Updated – 1/19/2018 – 9:25am – Added Hyper-V, Guest Virtual Machines information and HPE has revoked the 2.54 BIOS Update!
Happy New Year folks!
We started the new year with a big surprise in terms of security. As you may have read the news that certain processors are vulnerable to certain attacks. It’s very rare that processors are vulnerable, but unfortunately, attackers are constantly looking for any window to jump in.
This vulnerability is known as Speculative Execution Side-Channel Vulnerabilities (Meltdown and Spectre) which they refer to a hardware bug in the CPU which also affects a wide variety of Operating Systems including Windows (Server & Client), Android, Chrome, iOS and MacOS. Yes, all operating systems!
Intel also isn’t the only vendor affected. One vulnerability, named Spectre, was found in AMD and ARM-based chips, too. The other vulnerability, dubbed Meltdown, was found mostly in Intel processors as far back as 1995; it’s unclear whether AMD or ARM-based chips have the same problem.
This flaw involves two vulnerabilities that can be used to steal your passwords, emails, and any other sensitive data you have on your computer, according to the security researchers who uncovered the bugs.
In this post, I will share with you all the information that I gathered during my research, and what you want to do to protect against the speculative execution side-channel vulnerabilities for Windows OS.
The Microsoft Security Response Center (MSRC) has responded quickly and released several updates to help mitigate these vulnerabilities. The good news is, Microsoft has not received any information to indicate that these vulnerabilities have been used to attack customers at this time. However, Microsoft continues to work closely with industry partners including chip CPU makers, hardware OEMs, and app vendors to protect customers.
To address these issues, Microsoft has worked in partnership with the hardware industry to develop mitigations and guidance.
So what are the recommended actions to mitigate against the speculative execution for Windows Server, Windows Client, and Microsoft Azure.
- If you are running an antivirus (AV) on your machine, you need to verify you are running a supported AV application before you install OS or firmware updates. Check with your antivirus software vendor for any compatibility issue. As of this writing, the community has made a spreadsheet for Windows antivirus patch compatibility – until AV vendors add support you remain vulnerable.
- Microsoft recommends installing a supported Anti-Virus application, because customers will NOT receive these security updates and will not be protected from security vulnerability unless their Anti-Virus software vendor sets the following registry key. You can find more information here. Note: The following registry key is required on Windows Server and Windows Client no matter if you have Anti-Virus or not. Microsoft is also pushing this AV Reg key via Definition Update for Windows Defender Antivirus.
Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD”
- You need to make sure to apply all available Windows operating system updates including the January 2018 Windows security updates. This update will be downloaded and installed automatically from Windows Update. To get the standalone package for this update, you need to check which Windows 10 and Windows Server version are you running, then you need to download the appropriate version based on your processor architecture (x86/x64/ ARM64):
- If you are running an older Windows version, please check here:
- And the most important part of this protection is to apply the applicable firmware (BIOS/UEFI) update provided by your device manufacturer. Because the microcode is delivered through a firmware update. Please consult with your device manufacturer about the firmware version that has the appropriate update for your CPU. Customers who only install the Windows January 2018 security updates will not receive the benefit of all known protections against the vulnerabilities. In addition to installing the January security updates, a processor microcode, or firmware, update is required. The good news is, Microsoft has started to provide UEFI updates via Windows Update for their entire Surface devices such as (Surface Pro, Surface Book, Surface Studio, Surface Laptop). The bad news is, many OEM vendors did not release the fix yet. Still too early, all vendors have to take time to develop this fix. And fixies will probably slow machines down! Hewlett-Packard Enterprise (HPE) has released a document which includes the list of all HPE ProLiant servers affected by this vulnerability. This document is subject to change and will be updated as soon as more details are available. HPE has revoked the 2.54 Bios update for the DL380 Gen9 because of “Quality Issues”.
- What about if you are running your workloads in Azure. Microsoft has already deployed mitigations across the majority of cloud services and is accelerating efforts to complete the planned maintenance. More details are available here.
- What about Windows-based virtual machines that are running on-premises, in Azure Stack or in Microsoft Azure? Users should continue to apply security best practices for their VM images, and apply all available operating system updates to the VM images. Contact the vendor of your operating systems for updates and instructions, as necessary. For Windows VM customers, guidance has now been published and is available in this Security Update Guide.
- If you are running Windows Server with any of the following roles, you need to enable the mitigation in the registry settings to help protect against speculative execution side-channel vulnerabilities. The following registry keys are only needed for Windows Servers.
- Hyper-V Hosts. Please note that live migration between patched and unpatched hosts may fail. Please check this guidance for more information to protect guest virtual machines.
- Remote Desktop Services Hosts (RDSH)
- Physical hosts or virtual machines that are running “untrusted code” such as containers or untrusted extensions for database, untrusted web content or workloads that run code that is provided from external sources.
# To Enable the fix reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f # If this is a Hyper-V host: fully shutdown all Virtual Machines. # Restart the server for changes to take effect. # To Disable this fix reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f # Restart the server for the changes to take effect. # Note: There is no need to change MinVmVersionForCpuBasedMitigations.
- Microsoft also released and published a script to the PowerShell Gallery called (SpeculationControl) that will help customers to verify if they are protected against this vulnerability. What you want to do is to fire up Windows PowerShell as administrator and run the following command:
# Install the PowerShell module Install-Module SpeculationControl # Run the PowerShell module to validate protections are enabled Get-SpeculationControlSettings
When I ran this script on my HP ELITEBOOK before installing KB4056892, I received the following output showing that I am NOT protected.
After I installed the lasted Windows security updates, I received a different output with OS kernel protection is present, but I am still not protected, because HP did not release the appropriate firmware for my device yet!
Please consult with the vendor of your operating systems for updates and instructions, as needed. And don’t forget to patch Anti-Virus, OS and Firmware! Until OEM vendors add support for their processors you remain vulnerable.
Until then… Stay safe!