* Information to assess the risk (CPU, Hyper-V, Terminal Server, Docker)
* Information for troubleshooting (Hardware Manufacturer and Model, Registry Keys, Uptime, Installed Hotfixes, ...)
It requires `PowerShell 2.0 or later` and `PSRemoting` enabled on remote systems.
The script includes [Get-SpeculationControlSettings](https://www.powershellgallery.com/packages/SpeculationControl/1.0.2/Content/SpeculationControl.psm1) from Microsoft and [Invoke-Parallel](https://github.com/RamblingCookieMonster/Invoke-Parallel) from [RamblingCookieMonster](https://github.com/RamblingCookieMonster). All credits for these functions go to them. Thank you!
This highly relies on the information from [Spectre still unfixed, unlike what Intel says](https://gist.github.com/woachk/2f86755260f2fee1baf71c90cd6533e9) and [CPU security bugs caused by speculative execution](https://github.com/marcan/speculation-bugs/blob/master/README.md). I highly recommend to read them.
*Note: Not every mitigation, especially for CVE-2017-5753, is of the same quality. As the root cause relies in the CPU, all these mitigations are not really a **fix** to the actual problem. Mitigation means, it's "more difficult to exploit", and not every mitigation makes it equally difficult. The report only knows `true` or `false` for the mitigation. `true` is usually considered as "as good mitigated as currently possible"*
Is `true` if CVE-2017-5754 mitigated if `KVAShadowRequired` is `false`, or if both, `KVAShadowWindowsSupportPresent` and `KVAShadowWindowsSupportEnabled` are `true`. The test are actually done by [Get-SpeculationControlSettings](https://www.powershellgallery.com/packages/SpeculationControl/1.0.2/Content/SpeculationControl.psm1)].
Is `true` if `BTIHardwarePresent`, `BTIWindowsSupportPresent`, and `BTIWindowsSupportEnabled` are `true`. The test are actually done by [Get-SpeculationControlSettings](https://www.powershellgallery.com/packages/SpeculationControl/1.0.2/Content/SpeculationControl.psm1)]
The list of updates was obtained from [ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002).
The list of updates was obtained from [ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002).
Also see [Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer](https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/) for details.
Is `empty` if IE was not found.
### CVE-2017-5753 mitigated in Chrome (aka Spectre Variant 1)
Is `true` if `C:\Program Files (x86)\Google\Chrome\Application\chrome.exe` is version >=64, or 63 and `Site Isolation` is enabled by policy.
See [Google’s Mitigations Against CPU Speculative Execution Attack Methods](https://support.google.com/faqs/answer/7622138), [Actions Required to Mitigate Speculative Side-Channel Attack Techniques](https://www.chromium.org/Home/chromium-security/ssca) for details.
Read more about [Site Isolation](https://www.chromium.org/Home/chromium-security/site-isolation) and enable if desired as follows:
`HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\SitePerProcess` is `1`.
See also [Policy List/SitePerProcess](https://www.chromium.org/administrators/policy-list-3#SitePerProcess).
Is `empty` if Chrome was not found.
### CVE-2017-5753 mitigated in Firefox (aka Spectre Variant 1)
See [Mitigations landing for new class of timing attack](https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/) for details.
*Note: Mozilla has not released a fully patched version of Firefox ESR. However, the ESR is less susceptible to Spectre than the Rapid release. The Spectre vulnerability mitigation is due with the release of ESR 52.6.0 (expected 1/23/18.) See [Mitigations landing for new class of timing attack](https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/) for details*
BTI is *Branch Target Injection* as described in [CVE-2017-5715](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715) alias [Spectre](https://spectreattack.com/) (Variant 2).
KVA or Kernel VA (also known as KPTI (Kernel page-table isolation) or KAISER) removes the mapping of kernel memory in user space process and thus mitigates the practical explotation of [CVE-2017-5754](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754) alias [Meltdown](https://meltdownattack.com/).
As per [Windows Server guidance to protect against speculative execution side-channel vulnerabilities](https://support.microsoft.com/help/4072698
):
> Customers need to enable mitigations to help protect against speculative execution side-channel vulnerabilities.
>
> Enabling these mitigations may affect performance. The actual performance impact will depend on multiple factors, such as the specific chipset in your physical host and the workloads that are running. Microsoft recommends that customers assess the performance impact for their environment and make necessary adjustments.
`OSMitigationRegKeySet` is `true` if the values for the registry key `Memory Management` are set as required, i.e. `FeatureSettingsOverride` is `0` and `FeatureSettingsOverrideMask` is `3`.
As per [Important information regarding the Windows security updates released on January 3, 2018 and anti-virus software](https://support.microsoft.com/help/4072699), the security updates are only installed, if the registry value `cadca5fe-87d3-4b96-b7fb-a231484277cc` is present in `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat`.
The value is either set by the the installed Anti-Virus, or must be set manually if no Anti-Virus is installed.
To add the value manually, you can use the following line of PowerShell:
If Hyper-V is installed, an additional Registry value has to be taken care of.
`MinVmVersionForCpuBasedMitigations` is the value of the minimum supported VM version for CVE-2017-5715 fix of VM guests. If Hyper-V is not active, it's `empty`.
From [Protecting guest virtual machines from CVE-2017-5715 (branch target injection)](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms)
> By default, virtual machines with a VM version below 8.0 will not have access to updated firmware capabilities required to mitigate CVE-2017-5715. Because VM version 8.0 is only available starting with Windows Server 2016, users of Windows Server 2012 R2 or earlier must modify a specific registry value on all machines in their cluster.
To give every VM version access to the updated firmware capabilities, you can use the following PowerShell code:
```powershell
if ((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization' -ErrorAction SilentlyContinue).MinVmVersionForCpuBasedMitigations) {
*Note: A cold reboot of each VM is required. Rebooting the OS from inside the Guest is not sufficient to make the setting effective. You have to Turn the machine off and on again.
This can be considered as the Hyper-V Guest equivalent to "microcode CPU update from hardware OEM".