2

I do see that "I can't enable the Meltdown/Spectre mitigations in Windows Server 2008 R2" is a similar question, but I suppose that the environment differences may justify different remedies.

After installing the Meltdown/Spectre related Windows updates and registry keys, and verifying that the relevant VMware patch is installed (more precisely, ESXi550-201709101-SG is listed as "considered obsolete by the host", as is ESXi550-201709102-SG, but ESXi550-201709103-SG is installed), the Microsoft testing tool gives me only:

```text
Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID performance optimization is enabled: False [not required for security]

Suggested actions

 * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.


BTIHardwarePresent             : False
BTIWindowsSupportPresent       : True
BTIWindowsSupportEnabled       : False
BTIDisabledBySystemPolicy      : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired              : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled           : False
```

I dare to interpret these (in particular regarding CVE-2017-5715) as

  • CPU is vulnerable
  • Windows updates have been installed
  • Registry settings are missing
  • GPO is not a problem
  • Appropriate Microcode/Firmware is missing

This confuses me. For one, the registry settings should be ok according to the following export excerpt:

```text
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"FeatureSettingsOverride"=dword:00000000
"FeatureSettingsOverrideMask"=dword:00000003
"FeatureSettings"=dword:00000003
```

Additionally, I don't understand why the required microcode is missing (and hence a BIOS/firmware update is suggested) given that the underlying VMware host has ESXi550-201709103-SG installed (note though that ESXi550-201709101-SG comes with a footnote that it mitigates against CVE-2017-5715 but not against CVE-2017-5753).

What should I do?

Update

Meanwhile, I did also install BIOS/firmware (specifically, for the underlying ProLiant BL460c Gen 9 blade, I installed BIOS version 2.54 from 12-07-2017, whose fix list says "Updated the Intel processor microcode to the latest version."). The blade/host as well as the guest have been rebooted afterwards, but I still get the same test results (FTFFTTTTF, and I am still suggested to "Install BIOS/firmware update provided by your device OEM ..."). I even had the guest boot into its BIOS and flipped through the settings to see if something needed to be enabled (apparently this is not the case).

Update 2

Out of curiosity, I tried the Linux testing tool as well. That tells me "Hardware (CPU microcode) support for mitigation: YES" even on a blade that had only ESXi550-201709103-SG installed, but not yet ProLiant BIOS 2.54.

Hagen von Eitzen
  • Does VMware maybe need the machine type definition to be changed? Can't imagine it enables a feature automatically, that would break vMotion. The 'install BIOS update' suggestion is misleading. It means 'make sure your BIOS or Hypervisor updates your Microcode and enable the Hypervisor to expose the capabilities' – eckes Jan 12 '18 at 11:22
  • This doesn't answer your question but might be an important information for you: The microcode in BIOS version 2.54 for ProLiant BL460c Gen 9 [seems to be buggy](https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00039784en_us) – Mario Lenz Jan 13 '18 at 19:18
  • @MarioLenz WAAAAH! Thanks for the hint. This is beginning to really ... bug me. With fixes coming out only weeks after public disclosure and fixes being incomplete and withdrawn like this, I wonder why we still do not hear of exploits active in the wild ... – Hagen von Eitzen Jan 13 '18 at 23:08
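The nine booleans in the question already contain the answer to the "registry settings are missing" guess: `BTIDisabledBySystemPolicy` is False and `BTIDisabledByNoHardwareSupport` is True, so the override registry pair is not what is blocking the mitigation. The following script is an added example, not something from the question or from Microsoft's SpeculationControl module: it reads the `FeatureSettingsOverride`/`FeatureSettingsOverrideMask` pair, walks the same decision tree the tool output implies, and names the single blocking condition. The bit meanings (bit 0 = branch target injection, bit 1 = kernel VA shadow) are my reading of the combinations Microsoft documents for these keys (0/3 enables both, 3/3 disables both, 1/1 disables only CVE-2017-5715) and should be treated as an assumption; the sample hashtable is constructed by hand from the values posted above so the script runs on any machine.

```powershell
# Added example (not from the question, the answer, or the SpeculationControl module):
# interpret Get-SpeculationControlSettings output together with the registry override pair.

function ConvertFrom-FeatureSettings {
    # Decode the override pair. Only bits that are set in the mask take effect.
    # Assumed bit meanings: bit 0 = branch target injection (CVE-2017-5715),
    # bit 1 = kernel VA shadow (CVE-2017-5754), derived from the documented 0/3, 3/3 and 1/1 combinations.
    param([int]$Override, [int]$Mask)
    $effective = $Override -band $Mask
    [pscustomobject]@{
        Override            = $Override
        Mask                = $Mask
        BtiDisabledByPolicy = (($effective -band 1) -ne 0)
        KvaDisabledByPolicy = (($effective -band 2) -ne 0)
    }
}

function Get-FeatureSettingsPolicy {
    # Read the pair from the registry key shown in the question; a missing value counts as 0.
    param([string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management')
    $props    = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $override = if ($null -ne $props.FeatureSettingsOverride)     { [int]$props.FeatureSettingsOverride }     else { 0 }
    $mask     = if ($null -ne $props.FeatureSettingsOverrideMask) { [int]$props.FeatureSettingsOverrideMask } else { 0 }
    ConvertFrom-FeatureSettings -Override $override -Mask $mask
}

function Get-BtiBlocker {
    # $Status: the object Get-SpeculationControlSettings returns (or a hashtable with the same member names).
    # $Policy: the object ConvertFrom-FeatureSettings returns.
    # Returns one sentence naming the first condition that prevents the CVE-2017-5715 mitigation from being active.
    param($Status, $Policy)
    if (-not $Status.BTIWindowsSupportPresent) {
        return 'Windows update for CVE-2017-5715 is not installed.'
    }
    if ($Status.BTIWindowsSupportEnabled) {
        return 'Branch target injection mitigation is active; nothing to do.'
    }
    if ($Status.BTIDisabledBySystemPolicy -or $Policy.BtiDisabledByPolicy) {
        return 'Mitigation is switched off by FeatureSettingsOverride (or a GPO writing it); fix the registry pair.'
    }
    if ($Status.BTIDisabledByNoHardwareSupport -or -not $Status.BTIHardwarePresent) {
        return 'The CPU as seen by this OS does not expose the microcode capability. Physical host: update firmware/microcode. VM: update host microcode, check virtual hardware version, then power the VM fully off and on (a guest reboot is not enough).'
    }
    return 'Mitigation is not enabled for an unlisted reason; inspect the full tool output.'
}

# Constructed sample input: the nine values posted in the question, entered by hand.
$sample = @{
    BTIHardwarePresent             = $false
    BTIWindowsSupportPresent       = $true
    BTIWindowsSupportEnabled       = $false
    BTIDisabledBySystemPolicy      = $false
    BTIDisabledByNoHardwareSupport = $true
    KVAShadowRequired              = $true
    KVAShadowWindowsSupportPresent = $true
    KVAShadowWindowsSupportEnabled = $true
    KVAShadowPcidEnabled           = $false
}
$samplePolicy = ConvertFrom-FeatureSettings -Override 0 -Mask 3   # the registry excerpt from the question
$samplePolicy
Get-BtiBlocker -Status $sample -Policy $samplePolicy

# On a real guest with Microsoft's module installed (Install-Module SpeculationControl), run instead:
# Import-Module SpeculationControl
# Get-BtiBlocker -Status (Get-SpeculationControlSettings) -Policy (Get-FeatureSettingsPolicy)
```

With the posted values the policy object shows both `...DisabledByPolicy` flags as False and the blocker function returns the "does not expose the microcode capability" sentence, which is the branch that applies to a VM whose hypervisor has not yet passed the new CPU features through to the guest.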

1 Answer

3

As far as I know, VMware patches don't contain new microcode; you will need to get and install a firmware / BIOS update from your hardware vendor for this. ESXi550-201709101-SG should contain (some) mitigations against CVE-2017-5715, but on a hypervisor level and not on a hardware / CPU / microcode level.

There are already updates from HPE for ProLiant Gen9 and 10 and Dell for PowerEdge R630/R730/R730XD. I should think from other vendors and for other models, too, but these are the ones I'm interested in and therefore had an eye on.

Can't help you with your registry settings, though.

edit: I have to apologize, it looks like ESXi650-201801402-BG updates cpu-microcode. That's new to me...

edit 2: Installing all updates (BIOS / microcode, ESXi, OS) might not be enough; it looks like you need to ensure that virtual hardware 9 (better is 11 or later) is used and again power off and power on your VM. And "power off and power on your VM" means just that: rebooting the guest OS does not seem to be enough.

Mario Lenz
  • Quoting a VMware security alert e-mail I received today: "**Update the CPU microcode. Additional microcode is needed for your CPU to be able to expose the new MSRs that are used by the patched Guest OS. This microcode should be available from your hardware platform vendor. VMware is providing several versions of the required microcode from INTEL and AMD through ESXi patches listed in the table. See VMware Knowledge Base 52085 for more details**" Seems like some systems may be able to use VMware microcode, others have to go to the system OEM for updates. – Todd Wilcox Jan 09 '18 at 18:47
  • @ToddWilcox Yes, I've just seen that ESXi650-201801402-BG includes a microcode update. That's new to me and I will update my answer. – Mario Lenz Jan 09 '18 at 19:58
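The answer's "edit 2" describes a host-side check that is easy to get wrong from inside the guest, where neither the virtual hardware version nor a real power cycle is visible. The following PowerCLI snippet is an added example, not code from the answer or from VMware: it reports the virtual hardware version of one VM against the thresholds the answer gives (at least 9, preferably 11 or later) and leaves the full off/on cycle as commented commands so nothing is powered down by accident. It assumes VMware PowerCLI is installed, that `Connect-VIServer` has already been run against the vCenter or host, and that the `Version` property of the `Get-VM` object reads like `v9`/`v11` (newer PowerCLI builds also expose `HardwareVersion`); the VM name is a placeholder.

```powershell
# Added example (not from the answer or from VMware): check the virtual hardware version
# that the answer says is needed before the guest can see the new CPU features.
# Assumes PowerCLI is installed and Connect-VIServer has already been run.
param([string]$VmName = 'PLACEHOLDER-VM-NAME')   # placeholder, replace with the guest's name

function Get-VmHardwareReadiness {
    param([string]$Name)
    $vm = Get-VM -Name $Name
    # Version reads like 'v9' or 'v11'; strip the leading 'v' to compare numerically.
    $hw = [int]($vm.Version.ToString() -replace '^v', '')
    [pscustomobject]@{
        Name             = $vm.Name
        HardwareVersion  = $vm.Version
        PowerState       = $vm.PowerState
        MeetsMinimum     = ($hw -ge 9)     # the answer's hard minimum
        MeetsRecommended = ($hw -ge 11)    # the answer's recommendation
    }
}

Get-VmHardwareReadiness -Name $VmName

# A real power cycle is what the answer asks for; a guest reboot keeps the old virtual CPU
# definition. Uncomment deliberately, after the host has its microcode update:
# Shutdown-VMGuest -VM (Get-VM -Name $VmName) -Confirm:$false
# # wait until (Get-VM -Name $VmName).PowerState -eq 'PoweredOff', then:
# Start-VM -VM (Get-VM -Name $VmName)
```

If `MeetsMinimum` is False the virtual hardware has to be upgraded before the power cycle; if it is True and the guest-side tool still reports `BTIDisabledByNoHardwareSupport : True` after a full off/on, the remaining suspect is the host microcode itself, as the comments above about the withdrawn BIOS 2.54 microcode illustrate.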