With all the latest news and updates on the Spectre and Meltdown CPU bugs, it’s sometimes hard to get the right information on the table. Patches are provided (and in some cases withdrawn again) by software and hardware vendors. Some patches are deployed automatically as part of an automated update mechanism, while others require manual intervention.
In the end you want to verify whether you have applied the available patches correctly. There are some test/verification scripts available that can help you with this, and I will present some of them in this article.
For Microsoft Windows there is a PowerShell module available. Installation is straightforward:
Running the test is even simpler:
# Save the current execution policy so it can be reset
$SaveExecutionPolicy = Get-ExecutionPolicy
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
Import-Module SpeculationControl
Get-SpeculationControlSettings
# Reset the execution policy to the original state
Set-ExecutionPolicy $SaveExecutionPolicy -Scope CurrentUser
The test cmdlet will provide you with the following information:
Details are included on:
- whether the patch is applied to the Windows OS;
- whether the patch is enabled on the Windows OS;
- whether the patch is active on the Windows OS.
For the exact interpretation of the results, please refer to Microsoft support article 4074629. For patching Windows Server OSes I refer to support article 4072698, which contains links to the available KBs for the different Windows Server versions. Note that there is currently no patch available for Windows Server 2008 and 2012. You can download the patch for your OS from the Microsoft Update Catalog (in my experience the patches were not deployed automatically); the links are in article 4072698.
For Linux, a test shell script can be downloaded using wget:
$ cd /tmp/
$ wget https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh
Another option is to get the script through git:
$ git clone https://github.com/speed47/spectre-meltdown-checker.git
Run the script:
$ sudo sh spectre-meltdown-checker.sh
And you will get the following result:
The patch procedure depends on the distribution you use. More information here.
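Besides the checker script, the kernel itself reports its mitigation status: since Linux 4.15 there is one file per issue under /sys/devices/system/cpu/vulnerabilities/, each reading "Not affected", "Vulnerable…" or "Mitigation: …". The following POSIX shell script is an added example (not part of the original post or of the spectre-meltdown-checker project) that turns those files into a short pass/fail summary. The directory is a parameter so the same function can be run against a constructed copy; the sample files created by make_sample_dir are invented for the demo and are not real output from any host.

```shell
#!/bin/sh
# Summarise the kernel's speculative-execution mitigation status from sysfs.
# Default location (Linux 4.15+); override with VULN_DIR for testing.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Print one "name<TAB>status<TAB>detail" line per file. Status is one of
# NOT_AFFECTED, MITIGATED, VULNERABLE or UNKNOWN. Returns 2 if the directory
# is missing (older kernel without sysfs vulnerability reporting).
report_mitigations() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "no sysfs vulnerability reporting at $dir (kernel too old?)" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        detail=$(cat "$f" 2>/dev/null)
        case "$detail" in
            "Not affected"*) status=NOT_AFFECTED ;;
            Mitigation:*)    status=MITIGATED ;;
            Vulnerable*)     status=VULNERABLE ;;
            *)               status=UNKNOWN ;;
        esac
        printf '%s\t%s\t%s\n' "$name" "$status" "$detail"
    done
}

# Number of issues that are still VULNERABLE or UNKNOWN (treat unknown as unmitigated).
count_unmitigated() {
    report_mitigations "$1" | awk -F'\t' '$2=="VULNERABLE" || $2=="UNKNOWN" {n++} END {print n+0}'
}

# Print the report and return 0 only when nothing is left unmitigated.
check_host() {
    dir="${1:-$VULN_DIR}"
    report_mitigations "$dir" || return $?
    n=$(count_unmitigated "$dir")
    if [ "$n" -eq 0 ]; then
        echo "OK: all reported issues are mitigated or not applicable"
        return 0
    fi
    echo "WARNING: $n issue(s) still unmitigated on this kernel" >&2
    return 1
}

# Constructed sample directory (invented values, not captured from a real host).
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

# Usage: "sh check-mitigations.sh run" checks this host,
#        "sh check-mitigations.sh demo" runs against the constructed sample.
case "${1:-}" in
    run)  check_host ;;
    demo) check_host "$(make_sample_dir)" ;;
esac
```

The exit code (0 mitigated, 1 unmitigated, 2 no reporting available) makes the script usable from a configuration-management or monitoring job, so a host that was rebooted into an older kernel after patching shows up as a failure rather than silently passing.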
The first function verifies both the ESXi hosts and the VMs and provides the output from the VM’s point of view. The second function only verifies that the ESXi microcode update has been applied (this could have come from a hardware vendor BIOS/firmware update, but as mentioned earlier it is also bundled with the ESXi patch (source)).
Note that, for now, the microcode updates (deployed through the BIOS/firmware) have been withdrawn because of a bug.
Download the script here and run it (PowerCLI needs to be installed):
Connect-VIServer vcenter.viktorious.local
. .\VerifyESXiMicrocodePatch.ps1
Verify-ESXiMicrocodePatchAndVM
Verify-ESXiMicrocodePatch
The result will look like this:
For more information about this script, please continue reading on William’s website. Information on the available VMware patches is published in the following knowledge base articles and security advisories: KB 52245 (read this one first), KB 52345 (about the pulled patches), KB 52085 (also about the pulled patches), VMSA-2018-0002 and VMSA-2018-0004.