS.audit](windows/Verify-Meltdown-Mitigations-Windows-OS.audit) - a custom Nessus audit file useful for DoD administrators who want to verify, using Nessus, Windows operating systems on their network have correctly enabled mitigations (acquire via the [ACAS](https://www.disa.mil/cybersecurity/network-defense/acas) program).
## Links
## License
See [LICENSE](./LICENSE.md).
## Disclaimer
See [DISCLAIMER](./DISCLAIMER.md).

151
windows/Verify-Meltdown-Mitigations-Windows-OS.audit Normal file
View File

@ -0,0 +1,151 @@
<check_type : "Windows" version : "2">
<group_policy : "Detects if Meltdown mitigations are enabled on Windows systems">
<custom_item>
type: AUDIT_POWERSHELL
description: "Detects if the Get-SpeculationControl PowerShell module is installed. The module is required for checking that system has Meltdown mitigations configured correctly"
info: "
For internet connected systems running modern versions of PowerShell (v5 on Windows 10 or Windows Server 2016):
1. Install from an administrative PowerShell prompt: Install-Module -Name SpeculationControl
The module will install to C:\Program Files\WindowsPowerShell\Modules\SpeculationControl\version number\ e.g. C:\Program Files\WindowsPowerShell\Modules\SpeculationControl\1.0.3\
or
For internet disconnected systems or or systems running older version of PowerShell:
1. Download from https://gallery.technet.microsoft.com/scriptcenter/Speculation-Control-e36f0050
2. From a PowerShell prompt, navigate to the location of SpeculationControl and type Unblock-File -Path .\SpeculationControl.zip
3. Copy SpeculationControl.psd1 and SpeculationControl.psm1 files to C:\Program Files\WindowsPowerShell\Modules\SpeculationControl\
The detection logic looks for either C:\Program Files\WindowsPowerShell\Modules\SpeculationControl\any version number\SpeculationControl.psm1 or C:\Program Files\WindowsPowerShell\Modules\SpeculationControl\SpeculationControl.psm1
"
value_type: POLICY_TEXT
value_data: ""
check_type: CHECK_NOT_EQUAL
powershell_args: "(Test-Path -Path ${env:ProgramFiles}\WindowsPowerShell\Modules\SpeculationControl\*\SpeculationControl.psm1) -or (Test-Path -Path ${env:ProgramFiles}\WindowsPowerShell\Modules\SpeculationControl\SpeculationControl.psm1)"
ps_encoded_args: NO
only_show_cmd_output: NO
severity: HIGH
</custom_item>
<custom_item>
type: AUDIT_POWERSHELL
description: "Detects if the firmware/BIOS has a Win32_BIOS.ReleaseDate is newer than 12/01/2017. If the ReleaseDate is older than that date, then a firmware update is needed for Meltdown"
info: "
See
"
value_type: POLICY_TEXT
value_data: 20171201
check_type: CHECK_GREATER_THAN_EQUAL
powershell_args: "([int]((Get-WmiObject -Class Win32_BIOS).ReleaseDate).ToString().SubString(0,8))"
ps_encoded_args: NO
only_show_cmd_output: NO
severity: HIGH
</custom_item>
<custom_item>
type: REGISTRY_SETTING
description: "Detects if the cadca5fe-87d3-4b96-b7fb-a231484277cc registry value, that denotes if the system antivirus product is compatible with the Meltdown operating system patches, is set."
info: "
If this value is not set, then the January 2018 patches, as well as all future updates for Windows, will not be applied via Windows Update. If using WSUS or SCCM or some other manual update mechanism, then this value does not need to be set.
This result can be ignored if patches are delivered via WSUS, SCCM, or some other patch management and deployment software.
Key: HKLM\Software\Microsoft\Windows\CurrentVersion\QualityCompat
Value Name: cadca5fe-87d3-4b96-b7fb-a231484277cc
Value Data: 0
Value Type: DWORD
"
value_type: POLICY_DWORD
value_data: 0
reg_key: "HKLM\Software\Microsoft\Windows\CurrentVersion\QualityCompat"
reg_item: "cadca5fe-87d3-4b96-b7fb-a231484277cc"
severity: HIGH
</custom_item>
<custom_item>
type: REGISTRY_SETTING
description: "Detects if the FeatureSettingsOverride registry value, that denotes if the system is configured to enable the mitigations delivered with the Meltdown operating system patches, is set."
info: "
If this value is not set, then the mitigations for the Meltdown patches are not fully enabled.
Key: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Value Name: FeatureSettingsOverride
Value Data: 0
Value Type: DWORD
"
value_type: POLICY_DWORD
value_data: 0
reg_key: "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
reg_item: "FeatureSettingsOverride"
severity: HIGH
</custom_item>
<custom_item>
type: REGISTRY_SETTING
description: "Detects if the FeatureSettingsOverrideMask registry value, that denotes if the system is configured to enable the mitigations delivered with the Meltdown operating system patches, is set."
info: "
If this value is not set, then the mitigations for the Meltdown patches are not fully enabled.
Key: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Value Name: FeatureSettingsOverrideMask
Value Data: 0
Value Type: DWORD
"
value_type: POLICY_DWORD
value_data: 3
reg_key: "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
reg_item: "FeatureSettingsOverrideMask"
severity: HIGH
</custom_item>
<if>
<condition type: "and">
<custom_item>
type: AUDIT_POWERSHELL
description: "Detects if the Get-SpeculationControl PowerShell module is installed. The module is required for checking that system has Meltdown mitigations configured correctly"
info: "
See
"
value_type: POLICY_TEXT
value_data: ""
check_type: CHECK_NOT_EQUAL
powershell_args: "(Test-Path -Path ${env:ProgramFiles}\WindowsPowerShell\Modules\SpeculationControl\*\SpeculationControl.psm1)"
ps_encoded_args: NO
only_show_cmd_output: NO
severity: HIGH
</custom_item>
<custom_item>
type: AUDIT_POWERSHELL
description: "Detects if the Branch Target Invocation (CVE-2017-5715) mitigation hardware/firmware support is present using the Get-SpeculationControl PowerShell module"
info: "
Executes (Get-SpeculationControlSettings).BTIHardwarePresent
If this check fails, then install a firmware update.
"
value_type: POLICY_TEXT
value_data: "True"
check_type: CHECK_NOT_EQUAL
powershell_args: "(Get-SpeculationControlSettings).BTIHardwarePresent"
ps_encoded_args: NO
only_show_cmd_output: NO
severity: HIGH
</custom_item>
</condition>
<then>
<report type : "PASSED">
description: "Branch Target Invocation (CVE-2017-5715) mitigation hardware/firmware support is present"
info : "Branch Target Invocation (CVE-2017-5715) mitigation hardware/firmware support is present"
</report>
</then>
<else>
<report type: "FAILED">
description: "SpeculationControl module must be installed"
info : "SpeculationControl module must be installed"
</report>
</else>
</if>
</group_policy>
</check_type>