Why is my Azure VM saying that I don't have hardware support for Meltdown and Spectre vulnerabilities?
I have been investigating the vulnerability relating to "Windows Speculative Execution Configuration Check", which includes CVEs: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754, that has been highlighted on our Vulnerability scanner for all of our Azure cloud hosted servers.
When running the PowerShell cmdlet Get-SpeculationControlSettings to check on the current status, I see that hardware support for the mitigations is not present, although Microsoft have suggested that they have already applied mitigations to all their cloud infrastructure. The recommended actions include BIOS and firmware updates, which are not applicable to Azure VMs.
Why are my servers showing that hardware is vulnerable when Microsoft have already applied mitigations to underlying hardware?
Should I ignore these vulnerabilities? (As these are Azure VMs, Microsoft have already made the necessary mitigations and remediation actions, although that isn't reflected on the Azure VMs when running that PowerShell command.)
Is there a separate PowerShell command specifically for Azure VMs that reflects that the host is a cloud hosted VM in Azure?
This is the output for one of the servers in question:
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: True
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware is vulnerable to rogue data cache load: True
Windows OS support for rogue data cache load mitigation is present: True
Windows OS support for rogue data cache load mitigation is enabled: False
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: False
Speculation control settings for CVE-2018-3639 [speculative store bypass]
Hardware is vulnerable to speculative store bypass: True
Hardware support for speculative store bypass disable is present: False
Windows OS support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is enabled system-wide: False
Speculation control settings for CVE-2018-3620 [L1 terminal fault]
Hardware is vulnerable to L1 terminal fault: False
Speculation control settings for MDS [microarchitectural data sampling]
Windows OS support for MDS mitigation is present: True
Hardware is vulnerable to MDS: True
Windows OS support for MDS mitigation is enabled: False
Speculation control settings for SBDR [shared buffers data read]
Windows OS support for SBDR mitigation is present: True
Hardware is vulnerable to SBDR: True
Windows OS support for SBDR mitigation is enabled: False
Speculation control settings for FBSDP [fill buffer stale data propagator]
Windows OS support for FBSDP mitigation is present: True
Hardware is vulnerable to FBSDP: True
Windows OS support for FBSDP mitigation is enabled: False
Speculation control settings for PSDP [primary stale data propagator]
Windows OS support for PSDP mitigation is present: True
Hardware is vulnerable to PSDP: True
Windows OS support for PSDP mitigation is enabled: False
Suggested actions
- Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
- Follow the guidance for enabling Windows Server support for speculation control mitigations described in https://support.microsoft.com/help/4072698
Thank you for your feedback on this
Sas
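As an added example (not the poster's code, and not Microsoft's SpeculationControl module), the script below parses the text that Get-SpeculationControlSettings prints into one status per CVE, separating the entries that are blocked by missing hardware support from the ones that the KB4072698 registry values govern, and then reads those registry values. The sample is the first two sections of the output quoted above; the live-capture command in the comment assumes PowerShell 5 or later, where Write-Host output can be redirected with 6>&1.

```powershell
# Added example, not the poster's or Microsoft's code: parse the text that
# Get-SpeculationControlSettings prints into one status per CVE and read the
# KB4072698 registry values behind "disabled by system policy". $sample is from
# the question; live capture (assumes PS 5+ Write-Host): Get-SpeculationControlSettings 6>&1 | Out-String
$sample = @'
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: True
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware is vulnerable to rogue data cache load: True
Windows OS support for rogue data cache load mitigation is present: True
Windows OS support for rogue data cache load mitigation is enabled: False
'@
function Get-Flag($Row, $Pattern) {       # first "...: True/False" line matching a wildcard
    $k = @($Row.Keys | Where-Object { $_ -like $Pattern })
    if ($k.Count) { [bool]$Row[$k[0]] } else { $false }
}
function ConvertFrom-SpeculationControlText {
    param([string]$Text)
    $rows = [ordered]@{}; $id = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^Speculation control settings for (\S+) \[(.+)\]') {
            $id = $Matches[1]; $rows[$id] = @{ Id = $id; Name = $Matches[2] }
        } elseif ($id -and $line -match '^(.+): (True|False)\s*$') {
            $rows[$id][$Matches[1]] = ($Matches[2] -eq 'True')
        }
    }
    foreach ($r in $rows.Values) {
        $osPresent = Get-Flag $r 'Windows OS support*is present'
        $osEnabled = Get-Flag $r 'Windows OS support*is enabled*'
        $noHw      = Get-Flag $r '*disabled by absence of hardware support'
        $policy    = Get-Flag $r '*disabled by system policy'
        $status = if ($osEnabled) { 'OS mitigation enabled' }
                  elseif ($noHw) { 'hardware support absent; a registry change cannot help' }
                  elseif ($policy -or $osPresent) { 'OS support present, not enabled: KB4072698 registry values govern this' }
                  else { 'no OS support present: install the Windows update' }
        [pscustomobject]@{ Id = $r.Id; Name = $r.Name; Status = $status }
    }
}
function Get-FeatureSettingsOverride {
    # KB4072698: Windows Server leaves these off until FeatureSettingsOverride=0 and FeatureSettingsOverrideMask=3 are set
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{ Override = $p.FeatureSettingsOverride; Mask = $p.FeatureSettingsOverrideMask }
}
ConvertFrom-SpeculationControlText $sample | Format-Table -AutoSize
Get-FeatureSettingsOverride
```

Run against the quoted output, the branch target injection row lands in the "hardware support absent" bucket and the rogue data cache load row in the "KB4072698 registry values govern this" bucket, which is the split a scanner finding against an Azure VM needs before deciding what is actionable from inside the guest.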