Partager via


[Cross-Post] Intel/AMD/ARM CPU firmware vulnerability–“Speculative execution side-channel vulnerabilities” (Kernel Page Table Isolation (KPTI)).

CVE-2017-5753: bounds check bypass
CVE-2017-5715: branch target injection
CVE-2017-5754: rogue data cache load

“Speculative execution side-channel vulnerabilities” that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass

        Note:  Also known as “Kernel Page Table Isolation” (KPTI)) vulnerability.

        Note 2:  Also known as “Meltdown attack”

        Note 3:  Also known as “Spectre attack”

Register’s Intel story from Jan. 3rd, 2018.

What’s impacted?  They affect the different hardware of multiple vendors across the industry

  • Intel
  • AMD
  • ARM

                 Meltdown https://meltdownattack.com/

                 Meltdown impacts only Intel*

                             Note:  * As of now.

                Spectre https://spectreattack.com/

                Spectre impacts Intel, AMD, and ARM.

Thus the software running on top (Windows, Linux, Android, Chrome, IOS, Mac OS).

Intel Corp. has released the following announcement:

Intel Responds to Security Research Findings

https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

US Cert has released the following announcement:

· US Cert. Notification

AMD Corp. has released the following announcement:

An Update on AMD Processor Security
https://www.amd.com/en/corporate/speculative-execution

[PATCH] x86/cpu, x86/pti: Do not enable PTI on AMD processors
https://lkml.org/lkml/2017/12/27/2

For a list of the announcement by hardware vendors, check out Chris Mill's (Security PM) blog site:

https://aka.ms/spectre-cpu

Microsoft Security Advisory:

ADV180002 | Vulnerability in CPU Microcode Could Allow Information Disclosure

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

Microsoft Azure’s announcement:

Securing Azure customers from CPU vulnerability

https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/

4073235 Microsoft Cloud Protections Against Speculative Execution

https://support.microsoft.com/en-us/help/4073235/cloud-protections-speculative-execution-side-channel-vulnerabilities

Microsoft Windows and Windows Server related information:

4072699 Important information regarding the Windows security updates released on January 3, 2018 and anti-virus software
https://support.microsoft.com/?id=4072699

For a list of the announcement by AV vendors, check out Chris Mill's (Security PM) site:

https://aka.ms/spectre-cpu

4073229 Protecting your device against chip-related security vulnerabilities
https://support.microsoft.com/?id=4073229

4073707 Windows operating system security update block for some AMD based devices

https://support.microsoft.com/?id=4073707

4073119 Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
https://support.microsoft.com/?id=4073119

4072698 Windows Server Guidance to protect against the speculative execution side-channel vulnerabilities
https://support.microsoft.com/?id=4072698

4073225 SQL Server Guidance to protect against speculative execution side-channel vulnerabilities
https://support.microsoft.com/?id=4073225 

Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems

https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/

Summary:  5 steps:

  1. Apply CPU microcode (firmware) update from the OEM hardware manufacturer.
  2. Check with your AV vendor for antivirus compatibility before installing "Windows Update".

                 Note:  Windows Defender Antivirus and SCEP are compatible.

             3. Install "Windows Updates" from January 3rd, 2018.

             4.  Windows Server OS need to enable software mitigations.

  • reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
  • reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

             5.  On Hyper-V hosts, you will need shutdown (live migrate off) the Guest VM’s and add the following registry key on the Hyper-V Host:

  • reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

FAQ:

Q:  Does the Host need to be patched first?  Or is it ok to patch the VM first?

A:  For the Windows patches, the order doesn't matter.

Q:  What does the following registry MinVmVersionForCpuBasedMitigations do?

A:  MinVmVersionForCpuBasedMitigations is "minimum VM version that needs access to the updated firmware capabilities"

     Source:
      Protecting guest virtual machines from CVE-2017-5715 (branch target injection)
      /en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms

Surface hardware related information:

4073065 Surface Guidance for Customers and Partners: Protect your devices against the recent chip-related security vulnerability
https://support.microsoft.com/?id=4073065

The Windows and Windows Server related hotfixes are available here:

https://www.catalog.update.microsoft.com/Search.aspx?q=2018-01

Windows 10 1709 and Windows Server 1709 (a.k.a. Fall’s Creators update, codename RS3):

4056892 January 3, 2018—KB4056892 (OS Build 16299.192)

2018-01 Update for Windows 10 Version 1709 (KB4058702)

https://support.microsoft.com/?id=4056892

Windows 10 1703 and Windows Server 1703 (a.k.a. Creators update, codename RS2):

4056891 January 3, 2018—KB4056891 (OS Build 15063.850)

https://support.microsoft.com/?id=4056891

Windows 10 version 1607 and Windows Server 2016 (a.k.a. Anniversary edition, codename RS1):

4056890 January 3, 2018—KB4056890 (OS Build 14393.2007)

https://support.microsoft.com/?id=4056890

Windows 10 version 1511 (a.k.a. November update, codename TH2):

4056888 January 3, 2018—KB4056888 (OS Build 10586.1356)

2018-01 Cumulative Update for Windows 10 Version 1511 (KB4056888)

https://support.microsoft.com/?id=4056888

Windows 10 version 1507 (a.k.a. RTM, codename TH1):

4056893 January 3, 2018—KB4056893 (OS Build 10240.17738)

2018-01 Cumulative Update for Windows 10 Version 1507 (KB4056893)

https://support.microsoft.com/?id=4056893

Windows 8.1 and Windows Server 2012 R2:

January 3, 2018—KB4056898 (Security-only update)

2018-01 Security Only Quality Update for Windows Server 2012 R2  (KB4056898)

https://support.microsoft.com/?id=4056898

Windows 7 SP1 and Windows Server 2008 R2:

4056897 January 3, 2018—KB4056897 (Security-only update)

2018-01 Security Only Quality Update for Windows Server 2008 R2 (KB4056897)

https://support.microsoft.com/?id=4056897

My PFE peers:

  • Ralph Kyttle wrote the following PoSh (Powershell) DSM:

Verifying Spectre / Meltdown protections remotely
https://blogs.technet.microsoft.com/ralphkyttle/2018/01/05/verifying-spectre-meltdown-protections-remotely/

  • Ken Wygant wrote and shared the following SCCM DCM baseline and it’s available for download here:

https://twitter.com/pfeken/status/950378010837995520

has been replaced with:

Speculation Execution Side-Channel Vulnerabilities Configuration Baseline
https://gallery.technet.microsoft.com/Speculation-Execution-Side-1483f621 

h.t.h.,

Yong

P.S.  The other ISV’s impacted by the issue:

Google’s announcement:

Today's CPU vulnerability: what you need to know

AWS’s announcement:
Processor Speculative Execution Research Disclosure

Redhat’s announcement:
Kernel Side-Channel Attacks - CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

     Speculative Execution Exploit Performance Impacts - Describing the performance impacts to security patches for CVE-2017-5754 CVE-2017-5753 and CVE-2017-5715

Ubuntu’s announcement:

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

Suse’s announcement:

https://www.suse.com/support/kb/doc/?id=7022512

CoreOS:

https://twitter.com/CoreOSsecurity/status/948790591898361857

VMWare’s announcement:

https://blogs.vmware.com/security