Hi,
We are running Windows 2016 VMs on ESXi 6.7 servers on Lenovo hardware. We patch everything very often. Now we have a Qualys agent scanning our VMs.
One of the items that pops up is the Spectre/Meltdown issues.
I was sure this was not an issue anymore since we patch the hypervisors, Windows and the hardware very often. I have upgraded the VM hardware version to 11.x and we have patched the Lenovo servers' firmware and BIOS. However, I cannot find what there is left to do.
When I run the PowerShell script, this pops up. I have enabled all the registry items that I thought were applicable for me, but no success.
For more information about the output below, please refer to https://support.microsoft.com/help/4074629
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: True
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: False
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: False
Speculation control settings for CVE-2018-3639 [speculative store bypass]
Hardware is vulnerable to speculative store bypass: True
Hardware support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is enabled system-wide: True
Speculation control settings for CVE-2018-3620 [L1 terminal fault]
Hardware is vulnerable to L1 terminal fault: False
Speculation control settings for MDS [microarchitectural data sampling]
Windows OS support for MDS mitigation is present: True
Hardware is vulnerable to MDS: False
Suggested actions
BTIHardwarePresent : True
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : True
BTIDisabledByNoHardwareSupport : False
BTIKernelRetpolineEnabled : False
BTIKernelImportOptimizationEnabled : False
KVAShadowRequired : False
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False
SSBDWindowsSupportPresent : True
SSBDHardwareVulnerable : True
SSBDHardwarePresent : True
SSBDWindowsSupportEnabledSystemWide : True
L1TFHardwareVulnerable : False
L1TFWindowsSupportPresent : True
L1TFWindowsSupportEnabled : False
L1TFInvalidPteBit : 0
L1DFlushSupported : True
MDSWindowsSupportPresent : True
MDSHardwareVulnerable : False
MDSWindowsSupportEnabled : False
The agent comes with these messages:
Customers are advised to refer to ADV180012 for more details pertaining to this vulnerability.
Please refer to the section "Enabling protections on the server" from the Microsoft link for Server Operating systems, Microsoft link for Client Operating Systems for more details
Patch:
Following are links for downloading patches to fix the vulnerabilities:
and:
Customers are advised to refer to ADV180002 for more details pertaining to this vulnerability.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
There were some work-around patches, but ultimately the hardware vendors provided firmware updates to mitigate. So I'd check with the hardware vendor about this.
--please don't forget to upvote and Accept as answer if the reply is helpful--
I am checking some things out. I already used the registry fixes in your link. However, Qualys uses different settings. I will have to wait for a new report.
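One way to triage the field list posted in the question, as an added example that is not part of the original thread: it reports a gap only where the output says the hardware needs a mitigation and Windows has not enabled it. The helper name `Get-MitigationGap` is hypothetical, the sample object is constructed from the values posted above, and treating the branch target injection mitigation as always needed is an assumption.

```powershell
# Constructed sample: values copied from the output posted in the question.
# On a live system use instead: $s = Get-SpeculationControlSettings
$s = [pscustomobject]@{
    BTIWindowsSupportEnabled            = $false
    BTIDisabledBySystemPolicy           = $true
    BTIDisabledByNoHardwareSupport      = $false
    KVAShadowRequired                   = $false
    KVAShadowWindowsSupportEnabled      = $false
    SSBDHardwareVulnerable              = $true
    SSBDWindowsSupportEnabledSystemWide = $true
    L1TFHardwareVulnerable              = $false
    L1TFWindowsSupportEnabled           = $false
    MDSHardwareVulnerable               = $false
    MDSWindowsSupportEnabled            = $false
}

# Get-MitigationGap is a hypothetical helper name, not part of any module.
function Get-MitigationGap {
    param([Parameter(Mandatory)] $Settings)

    # Why BTI is off, taken from the two "disabled by" flags in the output.
    $btiReason = ''
    if ($Settings.BTIDisabledBySystemPolicy) { $btiReason = 'disabled by system policy' }
    elseif ($Settings.BTIDisabledByNoHardwareSupport) { $btiReason = 'disabled by absence of hardware support' }

    $rows = @(
        # Assumption: the output has no "vulnerable" flag for BTI, so it is always treated as needed.
        @{ Cve = 'CVE-2017-5715'; Needed = $true; Enabled = $Settings.BTIWindowsSupportEnabled; Reason = $btiReason }
        @{ Cve = 'CVE-2017-5754'; Needed = $Settings.KVAShadowRequired; Enabled = $Settings.KVAShadowWindowsSupportEnabled; Reason = '' }
        @{ Cve = 'CVE-2018-3639'; Needed = $Settings.SSBDHardwareVulnerable; Enabled = $Settings.SSBDWindowsSupportEnabledSystemWide; Reason = '' }
        @{ Cve = 'CVE-2018-3620'; Needed = $Settings.L1TFHardwareVulnerable; Enabled = $Settings.L1TFWindowsSupportEnabled; Reason = '' }
        @{ Cve = 'MDS'; Needed = $Settings.MDSHardwareVulnerable; Enabled = $Settings.MDSWindowsSupportEnabled; Reason = '' }
    )
    foreach ($r in $rows) {
        $status = 'Gap'
        if (-not $r.Needed) { $status = 'NotApplicable' }
        elseif ($r.Enabled) { $status = 'Mitigated' }
        $reason = ''
        if ($status -eq 'Gap') { $reason = $r.Reason }
        [pscustomobject]@{ Cve = $r.Cve; Status = $status; Reason = $reason }
    }
}

# Show only the mitigations that are needed but not enabled.
Get-MitigationGap -Settings $s | Where-Object Status -eq 'Gap'
```

On the posted values the only row with status Gap is CVE-2017-5715, with the reason "disabled by system policy"; the other families come back as Mitigated or NotApplicable.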