sbradley
Contributing Writer

How to update your Spectre, Meltdown mitigations for the Retpoline mitigation

How-To | May 29, 2019 | 6 mins | Security, Small and Medium Business, Vulnerabilities

Intel recently released a new mitigation for Spectre and Meltdown and some of their variants. Called Retpoline, it might not be enabled with the Windows 10 1809 update. Here's how to find out and implement.


The Spectre and Meltdown vulnerabilities disclosed in January 2018 showed that weaknesses in CPUs were a potential attack vector: they allow a rogue process to read memory without authorization. Patches were rolled out along with BIOS updates from the manufacturer, but they came with a costly side effect: they degraded performance, especially on systems with older CPUs. Microsoft enabled the protections by default on workstations, but not on server platforms.

Intel came up with a new methodology called “Retpoline.” The mitigation technique “is resistant to exploitation and has attractive performance properties compared to other mitigations.” In the May 14, 2019 (and later) updates for Windows 10 1809 and Server 2019 (and newer), Retpoline is enabled by default on supported devices. As Microsoft notes, if the following conditions are met, then the new, less impactful performance patching is enabled:

  • Spectre, variant 2 (CVE-2017-5715) mitigation is enabled.
  • For client SKUs, Spectre variant 2 mitigation is enabled by default.
  • For server SKUs, Spectre variant 2 mitigation is disabled by default. To realize the benefits of Retpoline, admins can enable it on servers following this guidance.
  • Supported microcode/firmware updates are applied to the machine.

Windows patches alone won’t enable these new protections. You must also have the necessary firmware from the OEM manufacturer.

Windows update mitigates MDS attacks

Also mitigated in the May updates is a new security vulnerability called microarchitectural data sampling (MDS). These vulnerabilities impact only Intel CPUs and allow attackers to eavesdrop on the information that the chip passes to other components. Attackers can exploit MDS to get around the security boundaries set by virtual machine hypervisors, OS kernels, and SGX enclaves. The CVE numbers assigned to these vulnerabilities include:

  • CVE-2018-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
  • CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
  • CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
  • CVE-2018-12130: Microarchitectural Load Port Data Sampling (MLPDS)

Once again, the protections for MDS come from a combination of operating system and firmware updates. You may need to determine whether Intel has released a firmware update for your CPU. For systems with older processors that can’t receive protection, determine whether these machines need to be processing any sensitive information at all.

Then you will need to decide whether to enable the protections. Because of the performance hit, Microsoft has enabled the protection on workstations by default but left the decision up to you on server platforms. To enable (or disable) these protections on workstations, follow the guidance provided by Microsoft in KB4073119. To enable them on Windows Server platforms, follow the guidance in KB4072698. You may want to review the tested performance impact reported by various tech sites before installing the patches broadly.

Once you’ve installed the updates, download the updated SpeculationControl PowerShell module from the PowerShell Gallery, as noted in Microsoft’s instructions; it lets you confirm that you are protected. If you have previously installed the module, update it with the command Install-Module -Name SpeculationControl -Force.

[Image: PowerShell module for testing for speculation control protections]

Once you’ve installed the module, follow the guidance from Github. Run the command Get-SpeculationControlSettings to confirm your system is protected. In my sample case, I clearly need to enable the protections via the registry:

[Image: PowerShell report on protections]

Scroll down to the bottom of the report for the recap of what protections are and are not enabled.

[Image: Recap of protections]

Make the following registry settings to enable the MDS protections (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130). The same settings also cover Spectre (CVE-2017-5753 and CVE-2017-5715), Meltdown (CVE-2017-5754), and variants including Speculative Store Bypass Disable (SSBD) (CVE-2018-3639) and L1 Terminal Fault (L1TF) (CVE-2018-3615, CVE-2018-3620 and CVE-2018-3646), without disabling hyper-threading:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

If the Hyper-V feature is installed, add the following registry setting:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If the system is a Hyper-V host and the firmware updates have been applied, fully shut down all virtual machines. This lets the firmware-related mitigation take effect on the host before the VMs are started, so the VMs pick up the mitigation when they’re restarted. Restart the computer for the changes to take effect.

To enable mitigations with hyper-threading disabled for MDS (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130), Spectre (CVE-2017-5753 and CVE-2017-5715), Meltdown (CVE-2017-5754), and variants including SSBD (CVE-2018-3639) and L1TF (CVE-2018-3615, CVE-2018-3620 and CVE-2018-3646):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

If the Hyper-V feature is installed, add the following registry setting:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If this is a Hyper-V host and the firmware updates have been applied, fully shut down all VMs. This lets the firmware-related mitigation take effect on the host before the VMs are started, so the VMs pick up the mitigation when they’re restarted. Restart the computer for the changes to take effect.

To disable mitigations for MDS (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130), Spectre (CVE-2017-5753 and CVE-2017-5715), Meltdown (CVE-2017-5754), and variants including SSBD (CVE-2018-3639) and L1TF (CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.
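The three reg add sequences above differ only in the FeatureSettingsOverride value (72, 8264 or 3; the mask is always 3) and in whether the Hyper-V key is also written. The following PowerShell script is an added example, not code from the article or from Microsoft: it wraps those settings so an admin can first audit what a machine currently has, then apply one of the three documented profiles with -WhatIf support and read the values back. The profile names (MdsWithHT, MdsNoHT, Disable) are my own labels, and using the presence of the vmms service as the test for "Hyper-V feature is installed" is an assumption; the registry paths and values themselves are exactly the ones the article lists.

```powershell
# Added example (not from the article or Microsoft). Run from an elevated prompt;
# a reboot is still required for any change to take effect, as the article states.
#Requires -RunAsAdministrator

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$VirtKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

# FeatureSettingsOverride values exactly as the article lists them; the profile
# names are labels chosen for this example.
$Profiles = @{
    'MdsWithHT' = 72     # MDS/Spectre/Meltdown/SSBD/L1TF mitigations, hyper-threading left on
    'MdsNoHT'   = 8264   # same mitigations with hyper-threading disabled (8264 = 72 + 8192)
    'Disable'   = 3      # mitigations turned off
}
$OverrideMask = 3        # FeatureSettingsOverrideMask is 3 in every case the article gives

function Test-HyperVInstalled {
    # Assumption: the vmms (Hyper-V Virtual Machine Management) service is used as
    # the indicator that the Hyper-V feature is installed.
    return [bool](Get-Service -Name vmms -ErrorAction SilentlyContinue)
}

function Get-MitigationOverride {
    # Audit: read the current values; missing values come back as $null instead of throwing.
    $props    = Get-ItemProperty -Path $MemMgmtKey -ErrorAction SilentlyContinue
    $override = $props.FeatureSettingsOverride
    $mask     = $props.FeatureSettingsOverrideMask
    $matched  = $Profiles.GetEnumerator() |
                Where-Object { $_.Value -eq $override } |
                Select-Object -First 1
    [pscustomobject]@{
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        MatchesProfile              = if ($matched -and $mask -eq $OverrideMask) { $matched.Key }
                                      else { 'none (OS defaults or a custom value)' }
        HyperVInstalled             = Test-HyperVInstalled
        MinVmVersion                = (Get-ItemProperty -Path $VirtKey -ErrorAction SilentlyContinue).MinVmVersionForCpuBasedMitigations
    }
}

function Set-MitigationOverride {
    # Apply one of the three documented profiles. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('MdsWithHT', 'MdsNoHT', 'Disable')]
        [string]$Profile
    )
    $value = $Profiles[$Profile]

    if ($PSCmdlet.ShouldProcess($MemMgmtKey, "Set FeatureSettingsOverride=$value, FeatureSettingsOverrideMask=$OverrideMask")) {
        if (-not (Test-Path $MemMgmtKey)) { New-Item -Path $MemMgmtKey -Force | Out-Null }
        New-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverride     -PropertyType DWord -Value $value        -Force | Out-Null
        New-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverrideMask -PropertyType DWord -Value $OverrideMask -Force | Out-Null
    }

    # The article adds the Virtualization key only when enabling and only if Hyper-V is installed.
    if ($Profile -ne 'Disable' -and (Test-HyperVInstalled)) {
        if ($PSCmdlet.ShouldProcess($VirtKey, 'Set MinVmVersionForCpuBasedMitigations=1.0')) {
            if (-not (Test-Path $VirtKey)) { New-Item -Path $VirtKey -Force | Out-Null }
            New-ItemProperty -Path $VirtKey -Name MinVmVersionForCpuBasedMitigations -PropertyType String -Value '1.0' -Force | Out-Null
            Write-Warning 'Hyper-V host: fully shut down all VMs before rebooting so the host applies the firmware mitigation first.'
        }
    }

    Write-Warning 'Restart the computer for the change to take effect.'
    Get-MitigationOverride   # read back what was written
}

# Usage:
#   Get-MitigationOverride                          # audit only
#   Set-MitigationOverride -Profile MdsWithHT -WhatIf
#   Set-MitigationOverride -Profile MdsWithHT
```

Run Get-MitigationOverride before and after patching to record the state in change tickets; MatchesProfile reporting "none" on a workstation is normal if you have never written the override (the OS default applies), whereas on a server it means the decision the article describes has not yet been made. After the reboot, Get-SpeculationControlSettings from the SpeculationControl module remains the authoritative check, because it confirms the firmware side as well as the registry side.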

Bottom line: Review your systems. Determine if you are at high risk for these types of silent attacks and take action to protect your systems from these silent attackers.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
