Windows Server guidance to protect against speculative execution side-channel vulnerabilities
Summary

Microsoft is aware of a new publicly disclosed class of vulnerabilities that are referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems, including chipsets from Intel, AMD, and ARM.

Note: This issue also affects other systems, such as Android, Chrome, iOS, and MacOS, so we advise customers to seek guidance from those vendors.

Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See the following sections for more information.

Microsoft has not yet received any information to indicate that these vulnerabilities have been used to attack customers. Microsoft continues working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers. To get all available protections, hardware/firmware and software updates are required. This includes microcode from device OEMs and, in some cases, updates to antivirus software as well.

This advisory addresses the following vulnerabilities:

  • CVE-2017-5715 (branch target injection)
  • CVE-2017-5753 (bounds check bypass)
  • CVE-2017-5754 (rogue data cache load)

To learn more about this class of vulnerabilities, see ADV180002.

Overview

The following sections will help you identify, mitigate, and remedy Windows Server environments that are affected by the vulnerabilities identified in Microsoft Security Advisory ADV180002, and explain how to enable the update for your systems.

To address these issues, Microsoft is working with the hardware industry to develop mitigations and guidance.

Recommended actions

Customers should take the following actions to help protect against the vulnerabilities:

  • Apply the Windows operating system update. For details on how to enable this update, see Microsoft Knowledge Base Article 4072699.
  • Make necessary configuration changes to enable protection.
  • Apply an applicable firmware update from the OEM device manufacturer.

    Important: Customers who only install the Windows update will not receive the benefit of all known protections.

Windows Server-based machines (physical or virtual) should get the Windows security updates that were released on January 3, 2018, and are available from Windows Update. The following updates are available:

Operating system version                                  Update KB
Windows Server, version 1709 (Server Core Installation)   4056892
Windows Server 2016                                       4056890
Windows Server 2012 R2                                    4056898
Windows Server 2012                                       Not available
Windows Server 2008 R2                                    4056897
Windows Server 2008                                       Not available

In addition to installing the January security update, a processor microcode update is required. This should be available through your OEM.

Enabling protections on server

Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see the following article in the Microsoft Knowledge Base:

322756 - How to back up and restore the registry in Windows

Customers need to enable mitigations to help protect against speculative execution side-channel vulnerabilities.

Enabling these mitigations may affect performance. The actual performance impact will depend on multiple factors, such as the specific chipset in your physical host and the workloads that are running. Microsoft recommends that customers assess the performance impact for their environment and make necessary adjustments.

Your server is at increased risk if it is in one of the following categories:

  • Hyper-V hosts
  • Remote Desktop Services Hosts (RDSH)
  • Physical hosts or virtual machines that run untrusted code, such as containers, untrusted database extensions, untrusted web content, or workloads that run code provided from external sources.

Use the following registry settings to enable or disable the mitigations on the server:

To enable the mitigations:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

To disable the mitigations:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
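The two reg add commands above write the values but give no way to audit what a host is currently set to, or to apply the enable state with an audit trail. The following PowerShell is an added example, not part of the Microsoft article: it reads the two values from the same key and classifies the host as Enabled or Disabled according to the two combinations the article documents (0/3 and 3/3); any other combination is reported as Custom rather than interpreted, since the article does not define the individual bits. The function and parameter names are this example's own. Enable-SpecCtrlMitigations writes exactly the "enable" values shown above, must be run from an elevated prompt, and supports -WhatIf so the change can be previewed first.

```powershell
# Added example (not from the Microsoft article): audit and set the two registry
# values the article uses to enable the speculative execution mitigations.
# Assumption: only the two combinations the article documents are interpreted
# (Override 0 / Mask 3 = enabled, Override 3 / Mask 3 = disabled).
$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-SpecCtrlOverrideState {
    [CmdletBinding()]
    param([string]$Path = $MemMgmtKey)

    # Get-ItemProperty returns $null for a value name that does not exist.
    $props    = Get-ItemProperty -Path $Path -ErrorAction Stop
    $override = $props.FeatureSettingsOverride
    $mask     = $props.FeatureSettingsOverrideMask

    if ($null -eq $override -and $null -eq $mask) {
        # Neither value present: no explicit override, the OS default applies.
        $state = 'NotConfigured'
    }
    elseif ($override -eq 0 -and $mask -eq 3) { $state = 'Enabled' }   # article's "enable" values
    elseif ($override -eq 3 -and $mask -eq 3) { $state = 'Disabled' }  # article's "disable" values
    else                                      { $state = 'Custom' }    # not defined by the article

    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        State                       = $state
    }
}

function Enable-SpecCtrlMitigations {
    # Writes the exact values the article gives under "To enable the mitigations".
    # Requires an elevated prompt; the setting is read at boot, so restart afterwards.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $MemMgmtKey)

    $change = 'Set FeatureSettingsOverride=0 and FeatureSettingsOverrideMask=3'
    if ($PSCmdlet.ShouldProcess($Path, $change)) {
        New-ItemProperty -Path $Path -Name FeatureSettingsOverride     -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $Path -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3 -Force | Out-Null
    }
}

# Usage: show the current state, preview the change, then apply it.
Get-SpecCtrlOverrideState | Format-List
Enable-SpecCtrlMitigations -WhatIf
# Enable-SpecCtrlMitigations
```

The registry state only tells you what the host was configured to do; whether the mitigation is actually active also depends on the OS update and the OEM microcode being present, which is what the Get-SpeculationControlSettings check in the next section reports.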

Verifying protections are enabled

To help confirm whether protections have been enabled, Microsoft has published a PowerShell script that customers can run on their systems. Install and run the script by running the following commands:

PowerShell verification

Temporarily set the PowerShell script execution policy for the current process:

PS> Set-ExecutionPolicy Unrestricted -Scope Process -Force

Install the PowerShell module:

PS> Install-Module SpeculationControl -Force

Run the PowerShell module to validate that protections are enabled:

PS> Get-SpeculationControlSettings

The output of this PowerShell script will look like the following. Enabled protections will show in the output as “True”.

PS C:\> Get-SpeculationControlSettings
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True
 
Speculation control settings for CVE-2017-5754 [rogue data cache load]
 
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID optimization is enabled: True
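Reading that output by eye works for one server but not for a fleet. The following PowerShell is an added example, not part of the Microsoft article or the SpeculationControl module: it runs Get-SpeculationControlSettings on a list of servers over PowerShell remoting and maps each False line back to the one of the article's three recommended actions (OS update, configuration change, OEM firmware) that would most likely explain it. It assumes the module is installed on every target, that remoting is enabled, and that the cmdlet's returned object carries the property names used below (BTIHardwarePresent, BTIWindowsSupportPresent, BTIWindowsSupportEnabled, KVAShadowRequired, KVAShadowWindowsSupportPresent, KVAShadowWindowsSupportEnabled), which correspond one-to-one to the text lines shown above. The server names are constructed sample values.

```powershell
# Added example (not from the Microsoft article): collect Get-SpeculationControlSettings
# results from several servers and flag those that still lack a protection.
# Assumption: the property names below match the object the module returns; each
# one corresponds to one "... : True/False" line of the text output shown above.
$Servers = @('server01', 'server02')   # constructed sample names

function Get-SpecCtrlFleetStatus {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$ComputerName)

    # One result object per reachable server; unreachable hosts produce a
    # non-terminating error and are simply absent from the output.
    $results = Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        Get-SpeculationControlSettings
    }

    foreach ($r in $results) {
        $missing = @()

        # CVE-2017-5715 (branch target injection): all three lines must be True.
        if (-not $r.BTIHardwarePresent)       { $missing += 'CVE-2017-5715: OEM firmware/microcode' }
        if (-not $r.BTIWindowsSupportPresent) { $missing += 'CVE-2017-5715: Windows update' }
        # "enabled" can be False because the registry override is off OR because
        # hardware support is absent, so both causes may be listed together.
        if (-not $r.BTIWindowsSupportEnabled) { $missing += 'CVE-2017-5715: not enabled (registry or firmware)' }

        # CVE-2017-5754 (rogue data cache load): only relevant where the CPU requires
        # kernel VA shadowing; on other CPUs these lines are expected to be False.
        if ($r.KVAShadowRequired) {
            if (-not $r.KVAShadowWindowsSupportPresent) { $missing += 'CVE-2017-5754: Windows update' }
            if (-not $r.KVAShadowWindowsSupportEnabled) { $missing += 'CVE-2017-5754: not enabled (registry)' }
        }

        [pscustomobject]@{
            ComputerName = $r.PSComputerName   # added by remoting to each result
            Protected    = ($missing.Count -eq 0)
            Missing      = ($missing -join '; ')
        }
    }
}

# Usage: one row per server; start remediation with the rows where Protected is False.
Get-SpecCtrlFleetStatus -ComputerName $Servers | Format-Table -AutoSize
```

The KVAShadowRequired gate matters: on processors that do not need kernel VA shadowing the two KVA lines legitimately read False, and treating them as failures would flag healthy hosts.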

Additional information

Q1: I wasn’t offered the Windows security updates that were released on January 3, 2018. What should I do?
A1: To help avoid adversely affecting customer devices, the Windows security updates that were released on January 3, 2018, have not been offered to all customers. For details, see Microsoft Knowledge Base Article 4073225.

Q2: How can I tell if I have the right version of the CPU microcode?
A2: The microcode is delivered through a firmware update. Consult with your OEM about the firmware version that has the appropriate update for your CPU.

Q3: Why aren't Windows Server 2008 and Windows Server 2012 platforms getting an update? When can customers expect the fix?
A3: Addressing a hardware vulnerability through a software update presents significant challenges, and mitigations for older operating systems require extensive architectural changes. Microsoft continues to work with affected chip manufacturers to investigate the best way to provide mitigations.

Q4: What is the performance impact for the mitigations?
A4: There are multiple variables that affect the performance of these mitigations, ranging from the CPU version to the running workloads. In some systems, the performance impact will be negligible, and in others it will be considerable.

Microsoft recommends that customers assess the performance impact for their systems and make adjustments if necessary.

Q5: I am running Windows Server in a third-party hosted environment or cloud. What should I do?
A5: In addition to the guidance above to address virtual machines, you need to contact your service provider to make sure that the hosts that are running your virtual machines are adequately protected.

For Windows Server virtual machines running in Azure, see Microsoft Knowledge Base Article 4073235.

Q6: Are there any Windows Server container-specific guidelines?
A6: The January update for Windows Server container images for Windows Server 2016 and Windows Server, version 1709 includes the mitigations for this set of vulnerabilities, and no additional configuration is required.

Note that you still need to make sure that the host where these containers are running is configured with the appropriate mitigations.

Q7: Do the software and hardware updates have to be installed in a particular order?
A7: No, the installation order doesn't matter.

Q8: Do I need to reboot after the microcode but before the OS update?
A8: Yes, you must reboot between the microcode and OS updates.


Source: https://support.microsoft.com/en-us/...tive-execution