Microsoft Information for VU#584653

CPU hardware vulnerable to side-channel attacks

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software
https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/
https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/
https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/
https://support.microsoft.com/en-us/help/4073707/windows-os-security-update-block-for-some-amd-based-devices

Addendum

Note that Windows systems without antivirus do not appear to receive the ADV180002 update automatically. In order to receive the update through Windows Update, run the following command:


    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" /v cadca5fe-87d3-4b96-b7fb-a231484277cc /t REG_DWORD /d 0 /f

If a third-party antivirus product does not explicitly indicate compatibility with the protections provided by ADV180002 by setting the above registry value, the system will not automatically receive the ADV180002 update, nor any other update from Microsoft, via Windows Update.

Once a system has the ADV180002 update installed, it must be manually activated using the following commands to make the appropriate registry changes:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
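The following PowerShell script is an added example, not part of the CERT/CC note and not Microsoft's own tooling. It reads back the four registry values the addendum above sets and reports whether each one matches the value given there, so an administrator can confirm the changes took effect (and catch a missing QualityCompat value, which would stop Windows Update from offering the update). The expected values and their one-line descriptions are taken only from the note; the script does not interpret other FeatureSettingsOverride bit combinations. Run it in an elevated PowerShell session.

```powershell
# Added example: verify the registry values named in the ADV180002 addendum.
# Expected values are exactly those the note gives; anything else is reported
# as a mismatch without further interpretation.

$checks = @(
    @{
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
        Name     = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
        Expected = 0
        Purpose  = 'AV compatibility flag; without it Windows Update will not offer the update'
    },
    @{
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
        Name     = 'FeatureSettingsOverride'
        Expected = 0
        Purpose  = 'Mitigation override (0 together with mask 3 = mitigations enabled)'
    },
    @{
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
        Name     = 'FeatureSettingsOverrideMask'
        Expected = 3
        Purpose  = 'Mask selecting which mitigations the override applies to'
    },
    @{
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
        Name     = 'MinVmVersionForCpuBasedMitigations'
        Expected = '1.0'
        Purpose  = 'Hyper-V: minimum VM version that receives the CPU-based mitigations'
    }
)

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Get-ItemProperty throws when the key or value is absent; report absence as $null
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null
    }
}

$results = foreach ($c in $checks) {
    $actual = Get-RegValueOrNull -Path $c.Path -Name $c.Name
    $shown  = if ($null -eq $actual) { '<missing>' } else { $actual }
    # Compare as strings so REG_DWORD 0 and REG_SZ "1.0" are handled the same way
    $match  = ($null -ne $actual) -and ("$actual" -eq "$($c.Expected)")
    [pscustomobject]@{
        Value    = $c.Name
        Expected = $c.Expected
        Actual   = $shown
        Matches  = $match
        Purpose  = $c.Purpose
    }
}

$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Matches }) {
    Write-Warning 'One or more values differ from the addendum: the update may not be offered, or the mitigations may not be active.'
}
```

A `<missing>` QualityCompat entry on a machine without antivirus is the case the addendum describes; a mismatch on FeatureSettingsOverride or its mask means the installed update has not been activated.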

Also note that in addition to the above changes, ADV180002 requires CPU microcode updates to achieve full protection. In some cases, Windows Update may not automatically install the ADV180002 update. An unofficial spreadsheet of antivirus vendor compatibility with this update is maintained here: https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true

On systems that have not received the ADV180002 update automatically, you may have to install the update manually. Please see https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution for more details.

To verify that your Windows system has protections against Meltdown and Spectre variant 2, in a PowerShell session running with Administrator privileges, run:
    1. Install-Module SpeculationControl
      If this fails, you may need to install PackageManagement PowerShell Modules
    2. Get-SpeculationControlSettings
      If this fails, you may need to change your PowerShell ExecutionPolicy setting:
      Set-ExecutionPolicy RemoteSigned
      Once you are satisfied with the PowerShell output, you can revert the ExecutionPolicy setting back to the default Restricted setting by running:
      Set-ExecutionPolicy Restricted
The output of this PowerShell command will indicate the status of whether the CPU has the required microcode update, whether Windows has the required software update installed, and whether the mitigations are enabled. Any setting that indicates "False" is an indicator of incomplete protection from Meltdown and/or Spectre.

For example, a system that has the ADV180002 update properly installed and enabled, but is missing the CPU microcode update to fully enable the protections will show output like this:


Once the CPU microcode is updated on such a system (e.g. by way of a BIOS update), the output will look like this, which indicates that the protections Microsoft has released are fully enabled:


If the above PowerShell command indicates "Windows OS support for PCID optimization is enabled: False", this is a symptom of using a processor that doesn't support process context identifiers (PCID). Such processors cannot take advantage of the performance optimization that avoids a TLB flush.

If the above PowerShell command indicates "Hardware requires kernel VA shadowing: False", this is a symptom of using a processor that doesn't require mitigations for CVE-2017-5754 (Meltdown).
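The script below is an added example, not part of the CERT/CC note and not Microsoft's SpeculationControl module itself. It automates the reading of `Get-SpeculationControlSettings` output described above: every boolean property that is `False` is listed, but the two cases the note explains as benign (a processor that does not require kernel VA shadowing, and one without PCID) are separated from real protection gaps, and a `False` on a hardware-related property is reported as the missing-microcode case. It assumes the module is installed and that the returned object carries boolean properties including `KVAShadowRequired` and `KVAShadowPcidEnabled` (names as seen in the module's early 2018 releases); adjust if your version differs.

```powershell
# Added example: classify "False" values from Get-SpeculationControlSettings.
# Assumes the SpeculationControl module is installed and its result object has
# boolean properties including KVAShadowRequired and KVAShadowPcidEnabled.

Import-Module SpeculationControl -ErrorAction Stop

# The cmdlet prints its own human-readable summary; the returned object is what we inspect.
$status = Get-SpeculationControlSettings

# Per the note, a False on these two is a property of the CPU, not a missing protection.
$benignWhenFalse = @{
    KVAShadowRequired    = 'Processor does not need the CVE-2017-5754 (Meltdown) mitigation'
    KVAShadowPcidEnabled = 'Processor lacks PCID; only the TLB-flush optimisation is unavailable'
}

# If the processor does not require kernel VA shadowing, the remaining KVAShadow*
# values are not applicable either (assumed reading of the note's statement).
$kvaNotRequired = ($status.PSObject.Properties['KVAShadowRequired'].Value -eq $false)

$findings = foreach ($p in $status.PSObject.Properties) {
    # Only boolean properties that are False are of interest
    if (-not ($p.Value -is [bool]) -or $p.Value) { continue }

    if ($benignWhenFalse.ContainsKey($p.Name)) {
        $meaning = $benignWhenFalse[$p.Name]; $gap = $false
    } elseif ($kvaNotRequired -and $p.Name -like 'KVAShadow*') {
        $meaning = 'Not applicable: kernel VA shadowing not required on this processor'; $gap = $false
    } elseif ($p.Name -like '*Hardware*') {
        # Assumed naming: hardware-related properties reflect CPU microcode support
        $meaning = 'CPU microcode support missing (typically supplied by a BIOS/UEFI update)'; $gap = $true
    } else {
        $meaning = 'Windows update not installed or mitigation not enabled'; $gap = $true
    }

    [pscustomobject]@{ Setting = $p.Name; Meaning = $meaning; Gap = $gap }
}

if (-not $findings) {
    Write-Output 'All reported settings are True: mitigations fully enabled.'
} else {
    $findings | Format-Table -AutoSize
    if ($findings | Where-Object Gap) {
        Write-Warning 'Incomplete protection against Meltdown and/or Spectre variant 2.'
        exit 1   # non-zero exit so the script can be used in a fleet-wide check
    }
}
```

Save it as a `.ps1` file and run it from an elevated session (the ExecutionPolicy note above applies); the non-zero exit code makes it usable from a management tool that runs the check across many hosts.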

Also note that Microsoft has not yet provided protection for CVE-2017-5754 (Meltdown) on affected 32-bit platforms.

If you have feedback, comments, or additional information about this vulnerability, please send us email.