In January 2018, security news media was abuzz over a new class of vulnerability called side channel vulnerabilities. Spectre, Meltdown and Foreshadow are some of the best known. They exploit weaknesses in speculative execution in microprocessors to leak unauthorized information. Side channel vulnerabilities allow attackers to bypass account permissions, virtualization boundaries and protected memory regions.
Patching these vulnerabilities is not easy. They are mitigated by a combination of patches from both the chipset vendor and the operating system provider. Worse, there is often a noticeable performance hit after installing these updates. Because of this, many of the updates can be disabled selectively. In fact, many of these updates are not enabled by default on servers, whereas they are on workstations. The theory is that you are willing to suffer a bit of performance impact on workstations whereas you wouldn’t be as willing to do so on a server.
I find that I need to review the patching status of whatever latest side channel vulnerability has come out. Recently the NSA provided updated guidance for the current state of these vulnerabilities that also pointed to an excellent recap on the GitHub site.
What are the side channel vulnerabilities?
In January 2018, the first two side channel vulnerabilities came out:
- Spectre (CVE-2017-5715, CVE-2017-5753, CVE-2018-3639 and CVE-2018-3665): Variants in this category include SpectreNG, SpectreRSB, Spectre Prime and Spectre.
- Meltdown (CVE-2017-5754 and CVE-2018-3640): Variants in this category include Meltdown Prime, Total Meltdown and Meltdown.
Since then the following variants have emerged:
- Foreshadow (CVE-2018-3615, CVE-2018-3620 and CVE-2018-3646): Variants in this category include SGXpectre and the L1 terminal fault and cache overrun.
- BranchScope (CVE-2018-9056): This vulnerability targets the Branch Prediction Units (BPUs) that handle speculation when branching instructions, such as a conditional, are encountered.
- TLBleed: The vulnerability requires a processor that feeds multiple execution threads to a single processing core. Intel brands this technology Hyper-Threading, and AMD uses the term Simultaneous Multi-Threading (SMT). As noted on GitHub, “Processor vendors view the fault as a problem with obsolete third-party development libraries that are not thread-safe. As a result, no CVE has been issued.”
- PortSmash (CVE-2018-5407): This vulnerability enables attacks against cryptographic functions where entropy can be observed or stealthily mirrored.
- NetSpectre (no CVE issued): An attack using NetSpectre does not require local code execution on a target system. However, the good news is that the attack would take such a long time to execute that it’s not deemed to be viable.
- Firmware vulnerabilities: These include LoJax, which makes malicious modification to the anti-theft solution known as Computrace or LoJack, and several AMD flaws due to debug features left enabled for use in advanced system tweaking common in the overclocking and gaming communities.
What Windows fixes are available for side channel vulnerabilities?
Windows servers in particular need specific guidance as most of the protections are not enabled by default. To enable fixes for just CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown) add the following registry keys:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
If you have an AMD chip machine, you need to add these registry keys:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 64 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
If you want to enable fixes for CVE-2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown), add these registry keys:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
For AMD machines the registry keys for CVE-2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown) are:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
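The four registry variants above differ only in the FeatureSettingsOverride value (0 or 64 depending on the CPU vendor, plus 8 when Speculative Store Bypass protection is wanted). The following PowerShell is an added example, not part of the original article: it reads the three values from the local registry, works out which value the article prescribes for this machine's CPU vendor, and returns the exact reg add commands needed if the server does not match. The value meanings are derived from the article's own four combinations; the mask value 3 and the need for a restart after changing the keys follow Microsoft's documentation for these settings and are treated here as assumptions.

```powershell
# Added example: audit the side channel override keys described in the article.
# Value semantics are taken from the article's four reg add variants:
#   0 = Intel baseline (Spectre v2 + Meltdown), 64 = AMD baseline, +8 adds SSBD.
# Mask 3 and the post-change restart requirement are assumptions from vendor docs.

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$VirtKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Get-ExpectedFeatureSettingsOverride {
    param(
        [Parameter(Mandatory)][string]$CpuManufacturer,   # Win32_Processor.Manufacturer
        [switch]$IncludeSsbd                               # add CVE-2018-3639 protection
    )
    # Base value depends on the vendor: 0 for Intel, 64 for AMD (per the article).
    $value = if ($CpuManufacturer -eq 'AuthenticAMD') { 64 } else { 0 }
    if ($IncludeSsbd) { $value += 8 }   # yields 8 (Intel) or 72 (AMD), as in the article
    return $value
}

function Test-SideChannelOverride {
    param([switch]$IncludeSsbd)

    $cpu = (Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1).Manufacturer
    $expected = Get-ExpectedFeatureSettingsOverride -CpuManufacturer $cpu -IncludeSsbd:$IncludeSsbd

    # Read the current values; a missing value means the OS default applies
    # (mitigations off on Server 2016 and earlier, as the article explains).
    $mm   = Get-ItemProperty -Path $MemMgmtKey -ErrorAction SilentlyContinue
    $virt = Get-ItemProperty -Path $VirtKey    -ErrorAction SilentlyContinue
    $override = $mm.FeatureSettingsOverride
    $mask     = $mm.FeatureSettingsOverrideMask
    $minVm    = $virt.MinVmVersionForCpuBasedMitigations

    $compliant = ($override -eq $expected) -and ($mask -eq 3) -and ($minVm -eq '1.0')

    # Build the remediation commands only when the server deviates from the target state.
    $fix = @()
    if (-not $compliant) {
        $fix = @(
            "reg add `"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management`" /v FeatureSettingsOverride /t REG_DWORD /d $expected /f",
            "reg add `"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management`" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f",
            "reg add `"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization`" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d `"1.0`" /f"
        )
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        CpuManufacturer  = $cpu
        CurrentOverride  = $override
        CurrentMask      = $mask
        MinVmVersion     = $minVm
        ExpectedOverride = $expected
        Compliant        = $compliant
        RemediationCmds  = $fix
    }
}

# Usage: audit for Spectre v2 + Meltdown + SSBD and print any fix-up commands.
$result = Test-SideChannelOverride -IncludeSsbd
$result | Format-List
$result.RemediationCmds
```

Run it in an elevated PowerShell session. The script only reads the registry; apply the returned reg add commands yourself, and restart the server afterwards so the kernel picks up the new override values.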
Windows Server 2019 handles the L1TF vulnerability differently than Server 2016. Once you have installed updates on Server 2019, the L1TF fixes are enabled by default. Protection for CVE-2018-3620 builds on the mitigation for CVE-2017-5754 (Meltdown). When the mitigation for CVE-2017-5754 is enabled, Windows automatically enables protection for CVE-2018-3620. The mitigation for CVE-2017-5754 is enabled by default on Windows Server 2019 and disabled by default on Windows Server 2016 and earlier versions.
To confirm that you have enabled the fixes on Server 2016 or Server 2019, use PowerShell. First install the module:
PS> Install-Module SpeculationControl
[Image: Enable the SpeculationControl module]
Run the PowerShell module to verify that protections are enabled:
PS> # Save the current execution policy so it can be reset
PS> $SaveExecutionPolicy = Get-ExecutionPolicy
PS> Set-ExecutionPolicy RemoteSigned -Scope Currentuser
PS> Import-Module SpeculationControl
PS> Get-SpeculationControlSettings
PS> # Reset the execution policy to the original state
PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser
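Checking one server at a time is fine for a lab, but reviewing patching status across a fleet calls for a summary. The PowerShell below is an added example, not code from the article or from the SpeculationControl module: it runs Get-SpeculationControlSettings over PowerShell remoting and lists, per server, every protection the module reports as not enabled. It assumes the module is already installed on each target, that WinRM is reachable, that the cmdlet's -Quiet switch suppresses the console report, and that each protection appears on the returned object as a boolean property whose name contains "Enabled" (the names are discovered from the object rather than hard-coded). The server names are placeholders.

```powershell
# Added example: fleet-wide summary of Get-SpeculationControlSettings results.
# Assumptions: SpeculationControl module installed on targets, WinRM reachable,
# -Quiet switch supported, protections exposed as *Enabled* boolean properties.

function Get-SpeculationControlReport {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [pscredential]$Credential
    )
    $params = @{ ComputerName = $ComputerName; ErrorAction = 'Continue' }
    if ($Credential) { $params.Credential = $Credential }

    Invoke-Command @params -ScriptBlock {
        Import-Module SpeculationControl -ErrorAction Stop
        # -Quiet (assumed) keeps the verbose console report off; we only need the object.
        Get-SpeculationControlSettings -Quiet
    } | ForEach-Object {
        $settings = $_
        # Every *Enabled* property that is $false is a mitigation the OS is not applying.
        $disabled = @(
            $settings.PSObject.Properties |
                Where-Object { $_.Name -like '*Enabled*' -and $_.Value -eq $false } |
                Select-Object -ExpandProperty Name
        )
        [pscustomobject]@{
            ComputerName        = $settings.PSComputerName   # added by Invoke-Command
            DisabledProtections = ($disabled -join ', ')
            NeedsAttention      = ($disabled.Count -gt 0)
        }
    }
}

# Usage (server names are placeholders): servers needing attention sort to the top.
Get-SpeculationControlReport -ComputerName 'SERVER01', 'SERVER02' |
    Sort-Object NeedsAttention -Descending |
    Format-Table -AutoSize
```

Servers that fail to respond surface as Invoke-Command errors rather than silently dropping out of the table, which matters when the point of the report is to prove coverage.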
As you can see in this sample Server 2016 installed in Hyper-V, several protections are not enabled:
[Image: Check for patching status]
You may need to scroll down to view the remainder of the recommendations:
[Image: View recommendations]
Note that if you use SQL Server, you should follow additional guidance. However, you may need to review whether the fixes impact performance. For Server 2012 R2 and earlier, you will need to download the script from the TechNet Gallery to test those platforms.
Bottom line: Balance your consideration of the risks of these attacks against the performance hit. You may decide not to enable all these protections. I am not aware of any active attacks using these vulnerabilities; review your situation and determine whether you want to accept the risk or enable all of the protections. You may find that your environment is not negatively impacted by these fixes, especially if you have devices and firewalls at the border that can keep track of and alert you to any attacks using these techniques.