27 Sep
Spectre Mitigations Output for successful patch
I got the results of an internal pentest at my company and the job to fix it. The paper they gave me looked like the output I got from Microsoft's SpeculationControl PowerShell script from https://github.com/microsoft/SpeculationControl
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: True
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: False
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware is vulnerable to rogue data cache load: True
Windows OS support for rogue data cache load mitigation is present: True
Windows OS support for rogue data cache load mitigation is enabled: False
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: False
Speculation control settings for CVE-2018-3639 [speculative store bypass]
Hardware is vulnerable to speculative store bypass: True
Hardware support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is enabled system-wide: False
Speculation control settings for CVE-2018-3620 [L1 terminal fault]
Hardware is vulnerable to L1 terminal fault: False
Speculation control settings for MDS [microarchitectural data sampling]
Windows OS support for MDS mitigation is present: True
Hardware is vulnerable to MDS: True
Windows OS support for MDS mitigation is enabled: False
Speculation control settings for SBDR [shared buffers data read]
Windows OS support for SBDR mitigation is present: True
Hardware is vulnerable to SBDR: True
Windows OS support for SBDR mitigation is enabled: False
Speculation control settings for FBSDP [fill buffer stale data propagator]
Windows OS support for FBSDP mitigation is present: True
Hardware is vulnerable to FBSDP: True
Windows OS support for FBSDP mitigation is enabled: False
Speculation control settings for PSDP [primary stale data propagator]
Windows OS support for PSDP mitigation is present: True
Hardware is vulnerable to PSDP: True
Windows OS support for PSDP mitigation is enabled: False
Suggested actions
* Follow the guidance for enabling Windows Server support for speculation control mitigations described in https://support.microsoft.com/help/4072698
BTIHardwarePresent : True
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : True
BTIDisabledByNoHardwareSupport : False
BTIKernelRetpolineEnabled : False
BTIKernelImportOptimizationEnabled : False
RdclHardwareProtectedReported : True
RdclHardwareProtected : False
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False
SSBDWindowsSupportPresent : True
SSBDHardwareVulnerable : True
SSBDHardwarePresent : True
SSBDWindowsSupportEnabledSystemWide : False
L1TFHardwareVulnerable : False
L1TFWindowsSupportPresent : True
L1TFWindowsSupportEnabled : False
L1TFInvalidPteBit : 45
L1DFlushSupported : True
HvL1tfStatusAvailable : False
HvL1tfProcessorNotAffected : False
MDSWindowsSupportPresent : True
MDSHardwareVulnerable : True
MDSWindowsSupportEnabled : False
FBClearWindowsSupportPresent : True
SBDRSSDPHardwareVulnerable : True
FBSDPHardwareVulnerable : True
PSDPHardwareVulnerable : True
FBClearWindowsSupportEnabled : False
After I applied the fixes mentioned at https://support.microsoft.com/en-au/topic/kb4072698-windows-server-and-azure-stack-hci-guidance-to-protect-against-silicon-based-microarchitectural-and-speculative-execution-side-channel-vulnerabilities-2f965763-00e2-8f98-b632-0d96f30c8c8e and did a restart of the server, the output looked like this.
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware is vulnerable to rogue data cache load: True
Windows OS support for rogue data cache load mitigation is present: True
Windows OS support for rogue data cache load mitigation is enabled: True
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID performance optimization is enabled: True [not required for security]
Speculation control settings for CVE-2018-3639 [speculative store bypass]
Hardware is vulnerable to speculative store bypass: True
Hardware support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is enabled system-wide: True
Speculation control settings for CVE-2018-3620 [L1 terminal fault]
Hardware is vulnerable to L1 terminal fault: False
Speculation control settings for MDS [microarchitectural data sampling]
Windows OS support for MDS mitigation is present: True
Hardware is vulnerable to MDS: True
Windows OS support for MDS mitigation is enabled: True
Speculation control settings for SBDR [shared buffers data read]
Windows OS support for SBDR mitigation is present: True
Hardware is vulnerable to SBDR: True
Windows OS support for SBDR mitigation is enabled: True
Speculation control settings for FBSDP [fill buffer stale data propagator]
Windows OS support for FBSDP mitigation is present: True
Hardware is vulnerable to FBSDP: True
Windows OS support for FBSDP mitigation is enabled: True
Speculation control settings for PSDP [primary stale data propagator]
Windows OS support for PSDP mitigation is present: True
Hardware is vulnerable to PSDP: True
Windows OS support for PSDP mitigation is enabled: True
BTIHardwarePresent : True
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : True
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : False
BTIKernelRetpolineEnabled : False
BTIKernelImportOptimizationEnabled : False
RdclHardwareProtectedReported : True
RdclHardwareProtected : False
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled : True
SSBDWindowsSupportPresent : True
SSBDHardwareVulnerable : True
SSBDHardwarePresent : True
SSBDWindowsSupportEnabledSystemWide : True
L1TFHardwareVulnerable : False
L1TFWindowsSupportPresent : True
L1TFWindowsSupportEnabled : True
L1TFInvalidPteBit : 45
L1DFlushSupported : True
HvL1tfStatusAvailable : False
HvL1tfProcessorNotAffected : False
MDSWindowsSupportPresent : True
MDSHardwareVulnerable : True
MDSWindowsSupportEnabled : True
FBClearWindowsSupportPresent : True
SBDRSSDPHardwareVulnerable : True
FBSDPHardwareVulnerable : True
PSDPHardwareVulnerable : True
FBClearWindowsSupportEnabled : True
But my boss now says it's not fixed and I am not sure either. Can someone confirm or deny it?
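Since the question is whether the second output means the mitigations are actually in effect, here is an added example (not from the post and not part of Microsoft's module) that evaluates each mitigation by pairing its "hardware vulnerable" flag with its "Windows support enabled" flag, using the property names the module prints. The function name and the rule table are my own; the sample hashtable is constructed from the post's post-patch values, and a live object from Get-SpeculationControlSettings can be passed in the same way.

```powershell
# Added example: decide per mitigation whether it is needed and whether it is enabled.
# Property names are those printed by Get-SpeculationControlSettings; the rule table is an assumption.
function Test-SpeculationMitigations {
    param([Parameter(Mandatory)] $Settings)   # PSCustomObject from the module, or a hashtable with the same keys

    # Needed: the CPU is affected (a mitigation has to be on). Enabled: Windows reports it switched on.
    # The module has no "vulnerable" flag for BTI, so BTI is always treated as needed; RDCL counts as
    # needed unless the CPU reports itself hardware-protected, and KVA shadow is the deciding control.
    $rules = @(
        @{ Name = 'CVE-2017-5715 BTI';            Needed = $true;                                   Enabled = $Settings.BTIWindowsSupportEnabled }
        @{ Name = 'CVE-2017-5754 RDCL/KVA shadow'; Needed = (-not $Settings.RdclHardwareProtected);   Enabled = $Settings.KVAShadowWindowsSupportEnabled }
        @{ Name = 'CVE-2018-3639 SSBD';           Needed = $Settings.SSBDHardwareVulnerable;         Enabled = $Settings.SSBDWindowsSupportEnabledSystemWide }
        @{ Name = 'CVE-2018-3620 L1TF';           Needed = $Settings.L1TFHardwareVulnerable;         Enabled = $Settings.L1TFWindowsSupportEnabled }
        @{ Name = 'MDS';                          Needed = $Settings.MDSHardwareVulnerable;          Enabled = $Settings.MDSWindowsSupportEnabled }
        @{ Name = 'SBDR/FBSDP/PSDP (FB clear)';   Needed = ($Settings.SBDRSSDPHardwareVulnerable -or $Settings.FBSDPHardwareVulnerable -or $Settings.PSDPHardwareVulnerable);
                                                  Enabled = $Settings.FBClearWindowsSupportEnabled }
    )

    foreach ($r in $rules) {
        $needed  = [bool]$r.Needed
        $enabled = [bool]$r.Enabled
        if (-not $needed)  { $status = 'not needed' }
        elseif ($enabled)  { $status = 'mitigated' }
        else               { $status = 'OPEN' }
        [pscustomobject]@{ Mitigation = $r.Name; Needed = $needed; Enabled = $enabled; Status = $status }
    }
}

# Constructed sample: the relevant values from the post's second (post-restart) output.
$after = @{
    BTIWindowsSupportEnabled = $true
    RdclHardwareProtected = $false;    KVAShadowWindowsSupportEnabled = $true
    SSBDHardwareVulnerable = $true;    SSBDWindowsSupportEnabledSystemWide = $true
    L1TFHardwareVulnerable = $false;   L1TFWindowsSupportEnabled = $true
    MDSHardwareVulnerable = $true;     MDSWindowsSupportEnabled = $true
    SBDRSSDPHardwareVulnerable = $true; FBSDPHardwareVulnerable = $true; PSDPHardwareVulnerable = $true
    FBClearWindowsSupportEnabled = $true
}

$result = Test-SpeculationMitigations -Settings $after
$result | Format-Table -AutoSize
# Overall verdict: $true when nothing needed is still OPEN
$allMitigated = -not ($result | Where-Object Status -eq 'OPEN')
"All required mitigations enabled: $allMitigated"

# On the patched server itself (module from the GitHub link above already imported):
#   Test-SpeculationMitigations -Settings (Get-SpeculationControlSettings)
```

RdclHardwareProtected staying False after the patch is expected: it only says the CPU is not immune in hardware, which is exactly why KVA shadowing has to be (and now is) enabled. Running the same function against the first output would list every row except L1TF as OPEN, which matches the pentest finding.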