Meltdown and Spectre (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754)

To scan for and report on the Meltdown and Spectre vulnerabilities, complete the following steps.

Create a custom scan template that checks for each of the CVE IDs

There are currently three IDs associated with these vulnerabilities:

  • CVE-2017-5715
  • CVE-2017-5753
  • CVE-2017-5754

In the Security Console, open the menu and click the Administration tab. Under Scan Options and next to Templates, click Manage. Browse to the Full audit enhanced logging without Web Spider template and click the stacked page icon on the right side of your screen. This will copy the scan template for your use.

TIP

Give your scan template a name so that it can be easily identified.

Add individual checks to the template

On the Scan Template Configuration screen, click the Vulnerability Checks tab. Under Selected Checks, expand the By Individual Check option. Click the Add Checks button. The Search for Vulnerability Checks window will appear.

NOTE

The following search procedure must be completed for each individual CVE ID. This will ensure that all relevant vulnerability checks are included in the scan template.

  1. Enter one CVE ID in the text field (including all hyphens). Make sure the Include all words in each result box is checked. Click Search. A list of vulnerability checks will display.
  2. Click the master check box (located just to the left of the Vulnerability Check column label). This will select all checks that were returned by your search criteria.
  3. At the bottom of the window, click Save.
  4. Repeat these steps for all other individual CVE IDs, if necessary.

IMPORTANT

When repeating the process for multiple CVE IDs, you may see some overlap in the number of vulnerability checks that are associated with each. As a result, subsequent searches might show several vulnerability checks that are already selected. Always reapply the master check box at the top of the list when running additional searches.

This will ensure that vulnerability checks unique to that CVE ID are selected. Checks that were already added earlier will not be double-counted.

Remove all checks by category and type

Now that the template is configured for specific vulnerability checks, all other default checks can be removed. Complete the following steps for both the By Category and By Check Type dropdowns:

  1. Expand the dropdown. Click the Remove (Categories or Check Types) button.
  2. Click the master check box to select all rows.
  3. At the bottom of the window, click Save.

This will ensure that only the individual checks are loaded for scanning.

Create a Dynamic Asset Group (DAG) for assets vulnerable to this attack

On the Home screen of the Security Console, scroll to the Asset Groups window. Click the New Dynamic Asset Group button. The Filtered Asset Search screen will be shown. Specify the 'CVE ID' 'is' filter for each of the required CVE IDs:

  • 'CVE ID' 'is' CVE-2017-5715
  • 'CVE ID' 'is' CVE-2017-5753
  • 'CVE ID' 'is' CVE-2017-5754

Adjust the Match dropdown to show "(any) of the specified filters."

Click Search. Click Create Asset Group to save a DAG based on the filter criteria.

REQUIREMENT

Credentials are required for this scan. Make sure that credentials have been added to the site configuration before scanning.

Create a SQL report to list assets affected by any of the CVE IDs

Click the Reports tab in the Security Console. Under Template, select the Export tab. Browse to and select SQL Query Export. Click the field below SQL Query Export Configuration. The Define a SQL Query window will appear.

Input the following query:

sql
1
SELECT da.ip_address AS "IP Address", da.host_name AS "Host Name", dv.title AS "Title", dv.description AS "Description", dv.severity AS "Severity"
2
FROM dim_vulnerability dv
3
JOIN dim_asset_vulnerability_solution das USING(vulnerability_id)
4
JOIN dim_asset da USING(asset_id)
5
WHERE title ILIKE '%2017-5715%' OR title ILIKE '%2017-5754%' OR title ILIKE '%2017-5753%'

Click Validate to make sure the query was input correctly. You can also retrieve the first ten records with the Preview button, if desired. Click Done.

Finally, give the SQL report a name and select the desired scope. Click Save & Run the Report. You can also choose to save the report to be run at a later time.

For more information on the Meltdown and Spectre vulnerabilities, please see our blog post:

https://blog.rapid7.com/2018/01/04/meltdown-and-spectre-what-you-need-to-know-cve-2017-5715-cve-2017-5753-cve-2017-5754/