ionescu007 / specucheck

SpecuCheck is a Windows utility for checking the state of the software mitigations and hardware against CVE-2017-5754 (Meltdown), CVE-2017-5715 (Spectre v2), CVE-2018-3260 (Foreshadow), and CVE-2018-3639 (Spectre v4)

C 100.00%
meltdown spectre intelbug kernel windows internals cpu kaiser kpti

specucheck's People

Contributors

ionescu007, oceanbt, revolter, xpirt

specucheck's Issues

verify Foreshadow CVE?

"SpecuCheck is a Windows utility for checking the state of the software mitigations and hardware against CVE-2017-5754 (Meltdown), CVE-2017-5715 (Spectre v2), CVE-2018-3260 (Foreshadow), and CVE-2018-3639 (Spectre v4)"

Foreshadow is covered by CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646 I believe.

A Google search for this ID basically all points back to here in one form or another.
https://www.google.com/search?q=%22CVE-2018-3260%22&oq=%22CVE-2018-3260%22&aqs=chrome..69i57.607j0j4&sourceid=chrome&ie=UTF-8

Can you point to the CVE-2018-3260 provenance? Thanks!

Not being able to query the ntdll information means automatically that the vulnerability exists?

I tried to run the binary on a Windows 8.1 and 10 x64 (also compiled it myself) and it is failing with the error:
Your system either does not have the appropriate patch, or it may not support the information class required.

At line: https://github.com/ionescu007/SpecuCheck/blob/master/specucheck.c#L225
the query fails with error code -3.

From where can you deduce with certainty that the vulnerability is there? From the fact that all Windows versions had all the vulnerabilities?

If so, the code stops at the first check. Isn't it possible that the second vulnerability has been patched already? In this case, wouldn't it be better to have the result for the second check if the first one failed?

Thank you,
Adrian Vladu
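
The failure handling this issue asks about, as an added example (not SpecuCheck's code): each information class is queried on its own, and a rejected query is recorded as "not reported" rather than ending the run or being read as proof that the system is vulnerable. `query_fn`, `classify`, `run_checks` and the stub are hypothetical names, the stub's flag value is constructed, and the single 32-bit flags word simplifies the structures that the real NtQuerySystemInformation call fills in.

```c
#include <stdint.h>
#include <stdio.h>

/* NTSTATUS codes and information class numbers as defined by Windows. */
#define STATUS_SUCCESS                      0x00000000u
#define STATUS_NOT_IMPLEMENTED              0xC0000002u
#define STATUS_INVALID_INFO_CLASS           0xC0000003u
#define SystemKernelVaShadowInformation     196
#define SystemSpeculationControlInformation 201

typedef enum { CHECK_OK, CHECK_UNSUPPORTED, CHECK_ERROR } check_state;
typedef struct { const char *cve; int info_class; check_state state; uint32_t flags; } check;
/* Hypothetical query signature; on Windows this would wrap NtQuerySystemInformation. */
typedef uint32_t (*query_fn)(int info_class, uint32_t *flags);

/* A failed query means "unknown", never "vulnerable": separate the case where the
 * kernel does not know the class (no patch, or unsupported) from other errors. */
check_state classify(uint32_t status) {
    if (status == STATUS_SUCCESS) return CHECK_OK;
    if (status == STATUS_INVALID_INFO_CLASS || status == STATUS_NOT_IMPLEMENTED)
        return CHECK_UNSUPPORTED;
    return CHECK_ERROR;
}

/* Query every class; one failure does not stop the rest. Returns how many answered. */
int run_checks(query_fn query, check *checks, int count) {
    int answered = 0;
    for (int i = 0; i < count; i++) {
        checks[i].flags = 0;
        checks[i].state = classify(query(checks[i].info_class, &checks[i].flags));
        if (checks[i].state == CHECK_OK) answered++;
    }
    return answered;
}

/* Constructed stub: the first class is rejected, the second one is answered. */
uint32_t stub_query(int info_class, uint32_t *flags) {
    if (info_class == SystemSpeculationControlInformation) { *flags = 0x1; return STATUS_SUCCESS; }
    return STATUS_INVALID_INFO_CLASS;
}

int main(void) {
    check checks[] = {
        { "CVE-2017-5754", SystemKernelVaShadowInformation,     CHECK_ERROR, 0 },
        { "CVE-2017-5715", SystemSpeculationControlInformation, CHECK_ERROR, 0 },
    };
    const char *names[] = { "answered", "not reported by this kernel", "query error" };
    int answered = run_checks(stub_query, checks, 2);
    for (int i = 0; i < 2; i++)
        printf("%s: %s (flags=0x%x)\n", checks[i].cve, names[checks[i].state], (unsigned)checks[i].flags);
    return answered > 0 ? 0 : 1;
}
```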

Your system either does not have the appropriate patch

 C:\Users\Alex>D:\downloads\SpecuCheck.exe
SpecuCheck v1.0.0 -- Copyright (c) 2018 Alex Ionescu
http://www.alex-ionescu.com - @aionescu
----------------------------------------------------

Your system either does not have the appropriate patch, or it may not support the information class required.
 
C:\Users\Alex>

windows 7 sp1 64bit, AMD 6 core CPU

Allow redirection to file / support output file command

The EXE does not write anything to an output file if I redirect output to a file on the command line. Any way you can allow this or add an option to write plain text results to a file? This would ease scripting. Thanks!

KB4078130

Triggered by Intel Microsoft tried to amuse us with KB4078130, it's apparently a 25 KB exe doing something on Windows 7/8.1/10. Whatever it does, it's not listed as installed after running it, wmic qfe list full|find "HotFixID=KB4078130" yields nothing, and the output of specucheck apparently isn't affected by it.

Iff you know a way to detect this beast (must be in the registry) and it would take less than the proverbial five minutes to add it as feature to specucheck, please do.

Build with Visual Studio 2017? cannot link with ntdllp.lib

README does not specify Visual Studio version. I found this WILL build with Visual Studio 2017, but that you need the Win10 DDK installed, I get a "cannot open input file ntdllp.lib" error. I found this file in the Win10 SDK.

Anyone wanting to build this from sources with VS 2017, here are steps:

  1. install Windows 10 device driver kit (after installing vs 2017, with C++ option selected)

  2. either copy ntdllp.lib manually into your solution folder, or better yet, add the proper DDK library folders to your library search path.

red and green output in win7

In Windows 7 cmd there is no color, just black and white.
So it is difficult to see if "yes" or "no" is a good status.

Is it possible to extend each line with "(safe)" or "(insecure)"?

thx

Not legacy for me ;)

This is not an issue - rather I wanted to say that this project is useful even beyond Microsoft's officially supported PowerShell modules, as Install-Module requires at least PowerShell 3.0 which not all of my Windows servers support, so this EXE provides a nice method to check the status without having to worry about incompatibilities if I install WMF 3.0 or higher. Thank you for it! ;)

32-bit version does not work on 64-bit Win10 1703

I tried to use SpecuCheck on 64-bit Windows 10 Pro 1703 (build 15063.850) with KB4056891 installed. The latest SpecuCheck v1.0.4 (which is released only as a 32-bit binary) fails to show any information about the Spectre vulnerability:

SpecuCheck v1.0.4   --   Copyright(c) 2018 Alex Ionescu
https://ionescu007.github.io/SpecuCheck/  --  @aionescu
-------------------------------------------------------

Mitigations for CVE-2017-5754 [rogue data cache load]
-------------------------------------------------------
[-] Kernel VA Shadowing Enabled:                    yes
 ├───> with User Pages Marked Global:               yes
 └───> with PCID Flushing Optimization (INVPCID):    no

Your system either does not have the appropriate patch, or it may not support the information class required.

Version 1.0.3 and the 32-bit version 1.0.2 also show the same error. However, the 64-bit SpecuCheck v1.0.2 works properly on this system:

SpecuCheck v1.0.2 -- Copyright (c) 2018 Alex Ionescu
http://www.alex-ionescu.com - @aionescu
----------------------------------------------------

Mitigations for CVE-2017-5754 [rogue data cache load]
-----------------------------------------------------
Kernel VA Shadowing Enabled: yes
Kernel VA Shadowing with User Pages Marked Global: yes
Kernel VA Shadowing with PCID Support: no
Kernel VA Shadowing with INVPCID Support: no

Mitigations for CVE-2017-5715 [branch target injection]
-------------------------------------------------------
Branch Prediction Mitigations Enabled: no
Branch Prediction Mitigations Disabled due to System Policy: no
Branch Prediction Mitigations Disabled due to No Hardware Support: yes
CPU Supports Speculation Controls: no
CPU Supports Speculation Commands: no
IBRS Speculation Control Present: no
STIBP Speculation Command Present: no
Supervisor Mode Execution Prevention Present: no

(The CPU is i5-2300, which supports PCID without INVPCID, and does not have the required microcode update.)

The release notes for 1.0.3 say "the WoW64 subsystem supports this system call"; apparently this is not the case at least for Windows 10 version 1703.

No PCID/INVPCID support on a CPU that has these features

I apologize if this is the wrong place to ask this, I don't know where else to go with this question.

For me on W7x64 with i7-4710HQ your very helpful utility shows that Kernel VA Shadowing is enabled with no PCID/INVPCID support:

[-] Kernel VA Shadowing Enabled:                    yes
 ├───> with User Pages Marked Global:               yes
 ├───> with PCID Support:                            no
 └───> with INVPCID Support:                         no

But according to a HWiNFO report on my PC and also other resources I can see that both these features are supported on my CPU.

Is it just a case of MS focusing their resources atm on fully supporting modern processors in their patches, or is there no hope that a later update would extend these KVAS optimizations for older CPUs?

my cpu too old?

Hi, I (Win7, 64 - not yet patched) just dld SpecuCheck.exe and started it in the admin console and got this:

SpecuCheck v1.0.3 -- Copyright(c) 2018 Alex Ionescu
https://ionescu007.github.io/SpecuCheck/ -- @aionescu


Your system either does not have the appropriate patch, or it may not support the information class required.

My CPU is quite old: Intel(R) Core(TM)2 Extreme CPU Q9300 @ 2.53GHz
It should be among the problematic bunch of Intel CPUs. :(
Am I doing something wrong?

PCID

I'm seeing PCID on "no" with a CPU (i5-2500k) that absolutely supports it (MS's script agrees with your program).

Coreinfo confirms that it is there, however, which should eliminate it being a firmware issue.

This occurs either on the latest Windows Insider build or Windows 1709 (with the latest CU).

Is there a Windows setting, perhaps, to enable PCID (and INVPCID, for that matter)?
