Since Spectre and Meltdown were publicly disclosed in January 2018, other side channel vulnerabilities have emerged. These are the mitigations to consider for each of them.

In January 2018, security news media was abuzz over a new class of vulnerability called side channel vulnerabilities. Spectre, Meltdown and Foreshadow are some of the best known. They exploit speculative execution in microprocessors to leak information the attacker is not authorized to read, bypassing account permissions, virtualization boundaries and protected memory regions.

Patching these vulnerabilities is not easy. They are mitigated by a combination of CPU microcode updates from the chip vendor (usually delivered as OEM firmware) and patches from the operating system provider, and one without the other leaves the protection incomplete. Worse, there is often a noticeable performance hit after installing these updates. Because of this, many of the mitigations can be enabled or disabled selectively. On Windows, several of them are enabled by default on workstations but not on servers: the theory is that you will accept some performance loss on a workstation but not on a server, so the server administrator has to opt in.

I find that I need to review the patching status of whatever latest side channel vulnerability has come out.
Recently the NSA provided updated guidance on the current state of these vulnerabilities that also pointed to an excellent recap on GitHub.

What are the side channel vulnerabilities?

In January 2018, the first two side channel vulnerabilities came out:

Spectre (CVE-2017-5715, CVE-2017-5753, CVE-2018-3639 and CVE-2018-3665): Variants in this category include SpectreNG, SpectreRSB, Spectre Prime and Spectre itself.

Meltdown (CVE-2017-5754 and CVE-2018-3640): Variants in this category include Meltdown Prime, Total Meltdown and Meltdown itself.

Since then the following variants have emerged:

Foreshadow (CVE-2018-3615, CVE-2018-3620 and CVE-2018-3646): Variants in this category include SGXpectre and the L1 terminal fault (L1TF) and cache overrun.

BranchScope (CVE-2018-9056): This vulnerability targets the branch prediction units (BPUs) that drive speculation when a branching instruction, such as a conditional, is encountered.

TLBleed: This attack requires a processor that feeds multiple execution threads to a single physical core. Intel brands this technology Hyper-Threading; AMD uses the term simultaneous multithreading (SMT). As noted on GitHub, "Processor vendors view the fault as a problem with obsolete third-party development libraries that are not thread-safe. As a result, no CVE has been issued."

PortSmash (CVE-2018-5407): Another SMT attack. A process on one hardware thread measures contention on the core's execution ports to observe the timing of cryptographic operations running on the sibling thread; the published proof of concept recovered an ECDSA private key from OpenSSL this way.

NetSpectre (no CVE issued): An attack using NetSpectre does not require local code execution on the target; it leaks memory over the network by timing responses. The good news is that the leak rate is so low (on the order of bits per hour in the published research) that the attack is not considered practical.

Firmware vulnerabilities: These include LoJax, a UEFI rootkit that persists by maliciously modifying the firmware component of the Computrace/LoJack anti-theft agent, and several AMD flaws caused by debug features left enabled for the advanced system tweaking common in the overclocking and gaming communities.

What Windows fixes are available for side channel vulnerabilities?

Windows servers in particular need specific guidance, because most of the protections are not enabled by default there. The registry values below select which mitigations the kernel turns on; the Virtualization value is needed only on Hyper-V hosts, and a restart is required after any change. Note that the CVE-2017-5715 (Spectre Variant 2) mitigation also depends on updated CPU microcode, delivered either in OEM firmware or as a Microsoft microcode update; without it the registry setting cannot enable that protection.

To enable fixes for just CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown), add the following registry values:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If you have an AMD machine, add these registry values instead:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 64 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If you want to enable fixes for CVE-2018-3639 (Speculative Store Bypass) as well as CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown), add these registry values:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

For AMD machines the registry values for CVE-2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown) are:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

Windows Server 2019 handles the L1TF vulnerability differently than Server 2016. Once you have installed updates on Server 2019, the L1TF fixes are enabled by default. Protection for CVE-2018-3620 builds on the mitigation for CVE-2017-5754 (Meltdown): when the mitigation for CVE-2017-5754 is enabled, Windows automatically enables protection for CVE-2018-3620.
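The registry procedure above, as an added worked example in PowerShell that is not part of the article or of Microsoft's own tooling: it chooses the FeatureSettingsOverride value from the four combinations listed above (Intel or AMD, with or without the Speculative Store Bypass mitigation), writes the values, and reads them back so the change can be verified before the reboot. The CPU vendor is detected from Win32_Processor, and the -HyperVHost switch writes the Virtualization value only where it is needed. The function and parameter names are my own, not Microsoft's.

```powershell
# Added example (not from the article): apply the FeatureSettingsOverride values
# the article lists for Windows Server, chosen by CPU vendor and by whether the
# CVE-2018-3639 (Speculative Store Bypass) mitigation is wanted, then read the
# values back for verification. Run from an elevated prompt; a restart is
# required before the kernel picks up the new values.

$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$HyperV  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

# The four FeatureSettingsOverride values from the article, keyed by vendor and
# by whether SSB protection is included. FeatureSettingsOverrideMask is 3 in every case.
$OverrideTable = @{
    'Intel:NoSSB' = 0
    'Intel:SSB'   = 8
    'AMD:NoSSB'   = 64
    'AMD:SSB'     = 72
}

function Get-CpuVendor {
    # Win32_Processor.Manufacturer reports 'GenuineIntel' or 'AuthenticAMD'.
    $manufacturer = (Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1).Manufacturer
    switch -Wildcard ($manufacturer) {
        '*Intel*' { return 'Intel' }
        '*AMD*'   { return 'AMD' }
        default   { throw "Unrecognised CPU manufacturer '$manufacturer'; pass -Vendor explicitly." }
    }
}

function Set-SpeculationMitigation {
    # Hypothetical helper name; supports -WhatIf so the write can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('Intel', 'AMD')] [string] $Vendor = (Get-CpuVendor),
        [switch] $IncludeSSB,
        # Only Hyper-V hosts need MinVmVersionForCpuBasedMitigations.
        [switch] $HyperVHost
    )

    $key      = '{0}:{1}' -f $Vendor, $(if ($IncludeSSB) { 'SSB' } else { 'NoSSB' })
    $override = $OverrideTable[$key]

    if ($PSCmdlet.ShouldProcess($MemMgmt, "FeatureSettingsOverride=$override, FeatureSettingsOverrideMask=3")) {
        Set-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverride     -Value $override -Type DWord
        Set-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverrideMask -Value 3         -Type DWord
    }
    if ($HyperVHost -and $PSCmdlet.ShouldProcess($HyperV, 'MinVmVersionForCpuBasedMitigations=1.0')) {
        New-Item -Path $HyperV -Force | Out-Null   # key may not exist yet
        Set-ItemProperty -Path $HyperV -Name MinVmVersionForCpuBasedMitigations -Value '1.0' -Type String
    }

    # Read back what is actually in the registry now, so the caller can confirm it
    # against the expected value before scheduling the reboot.
    $mm = Get-ItemProperty -Path $MemMgmt
    [pscustomobject]@{
        Vendor                  = $Vendor
        IncludeSSB              = [bool]$IncludeSSB
        ExpectedOverride        = $override
        FeatureSettingsOverride = $mm.FeatureSettingsOverride
        OverrideMask            = $mm.FeatureSettingsOverrideMask
        HyperVMinVmVersion      = (Get-ItemProperty -Path $HyperV -ErrorAction SilentlyContinue).MinVmVersionForCpuBasedMitigations
        RebootRequired          = $true
    }
}

# Usage: an Intel Hyper-V host that should get Spectre v2, Meltdown and SSB protection.
# Preview first, then apply.
Set-SpeculationMitigation -IncludeSSB -HyperVHost -WhatIf
Set-SpeculationMitigation -IncludeSSB -HyperVHost
```

The read-back is deliberate: the mask and override are two separate values, and a deployment that sets one but not the other (or sets the Intel value on an AMD box) silently leaves the protection off, which is exactly the failure the Get-SpeculationControlSettings check later in the article is meant to catch.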
The mitigation for CVE-2017-5754 is enabled by default on Windows Server 2019 and disabled by default on Windows Server 2016 and earlier versions.

To confirm that you have enabled the fixes on Server 2016 or Server 2019, install Microsoft's SpeculationControl PowerShell module:

PS> Install-Module SpeculationControl

Then run the module to verify which protections are enabled:

PS> # Save the current execution policy so it can be reset
PS> $SaveExecutionPolicy = Get-ExecutionPolicy
PS> Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
PS> Import-Module SpeculationControl
PS> Get-SpeculationControlSettings
PS> # Reset the execution policy to the original state
PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope CurrentUser

In a sample Server 2016 guest installed on Hyper-V, the output showed several protections not enabled; the module's output ends with a list of recommended actions for whatever is missing.

Note that if you use SQL Server, you should follow Microsoft's additional guidance for it, and review whether the fixes affect performance. For Server 2012 R2 and earlier, download the TechNet gallery script to test those platforms.

Bottom line: Balance the risk of these attacks against the performance hit. You may decide not to enable all these protections. I am not aware of any active attacks using these vulnerabilities; review your situation and determine whether you want to accept the risk or enable all of the protections. You may find that your environment is not negatively impacted by these fixes, especially if you have devices and firewalls at the border that can track and alert you to any attacks using these techniques.
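A fleet-wide version of the check above, added here as an example and not part of the article or of the SpeculationControl module: it runs Get-SpeculationControlSettings on several servers over PowerShell remoting and flags hosts where a needed mitigation is present but not enabled, which is the gap the article says servers tend to have. It assumes the module is installed on each target, that WinRM remoting works, that the module's -Quiet switch is available, and that the output property names (BTI*, KVAShadow*, SSBD*, L1TF*) match the module version in use; the function names and host names are placeholders.

```powershell
# Added example (not from the article): audit several servers for side channel
# mitigation status and report the ones that still need attention.
# Property names are assumed to match the SpeculationControl module's output;
# adjust them if your module version reports different names.

function Get-MitigationReport {
    param([Parameter(Mandatory)] [string[]] $ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Import-Module SpeculationControl -ErrorAction Stop
        # -Quiet suppresses the module's narrative output; we only want the object.
        Get-SpeculationControlSettings -Quiet
    } | ForEach-Object {
        $s = $_
        [pscustomobject]@{
            Computer        = $s.PSComputerName
            # Spectre v2 (CVE-2017-5715): needs microcode (hardware) + OS support + enabled.
            BTI_Microcode   = $s.BTIHardwarePresent
            BTI_Enabled     = $s.BTIWindowsSupportEnabled
            # Meltdown (CVE-2017-5754): KVA shadowing, only required on affected CPUs.
            KVA_Required    = $s.KVAShadowRequired
            KVA_Enabled     = $s.KVAShadowWindowsSupportEnabled
            # Speculative Store Bypass (CVE-2018-3639).
            SSBD_Vulnerable = $s.SSBDHardwareVulnerable
            SSBD_Enabled    = $s.SSBDWindowsSupportEnabledSystemWide
            # L1 Terminal Fault (CVE-2018-3620 / CVE-2018-3646).
            L1TF_Vulnerable = $s.L1TFHardwareVulnerable
            L1TF_Enabled    = $s.L1TFWindowsSupportEnabled
        }
    }
}

function Find-UnprotectedHosts {
    # A host is flagged when a mitigation is needed (hardware vulnerable or
    # shadowing required) but not enabled. A missing property counts as "not enabled".
    param([Parameter(Mandatory, ValueFromPipeline)] $Report)
    process {
        $gaps = @()
        if ($Report.BTI_Enabled -ne $true) {
            # Distinguish "registry not set" from "microcode never arrived".
            $gaps += if ($Report.BTI_Microcode -eq $true) { 'Spectre v2 (OS mitigation off)' }
                     else { 'Spectre v2 (microcode missing)' }
        }
        if ($Report.KVA_Required    -and $Report.KVA_Enabled  -ne $true) { $gaps += 'Meltdown (KVA shadow off)' }
        if ($Report.SSBD_Vulnerable -and $Report.SSBD_Enabled -ne $true) { $gaps += 'Speculative Store Bypass' }
        if ($Report.L1TF_Vulnerable -and $Report.L1TF_Enabled -ne $true) { $gaps += 'L1TF' }
        if ($gaps.Count -gt 0) {
            [pscustomobject]@{ Computer = $Report.Computer; MissingMitigations = ($gaps -join ', ') }
        }
    }
}

# Usage: replace the placeholder host names with your own servers.
$report = Get-MitigationReport -ComputerName 'srv2016-01', 'srv2019-01'
$report | Format-Table -AutoSize
$report | Find-UnprotectedHosts | Format-Table -AutoSize
```

Splitting the Spectre v2 result into "OS mitigation off" and "microcode missing" matters for the follow-up: the first is fixed with the registry values earlier in the article, the second needs a firmware or microcode update from the OEM or Microsoft and no registry change will help until it lands.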