The Meltdown/ Spectre shortcut blogpost for Windows, VMware and HPE
Change History
- 01-13-2018: Added information regarding VMSA-2018-0004
- 01-13-2018: HPE has pulled Gen8 and Gen9 system ROMs
- 01-13-2018: VMware has updated KB52345 due to issues with Intel microcode updates
- 01-18-2018: Updated VMware section
- 01-24-2018: Updated HPE section
- 01-28-2018: Updated Windows Client and Server section
- 02-08-2018: Updated VMware and HPE section
- 02-20-2018: Updated HPE section
- 04-17-2018: Updated HPE section
Many blog posts have been written about the two biggest security vulnerabilities discovered so far. In fact, we are talking about three different vulnerabilities:
- CVE-2017-5715 (branch target injection)
- CVE-2017-5753 (bounds check bypass)
- CVE-2017-5754 (rogue data cache load)
CVE-2017-5715 and CVE-2017-5753 are known as “Spectre”, CVE-2017-5754 is known as “Meltdown”. If you want to read more about these vulnerabilities, please visit meltdownattack.com.
Multiple steps are necessary to be protected. The necessary information is often repeated, but it is scattered across several websites, vendor websites, articles, blog posts and security announcements.
Two simple steps
Two (simple) steps are necessary to be protected against these vulnerabilities:
- Apply operating system updates
- Update the microcode (BIOS) of your server/ workstation/ laptop
If you use a hypervisor to virtualize guest operating systems, then you have to update your hypervisor as well. Just treat it like an ordinary operating system.
Sounds pretty simple, but it’s not. I will focus on three vendors in this blog post:
- Microsoft
- VMware
- HPE
Let’s start with Microsoft. Microsoft has published the security advisory ADV180002 on 01/03/2018.
Microsoft Windows (Client)
The necessary security updates are available for Windows 7 (SP1), Windows 8.1, and Windows 10. The January 2018 security updates are ONLY offered in one of these cases (Source: Microsoft):
- A supported antivirus application is installed
- Windows Defender Antivirus, System Center Endpoint Protection, or Microsoft Security Essentials is installed
- A registry key was added manually
To add this registry key, execute the following in an elevated CMD. Do not add this registry key if you are running an unsupported antivirus application! Contact your antivirus vendor instead! The key has to be added manually only if NO antivirus application is installed; otherwise your antivirus application will add it!
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat /f /v cadca5fe-87d3-4b96-b7fb-a231484277cc /t REG_DWORD /d 0
OS | Update |
---|---|
Windows 10 (1709) | KB4056892 |
Windows 10 (1703) | KB4056891 |
Windows 10 (1607) | KB4056890 |
Windows 10 (1511) | KB4056888 |
Windows 10 (initial) | KB4056893 |
Windows 8.1 | KB4056898 |
Windows 7 SP1 | KB4056897 |
Please note, that you also need a microcode update! Reach out to your vendor. I was offered automatically to update the microcode on my Lenovo ThinkPad X250.
Update 01-28-2018
Microsoft has published an update to disable the mitigation against Spectre (variant 2) (Source: Microsoft). KB4078130 is available for Windows 7 SP1, Windows 8.1 and Windows 10, and it disables the mitigation against Spectre Variant 2 (CVE-2017-5715) independently via registry setting changes. The registry changes are described in KB4073119.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 1 /f
A reboot is required to disable the mitigation.
Windows Server
The necessary security updates are available for Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016 and Windows Server Core (1709). The security updates are NOT available for Windows Server 2008 and Server 2012! The January 2018 security updates are ONLY offered in one of these cases (Source: Microsoft):
- A supported antivirus application is installed
- Windows Defender Antivirus, System Center Endpoint Protection, or Microsoft Security Essentials is installed
- A registry key was added manually
To add this registry key, execute the following in an elevated CMD. Do not add this registry key if you are running an unsupported antivirus application! Contact your antivirus vendor instead! The key has to be added manually only if NO antivirus application is installed; otherwise your antivirus application will add it!
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat /f /v cadca5fe-87d3-4b96-b7fb-a231484277cc /t REG_DWORD /d 0
OS | Update |
---|---|
Windows Server, version 1709 (Server Core Installation) | KB4056892 |
Windows Server 2016 | KB4056890 |
Windows Server 2012 R2 | KB4056898 |
Windows Server 2008 R2 | KB4056897 |
After applying the security update, you have to enable the protection mechanism. This is different from Windows 7, 8.1 and 10! To enable the protection mechanism, you have to add three registry values:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
The easiest way to distribute these registry values is a Group Policy. In addition, you need a microcode update from your server vendor.
Update 01-28-2018
The published update for Windows 7 SP1, 8.1 and 10 (KB4073119) is not available for Windows Server. But the same registry values apply to Windows Server, so it is sufficient to change the already set registry values to disable the mitigation against Spectre Variant 2 (CVE-2017-5715).
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 1 /f
A reboot is required to disable the mitigation.
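The registry values from the Windows client and Windows Server sections above can be audited with the following PowerShell, added here as an example and not taken from the original post or from Microsoft. The meaning of the individual bits (bit 0 controls the CVE-2017-5715 mitigation, bit 1 the CVE-2017-5754 mitigation) is taken from Microsoft KB4072698 and KB4073119; the post itself only shows the two combinations 0/3 and 1/1.

```powershell
# Added example, not from the original post. Reads the registry values from the
# Windows client/Server sections above and decodes them. Bit meanings (bit 0 =
# CVE-2017-5715, bit 1 = CVE-2017-5754) are from Microsoft KB4072698/KB4073119.
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$qc = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'

function Get-RegDword([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-SpectreRegistryState {
    $override = Get-RegDword $mm 'FeatureSettingsOverride'
    $mask     = Get-RegDword $mm 'FeatureSettingsOverrideMask'
    # ProductType 1 = workstation; 2/3 = domain controller/server
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
    # Without an override the client SKUs enable the mitigation, Server leaves it off
    $default  = if ($isServer) { 'disabled (Server default)' } else { 'enabled (client default)' }

    $state = [ordered]@{
        # Present when an AV vendor (or you) set the key needed to receive the January 2018 update
        QualityCompatKeyPresent     = ($null -ne (Get-RegDword $qc 'cadca5fe-87d3-4b96-b7fb-a231484277cc'))
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
    }
    foreach ($m in @(@{ Bit = 1; Name = 'Variant2_CVE-2017-5715' },
                     @{ Bit = 2; Name = 'Meltdown_CVE-2017-5754' })) {
        if ($null -eq $override -or $null -eq $mask -or ($mask -band $m.Bit) -eq 0) {
            $state[$m.Name] = $default                 # mask bit clear: override does not apply
        } elseif (($override -band $m.Bit) -ne 0) {
            $state[$m.Name] = 'disabled by override'   # e.g. Override=1 / Mask=1 from the post
        } else {
            $state[$m.Name] = 'enabled by override'    # e.g. Override=0 / Mask=3 from the post
        }
    }
    return [pscustomobject]$state
}

Get-SpectreRegistryState | Format-List
```

Microsoft's SpeculationControl module (Get-SpeculationControlSettings) goes one step further and reports whether the kernel actually applied the mitigations and whether the required microcode support is present.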
VMware vSphere
VMware has published three important VMware Security Advisories (VMSA):
VMware Workstation Pro, Player, Fusion, Fusion Pro, and ESXi are affected by CVE-2017-5753 and CVE-2017-5715. VMware products seem not to be affected by CVE-2017-5754. On 09/01/2017, VMware published VMSA-2018-0004, which also addresses CVE-2017-5715. To make this clear:
- Hypervisor-Specific Remediation (documented in VMSA-2018-0002.2)
- Hypervisor-Assisted Guest Remediation (documented in VMSA-2018-0004)
I will focus on vCenter and ESXi. In case of VMSA-2018-0002, security updates are available for ESXi 5.5, 6.0 and 6.5. In case of VMSA-2018-0004, security updates are available for ESXi 5.5, 6.0, 6.5, and vCenter 5.5, 6.0 and 6.5. VMSA-2018-0007 covers VMware Virtual Appliance updates against side-channel analysis due to speculative execution.
Before you apply any security updates, please make sure that you read this:
- Deploy the updated version of vCenter listed in the table (only if vCenter is used).
- Deploy the ESXi security updates listed in the table.
- Ensure that your VMs are using Hardware Version 9 or higher. For best performance, Hardware Version 11 or higher is recommended.
For more information about Hardware versions, read VMware KB article 1010675.
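The hardware version check from the list above can be automated with PowerCLI; the following is an added example, not VMware's own tooling and not code from the original post. It assumes Connect-VIServer has already been run against the vCenter, and the thresholds 9 (required) and 11 (recommended) are the ones stated above.

```powershell
# Added example (PowerCLI), not from the original post. Lists VMs whose virtual
# hardware version is below the minimum (9) or recommended (11) version named
# above, together with the build of the ESXi host they run on. Assumes an
# existing Connect-VIServer session.
function Get-HardwareVersionNumber([string]$Version) {
    # Config.Version looks like "vmx-09" or "vmx-11"
    if ($Version -match '^vmx-(\d+)$') { return [int]$Matches[1] }
    return $null
}

function Get-SpectreHardwareReport {
    param([int]$MinimumVersion = 9, [int]$RecommendedVersion = 11)
    foreach ($vm in Get-VM) {
        $hw = Get-HardwareVersionNumber $vm.ExtensionData.Config.Version
        $status = if ($null -eq $hw)                 { 'unknown' }
                  elseif ($hw -lt $MinimumVersion)     { 'UPGRADE REQUIRED' }
                  elseif ($hw -lt $RecommendedVersion) { 'upgrade recommended' }
                  else                                 { 'ok' }
        [pscustomobject]@{
            VM              = $vm.Name
            Host            = $vm.VMHost.Name
            HostBuild       = $vm.VMHost.Build   # compare against the ESXi patch tables below
            HardwareVersion = $hw
            Status          = $status
        }
    }
}

Get-SpectreHardwareReport | Sort-Object Status, VM | Format-Table -AutoSize
```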
VMSA-2018-0002.2
OS | Update |
---|---|
ESXi 6.5 | ESXi650-201712101-SG |
ESXi 6.0 | ESXi600-201711101-SG |
ESXi 5.5 | ESXi550-201709101-SG |
In case of ESXi550-201709101-SG it is important to know that this patch mitigates CVE-2017-5715, but not CVE-2017-5753! Please see KB52345 for important information on ESXi microcode patches.
VMSA-2018-0004
OS | Update |
---|---|
ESXi 6.5 | ESXi650-201801401-BG, and ESXi650-201801402-BG |
ESXi 6.0 | ESXi600-201801401-BG, and ESXi600-201801402-BG |
ESXi 5.5 | ESXi550-201801401-BG |
vCenter 6.5 | 6.5 U1e |
vCenter 6.0 | 6.0 U3d |
vCenter 5.5 | 5.5 U3g |
The patches ESXi650-201801402-BG, ESXi600-201801401-BG, and ESXi550-201801401-BG patch the microcode for supported CPUs. And this is pretty interesting! To enable hardware support for branch target mitigation (CVE-2017-5715 aka Spectre) in vSphere, three steps are necessary (Source: VMware):
- Update to one of the above listed vCenter releases
- Update ESXi 5.5, 6.0 or 6.5 with
  - ESXi650-201801401-BG
  - ESXi600-201801401-BG
  - ESXi550-201801401-BG
- Apply microcode updates from your server vendor, OR apply these patches for ESXi
  - ESXi650-201801402-BG
  - ESXi600-201801402-BG
  - ESXi550-201801401-BG
In case of ESXi 5.5, the hypervisor and microcode updates are delivered in a single update (ESXi550-201801401-BG).
Update 01-13-2018
Please take a look into KB52345 if you are using Intel Haswell and Broadwell CPUs! The KB article includes a table with affected CPUs.
All you have to do is:
- Update your vCenter to the latest update release, then
- Update your ESXi hosts with all available security updates
- Apply the necessary guest OS security updates and enable the protection (Windows Server)
For the required security updates:
Make sure that you also apply microcode updates from your server vendor!
VMSA-2018-0007
This VMSA, published on 08/02/2018, covers several VMware Virtual appliances. Relevant appliances are:
- vCloud Usage Meter (UM)
- Identity Manager (vIDM)
- vSphere Data Protection (VDP)
- vSphere Integrated Containers (VIC), and
- vRealize Automation (vRA)
Product | Patch pending? | Mitigation/ Workaround |
---|---|---|
UM 3.x | yes | KB52467 |
vIDM 2.x and 3.x | yes | KB52284 |
VDP 6.x | yes | NONE |
VIC 1.x | Update to 1.3.1 | |
vRA 6.x | yes | KB52497 |
vRA 7.x | yes | KB52377 |
HPE ProLiant
HPE has published a customer bulletin (document ID a00039267en_us) with all necessary information:
CVE-2017-5715 requires that the System ROM be updated and a vendor-supplied operating system update be applied as well. CVE-2017-5753 and CVE-2017-5754 require only updates of a vendor-supplied operating system.
Update 01-13-2018
The following System ROMs were previously available but have since been removed from the HPE Support Site due to the issues Intel reported with the microcode updates included in them. Updated revisions of the System ROMs for these platforms will be made available after Intel provides updated microcodes with a resolution for these issues.
Update 01-24-2018
HPE will be releasing updated System ROMs for ProLiant and Synergy Gen10, Gen9, and Gen8 servers including updated microcodes that, along with an OS update, mitigate Variant 2 (Spectre) of this issue. Note that processor vendors have NOT released updated microcodes for numerous processors which gates HPE’s ability to release updated System ROMs.
I will update this blog post as soon as HPE releases new system ROMs.
For most Gen9 and Gen10 models, updated system ROMs are already available. Check the bulletin for the current list of servers for which updated system ROMs are available. Please note that you don’t need a valid support contract to download these updates!
Under Software Type, select “BIOS - (Entitlement Required)”. Note that entitlement is NOT required to download these firmware versions.
Update 02-09-2018
Nothing new. HPE has updated the bulletin on 31-01-2018 with an updated timeline for new system ROMs.
Update 02-25-2018
HPE has published Gen10 system ROMs. Check the advisory: HPE ProLiant, Moonshot and Synergy Servers - Side Channel Analysis Method Allows Improper Information Disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754).
Update 04-17-2018
HPE finally published updated System ROMs for several Gen10, Gen9, Gen8, G7 and even G6 models, which include bread-and-butter servers like the ProLiant DL360 G6 to Gen10, and DL380 G6 to Gen10.
If you are running Windows on your ProLiant, you can use the online ROM flash component for Windows x64. If you are running VMware ESXi, you can use the System ROMPaq firmware upgrade for USB key media.