4

I have installed the patch released today as detailed here and then set the two registry keys as mentioned:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

However, when I run the provided PowerShell module to check, it is informing me the mitigations are still not enabled:

PS C:\Users\Administrator> get-speculationcontrolsettings
Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is enabled: False

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: False
Windows OS support for kernel VA shadow is enabled: False

Suggested actions

 * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
 * Install the latest available updates for Windows with support for speculation control mitigations.
 * Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698


BTIHardwarePresent             : False
BTIWindowsSupportPresent       : False
BTIWindowsSupportEnabled       : False
BTIDisabledBySystemPolicy      : False
BTIDisabledByNoHardwareSupport : False
KVAShadowRequired              : True
KVAShadowWindowsSupportPresent : False
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled           : False

Why is this? What else do I have to do? I have rebooted the server for good measure with no improvement.

Update after answer from @Paul:

I've now installed the correct update (wally), and this is the output of the PowerShell cmdlet:

PS C:\Users\Administrator> get-speculationcontrolsettings
Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: True
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: False

Suggested actions

 * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
 * Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698


BTIHardwarePresent             : False
BTIWindowsSupportPresent       : True
BTIWindowsSupportEnabled       : False
BTIDisabledBySystemPolicy      : True
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired              : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled           : False

Is this everything I can do pending a microcode update?

Darren
  • Just out of curiosity: You have "Windows OS support for branch target injection mitigation is disabled by system policy: True", which is IMHO a bad thing. I have it with "False", which is IMHO a good thing. But my output line is red (thus indicating "bad"). What colour is your "True" line displayed as? – Hagen von Eitzen Jan 06 '18 at 17:50
  • @HagenvonEitzen, mine is also red. No idea how to change the policy to allow it though. – Darren Jan 09 '18 at 10:38

6 Answers

5

Firstly, the above output is saying that the required Windows patch has not been installed:

Speculation control settings for CVE-2017-5715 [branch target injection]

Windows OS support for branch target injection mitigation is present: False

and

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Windows OS support for kernel VA shadow is present: False

Is your AV preventing it? - see here

Secondly, CVE-2017-5715 will also require a CPU microcode update, which means a BIOS update when/if it becomes available. Intel have apparently released the code, but it's down to OEMs to provide updated BIOSes that incorporate it, and that may take a while.

All you can do right now is install the Windows patch. Once the correct patch is installed you should be covered for Meltdown but will still need a subsequent BIOS update to fully cover off Spectre.

FYI, here is the output for my (patched) Windows 10 system:

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: False

You will note that for CVE-2017-5715 it shows that the patch is installed but not enabled due to "absence of hardware support" i.e. the microcode update.

You will also note that for CVE-2017-5754 it simply says that it's not required - this is because I'm running on an AMD CPU.

As for your side note, I can't say for sure without testing, but if you look closely, for disabling, the FeatureSettingsOverride key is being set to 3, not 0 as is required to enable it, so I assume that you need the same mask for both but either a 0 (enable) or 3 (disable) for the FeatureSettingsOverride key.

Paul
  • Thanks. I did [ask](https://security.stackexchange.com/questions/176788/is-there-a-microcode-or-other-hardware-fix-for-meltdown?) and realise afterwards that a BIOS update would also be required. Regarding the AV/regkey question, yes my AV has been updated and has set the key in question (SEP). – Darren Jan 05 '18 at 13:35
  • However, I think I noticed my error. There was one update available this morning on this server and I didn't look too hard at what it was, I just installed it assuming it was the most recently released patch. However, it appears it wasn't what I thought it was, checked for updates again and the monthly cumulative update is still available. Installing it now...(embarrassed). – Darren Jan 05 '18 at 13:35
1

CVE-2017-5715 looks right to me in the absence of a firmware update; however, CVE-2017-5754 is now showing as installed but disabled. Have you checked what the enabler registry keys are set to?

I've also just noted that CVE-2017-5715 is showing as disabled by system policy as well as by absence of hardware support, which also suggests the registry settings are wrong.

Paul
1

There are 3 registry keys, not two. See here:

https://support.microsoft.com/en-gb/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

You're missing this one:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

  • There were only two the other day. That page was updated on the 10th so it could be they added the third key then. Will test the third key on Monday. – Darren Jan 12 '18 at 21:28
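To take the guesswork out of Paul's note on the override values (0 enables, 3 disables, mask 3 in both cases) and the third key from the answer above, here is an added PowerShell check; it is my own example, not code from any answer or from Microsoft's SpeculationControl module. The function name, the state labels and the comparison at the end are my assumptions; the registry paths, value names and the cmdlet's property names come from the question and the KB article.

```powershell
# Added example: read the three values KB4072698 describes and say what they mean.
function Get-SpeculationRegistryState {
    $mm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $vir = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

    # Get-ItemProperty errors on a missing value, so read each one defensively.
    $override = (Get-ItemProperty -Path $mm -Name FeatureSettingsOverride -ErrorAction SilentlyContinue).FeatureSettingsOverride
    $mask     = (Get-ItemProperty -Path $mm -Name FeatureSettingsOverrideMask -ErrorAction SilentlyContinue).FeatureSettingsOverrideMask
    $minVm    = (Get-ItemProperty -Path $vir -Name MinVmVersionForCpuBasedMitigations -ErrorAction SilentlyContinue).MinVmVersionForCpuBasedMitigations

    # State labels are my own; the value combinations are the ones the KB and Paul describe.
    $state = if ($null -eq $override -or $null -eq $mask) {
        'NotConfigured'      # keys absent: the OS default applies
    } elseif ($mask -eq 3 -and $override -eq 0) {
        'Enabled'            # the "enable" values from the question
    } elseif ($mask -eq 3 -and $override -eq 3) {
        'Disabled'           # the "disable" values Paul points out
    } else {
        'Unexpected'         # any other combination: compare against the KB
    }

    [pscustomobject]@{
        FeatureSettingsOverride            = $override
        FeatureSettingsOverrideMask        = $mask
        MinVmVersionForCpuBasedMitigations = $minVm
        MitigationRegistryState            = $state
        HyperVKeyPresent                   = ($minVm -eq '1.0')   # the third key, only relevant on Hyper-V hosts
    }
}

# Compare the registry intent with what the OS actually reports (only meaningful after a reboot).
$reg = Get-SpeculationRegistryState
$reg | Format-List

if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    $live = Get-SpeculationControlSettings
    if ($reg.MitigationRegistryState -eq 'Enabled' -and -not $live.KVAShadowWindowsSupportEnabled) {
        Write-Warning 'Registry asks for the mitigations but KVA shadow is not enabled: check the patch level and reboot.'
    }
    if ($live.BTIWindowsSupportPresent -and -not $live.BTIHardwarePresent) {
        Write-Warning 'Branch target injection mitigation is waiting on a microcode/BIOS update from the OEM.'
    }
} else {
    Write-Warning 'SpeculationControl module not found; install it to compare against live OS state.'
}
```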
0

Just a note on enabling hardware support for this.

Support must be enabled via a BIOS update or... a CPU microcode update via the VMware CPU Microcode Update driver seems to work. Intel released an archive with the microcode files on the 8th of January. It updates the microcode of the CPU; the change is shown in hwinfo or similar.

https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?product=873

https://labs.vmware.com/flings/vmware-cpu-microcode-update-driver

how-to: http://forum.notebookreview.com/threads/how-to-update-microcode-from-windows.787152/

But I am also not able to fully activate it, though HW and OS support are now enabled.

PS C:\Windows\system32> Get-SpeculationControlSettings
Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: False

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID performance optimization is enabled: True [not required for security]

Suggested actions

0

I have just the same problem as Marco Vernaglione. Thanks to the VMware driver and the microcode downloaded from Intel, I now have HW support and OS support, but mitigation is still disabled.

So this is definitely the way to enable HW support.

I tried reinstalling the KB4056892 Windows update, but no change happened.

0

I tried the VMware driver as suggested by @marco-vernaglione without success.

I have the driver installed and the Get-SpeculationControlSettings PowerShell module reports hardware support now. But I can't get Windows to enable support; I've tried setting the registry keys in the referenced KB article https://support.microsoft.com/help/4073119

I suspect that the driver loads too late: Windows has already done its check to enable support before the driver loads the microcode update, and I can't find anything about re-running the check or any way to load the driver before that check.

Output from the Get-SpeculationControlSettings PowerShell module

---

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: False

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID performance optimization is enabled: True [not required for security]

Suggested actions

* Follow the guidance for enabling Windows Client support for speculation control mitigations described in https://support.microsoft.com/help/4073119

BTIHardwarePresent             : True
BTIWindowsSupportPresent       : True
BTIWindowsSupportEnabled       : False
BTIDisabledBySystemPolicy      : False
BTIDisabledByNoHardwareSupport : False
KVAShadowRequired              : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled           : True