[Cross-Post] Intel/AMD/ARM CPU firmware vulnerability: “Speculative execution side-channel vulnerabilities” (Kernel Page Table Isolation (KPTI)).
CVE-2017-5753: bounds check bypass
CVE-2017-5715: branch target injection
CVE-2017-5754: rogue data cache load
“Speculative execution side-channel vulnerabilities” that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass
Note: Also known as the “Kernel Page Table Isolation” (KPTI) vulnerability.
Note 2: Also known as the “Meltdown attack”.
Note 3: Also known as the “Spectre attack”.
The Register’s Intel story from Jan. 3rd, 2018.
What’s impacted? These flaws affect hardware from multiple vendors across the industry.
Meltdown impacts only Intel*
Note: * As of now.
Spectre impacts Intel, AMD, and ARM.
And therefore the software running on top of that hardware (Windows, Linux, Android, Chrome, iOS, macOS).
Intel Corp. has released the following announcement:
Intel Responds to Security Research Findings
US Cert has released the following announcement:
AMD Corp. has released the following announcement:
An Update on AMD Processor Security
[PATCH] x86/cpu, x86/pti: Do not enable PTI on AMD processors
For a list of the announcements by hardware vendors, check out Chris Mills’ (Security PM) blog site:
Microsoft Security Advisory:
ADV180002 | Vulnerability in CPU Microcode Could Allow Information Disclosure
Microsoft Azure’s announcement:
Securing Azure customers from CPU vulnerability
Microsoft Windows and Windows Server related information:
4072699 Important information regarding the Windows security updates released on January 3, 2018 and anti-virus software
For a list of the announcements by AV vendors, check out Chris Mills’ (Security PM) site:
4073229 Protecting your device against chip-related security vulnerabilities
4073707 Windows operating system security update block for some AMD based devices
4073119 Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
4072698 Windows Server Guidance to protect against the speculative execution side-channel vulnerabilities
4073225 SQL Server Guidance to protect against speculative execution side-channel vulnerabilities
Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems
Summary: 5 steps:
1. Apply the CPU microcode (firmware) update from the OEM hardware manufacturer.
2. Check with your AV vendor for antivirus compatibility before installing the "Windows Update".
Note: Windows Defender Antivirus and SCEP are compatible.
3. Install the "Windows Updates" released on January 3rd, 2018.
4. Windows Server OSes need the software mitigations enabled explicitly (the client OS enables them by default):
- reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
- reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
5. On Hyper-V hosts, you will need to shut down (or live-migrate off) the guest VMs and add the following registry key on the Hyper-V host:
- reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
Q: Does the Host need to be patched first? Or is it ok to patch the VM first?
A: For the Windows patches, the order doesn't matter.
Q: What does the MinVmVersionForCpuBasedMitigations registry value do?
A: MinVmVersionForCpuBasedMitigations is the "minimum VM version that needs access to the updated firmware capabilities".
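To audit (and, with -Apply, set) the registry values from steps 4 and 5 above on a fleet of servers, here is an added PowerShell example; it is not part of the original post or of Microsoft's guidance, and the -Apply / -HyperVHost switches are this script's own assumptions. It must run elevated, and the values only take effect after a reboot.

```powershell
# Added example (not from the original post): audit/apply the Windows Server
# software-mitigation values (FeatureSettingsOverride=0, FeatureSettingsOverrideMask=3)
# and, on Hyper-V hosts, MinVmVersionForCpuBasedMitigations="1.0".
# Assumptions: runs elevated; -Apply and -HyperVHost are this script's own switches.
[CmdletBinding()]
param([switch]$Apply, [switch]$HyperVHost)

$mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

# Desired values taken directly from steps 4 and 5 of the post.
$desired = [System.Collections.Generic.List[hashtable]]::new()
$desired.Add(@{ Path = $mm; Name = 'FeatureSettingsOverride';     Type = 'DWord'; Value = 0 })
$desired.Add(@{ Path = $mm; Name = 'FeatureSettingsOverrideMask'; Type = 'DWord'; Value = 3 })
if ($HyperVHost) {
    $desired.Add(@{ Path = $virt; Name = 'MinVmVersionForCpuBasedMitigations'; Type = 'String'; Value = '1.0' })
    # Step 5 says guests must be shut down or migrated off before the host value is applied.
    $running = @(Get-VM -ErrorAction SilentlyContinue | Where-Object State -eq 'Running')
    if ($Apply -and $running.Count -gt 0) {
        Write-Warning ("{0} VM(s) still running; shut down or live-migrate them before applying." -f $running.Count)
        return
    }
}

foreach ($d in $desired) {
    $current = (Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
    $ok = ($null -ne $current) -and ("$current" -eq "$($d.Value)")
    $state = if ($ok) { 'OK' } elseif ($null -eq $current) { 'MISSING' } else { "WRONG (is $current)" }
    Write-Host ("{0,-40} {1}" -f $d.Name, $state)
    if (-not $ok -and $Apply) {
        if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        New-ItemProperty -Path $d.Path -Name $d.Name -PropertyType $d.Type -Value $d.Value -Force | Out-Null
        Write-Host '  -> set; reboot required for the mitigation to take effect'
    }
}
```

Running it without switches only reports the state, so it is safe to use as a read-only check before and after patching.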
Protecting guest virtual machines from CVE-2017-5715 (branch target injection)
Surface hardware related information:
4073065 Surface Guidance for Customers and Partners: Protect your devices against the recent chip-related security vulnerability
The Windows and Windows Server related hotfixes are available here:
Windows 10 1709 and Windows Server 1709 (a.k.a. Fall Creators Update, codename RS3):
4056892 January 3, 2018—KB4056892 (OS Build 16299.192)
2018-01 Update for Windows 10 Version 1709 (KB4058702)
Windows 10 1703 and Windows Server 1703 (a.k.a. Creators Update, codename RS2):
4056891 January 3, 2018—KB4056891 (OS Build 15063.850)
Windows 10 version 1607 and Windows Server 2016 (a.k.a. Anniversary Update, codename RS1):
4056890 January 3, 2018—KB4056890 (OS Build 14393.2007)
Windows 10 version 1511 (a.k.a. November Update, codename TH2):
4056888 January 3, 2018—KB4056888 (OS Build 10586.1356)
2018-01 Cumulative Update for Windows 10 Version 1511 (KB4056888)
Windows 10 version 1507 (a.k.a. RTM, codename TH1):
4056893 January 3, 2018—KB4056893 (OS Build 10240.17738)
2018-01 Cumulative Update for Windows 10 Version 1507 (KB4056893)
Windows 8.1 and Windows Server 2012 R2:
4056898 January 3, 2018—KB4056898 (Security-only update)
2018-01 Security Only Quality Update for Windows Server 2012 R2 (KB4056898)
Windows 7 SP1 and Windows Server 2008 R2:
4056897 January 3, 2018—KB4056897 (Security-only update)
2018-01 Security Only Quality Update for Windows Server 2008 R2 (KB4056897)
My PFE peers:
- Ralph Kyttle wrote the following PoSh (PowerShell) DSM:
Verifying Spectre / Meltdown protections remotely
- Ken Wygant wrote and shared the following SCCM DCM baseline, and it’s available for download here:
has been replaced with:
Speculation Execution Side-Channel Vulnerabilities Configuration Baseline
P.S. Other ISVs impacted by the issue:
Processor Speculative Execution Research Disclosure
Kernel Side-Channel Attacks - CVE-2017-5754 CVE-2017-5753 CVE-2017-5715