Sunday 14 January 2018

Intel's Meltdown and Spectre vulnerabilities


If you have not been living under a rock, you might have heard about Intel’s vulnerabilities called “Meltdown” and “Spectre”. In some cases, you may have to treat each vulnerability differently.  There is a lot of information out there, so I thought I would collect some information to help people understand it.

If you are interested in who discovered the bug, it was found by security researchers at Cyberus Technology, Google, and the Graz University of Technology.

Please see the link below from Google's security research team, Project Zero.

For the details of Meltdown and Spectre, please see the link below from the Graz University of Technology.

Microsoft has released a patch to resolve certain aspects of the vulnerabilities. The patch was released in January 2018. The operating system patch was released first, but you can now also download the Internet Explorer, Edge and SQL patches. Details of the patches and vulnerabilities can be found here:

At the time of writing there is no patch for Windows Server 2008 or Windows Server 2012.

Meltdown

For the Meltdown vulnerability, Microsoft initially had a lot of issues with the patch, as they found a lot of anti-virus programs making incorrect calls to kernel memory. The initial testing found a lot of devices blue screening.

You can find information below:

As stated in the article, you will need to check that you have the latest anti-virus software and that it is compatible with the patch. Otherwise, you will not get the update: within WSUS or SCCM, it will say that the update is not required. You will also not get future updates! If you are using Microsoft products you are in luck, as all their products are compatible.

“Windows Defender Antivirus, System Center Endpoint Protection, and Microsoft Security Essentials are compatible with the January 2018 security updates and have set the required registry key.”

For any third-party software, you will need to check whether the following key is set on the machine:

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD"
Data="0x00000000"

If it is not set, ensure you have the latest anti-virus software. In some cases you could set the registry key yourself; for example, Trend believes there are no issues and has advised setting the key manually to get the update.

Symantec has a bug which will create a new GUI every few seconds, which will take a large percentage of your CPU usage and cause it to freeze. It happened to me, and it is not fun. There should be a patch by the 17th of January.

To find out if your anti-virus program is compatible and has set the registry key, please see Kevin Beaumont's spreadsheet. Thanks Kev.

Spectre

Now to protect your servers from Spectre you will need to do the following:
  • Apply the Windows operating system update.
  • Make necessary configuration changes to enable protection.
  • Apply an applicable firmware update from the OEM device manufacturer
Update
The updates that are required, by operating system version (update KB):
  • Windows Server, version 1709 (Server Core Installation)
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012: Not available
  • Windows Server 2008 R2
  • Windows Server 2008: Not available

To enable protection you will need to run the following commands:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
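
To verify the result on a machine, the following added example (not from Microsoft or from the original post) reads back the QualityCompat compatibility value from the Meltdown section and the three values set by the commands above, and reports any that are missing, of the wrong type, or set to different data. It only reads the registry; the function name Test-MitigationRegistry is hypothetical and PowerShell 3.0 or later is assumed.

```powershell
# Added example: read-only audit of the registry values named in this post.
# Test-MitigationRegistry is a hypothetical name; assumes PowerShell 3.0 or later.
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
       Name = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'; Kind = 'DWord'; Data = '0' },
    @{ Path = $mm; Name = 'FeatureSettingsOverride';     Kind = 'DWord'; Data = '0' },
    @{ Path = $mm; Name = 'FeatureSettingsOverrideMask'; Kind = 'DWord'; Data = '3' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
       Name = 'MinVmVersionForCpuBasedMitigations'; Kind = 'String'; Data = '1.0' }
)

function Test-MitigationRegistry {
    param([Parameter(Mandatory)][hashtable[]]$Checks)
    foreach ($c in $Checks) {
        $state = 'key missing'; $actual = $null
        $key = Get-Item -LiteralPath $c.Path -ErrorAction SilentlyContinue
        if ($key) {
            if ($key.GetValueNames() -contains $c.Name) {
                $actual = $key.GetValue($c.Name)
                $kind   = $key.GetValueKind($c.Name)   # RegistryValueKind enum
                if ("$kind" -ne $c.Kind)       { $state = "wrong type ($kind)" }
                elseif ("$actual" -ne $c.Data) { $state = 'wrong data' }
                else                           { $state = 'ok' }
            } else {
                # The case that silently blocks the update when it is the QualityCompat value
                $state = 'value missing'
            }
        }
        [pscustomobject]@{
            Value = $c.Name; Expected = $c.Data; Actual = $actual; State = $state
        }
    }
}

$results = Test-MitigationRegistry -Checks $checks
$results | Format-Table -AutoSize
$bad = @($results | Where-Object { $_.State -ne 'ok' })
if ($bad.Count -gt 0) { Write-Warning "$($bad.Count) value(s) missing or not as expected" }
```
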
Firmware
To update your firmware, please see the following manufacturers' websites:

All the information from Microsoft can be found here:

Now there has been a lot of talk of performance degradation. This seems to be true; with just a quick search you can find some examples. Microsoft has acknowledged it:

Intel has completed some testing and shared their results:

Okay, this was just a quick post to point people in the right direction. Hopefully, this helps a few people understand what to do.
