• “Side channel” vulnerabilities and Windows


    #1692690

    I’ve avoided talking much about Spectre, Meltdown and the like because there’s an endless succession of patches to Windows and the hardware – and regi
    [See the full post at: “Side channel” vulnerabilities and Windows]

    • #1692696

      Here’s the latest from @alqamar:

      My motivation was to give you and myself an overview of a ton of information spread over a forest of sites provided by Microsoft, many of them outdated due to the sheer complexity.

      After all I hope it is helpful for you.

      Tl;dr: install all patches on all OS as suitable + some extra patches that might not even be in WSUS by default and enable the registry values and in some cases apply BIOS updates. That easy.

      Disclaimer: It took me several hours of constant work and concentration to put this together. If you find an error let me know. I don’t have Github. I thought about posting this on pastebin instead.

      Susan, if there is no feedback about critical errors, you are welcome to include this in a sub category of your patch master list.

      Spectre 1, 2, 3, 3a, 4 (SSBD), L1TF, MDS, Retpoline

      Spectre v1/2

      Server 2008 SP2                              KB4090450[0] > KB4093478[1] + Registry AMD / Intel + BIOS

      Server 2008 R2 SP1                       KB4056897[0] > KB4338821[1] + Registry AMD / Intel + BIOS

      Server 2012                                     KB4088880[0] > KB4338816[1] + Registry AMD / Intel + BIOS

      Server 2012 R2 U1                        KB4056898[0] > KB4338831[1] + Registry AMD / Intel + BIOS

      Server 2016 1607/Core                KB4056890[0] > KB4132216 + KB4338822[1] + Registry AMD / Intel + BIOS or 2018-10 KB4091664-v6

      Server 2016 1709 Core                KB4056892[0] > KB4131372 + KB4338817[1] + Registry AMD / Intel + BIOS or 2018-10 KB4091663-v6

      Server 2016 1803 Core                KB4338853 + KB4340917[1] + Registry AMD / Intel + BIOS or 2018-10 KB4100347-v4

      Server 2019 1809/Core                included in OS + Registry AMD / Intel

      Server 2019 1903 Core                included in OS + Registry AMD / Intel

      Windows Vista SP2                       KB4090450[0] > KB4093478[1] + Registry AMD / Intel + BIOS (out of support)

      Windows 7 SP1                               KB4056897[0] > KB4338821[1] + Registry AMD / Intel + BIOS

      Windows 8.0                                   KB4088880[0] > KB4338816[1] + Registry AMD / Intel + BIOS (out of support)

      Windows 8.1 U1                             KB4056898[0] > KB4338831[1] + Registry AMD / Intel + BIOS

      Windows 10 1507 LTSC               KB4345455[1] + Registry AMD / Intel + BIOS or 2018-05 KB4091666-v5 (Home / Pro / Ent / Edu out of support)

      Windows 10 1511                         KB4035632 + KB4093109[1] + Registry AMD / Intel + BIOS (Home / Pro / Ent / Edu out of support)

      Windows 10 1607 LTSC               KB4056890[0] > KB4132216 + KB4338822[1] + Registry AMD / Intel + BIOS or 2018-10 KB4091664-v6 (Home / Pro / Ent / Edu out of support)

      Windows 10 1703                         KB4132649 + KB4338827[1] + Registry AMD / Intel + BIOS or 2018-10 KB4091663-v6 (Home / Pro / Ent / Edu out of support)

      Windows 10 1709                         KB4056892[0] > KB4131372 + KB4338817[1] + Registry AMD / Intel + BIOS or 2018-10 KB4090007_v6 (Home / Pro out of support)

      Windows 10 1803                         KB4338853 + KB4340917[1] + Registry AMD / Intel + BIOS or 2018-10 KB4100347-v4

      Windows 10 1809                         included in OS

      Windows 10 1903                         included in OS

      Windows 10 20H1                         included in OS

      Spectre NG v3, 3a, 4 (SSBD) [3], L1TF

      Server 2008 SP2                             KB4480968[0] > KB4499180[1] + Registry AMD / Intel + BIOS

      Server 2008 R2 SP1                       KB4480970[0] > KB4093478[1] + Registry AMD / Intel + BIOS

      Server 2012                                     KB4480975[0] > KB4499158[1] + Registry AMD / Intel + BIOS

      Server 2012 R2 U1                        KB4480963[0] > KB4499165[1] + Registry AMD / Intel + BIOS

      Server 2016 1607/Core                KB4467691[0] > KB4494440[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346087-v3

      Server 2016 1709 Core                KB4467686[0] > KB4499179[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346085-v3

      Server 2016 1803 Core                KB4467702[0] > KB4499167[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346084-v3

      Server 2019 1809/Core                BIOS or 2019-02 KB4465065-v3 + Registry AMD / Intel

      Server 2019 1903 Core                included in OS + Registry AMD / Intel

      Windows Vista SP2                       KB4480968[0] > KB4499180[1] + Registry AMD / Intel + BIOS (out of support)

      Windows 7 SP1                              KB4480970[0] > KB4093478[1] + Registry AMD / Intel + BIOS

       Windows 8.0                                   KB4480975[0] > KB4499158[1] + Registry AMD / Intel + BIOS (out of support)

      Windows 8.1 U1                            KB4480963[0] > KB4499165[1] + Registry AMD / Intel + BIOS

      Windows 10 1507 LTSC               KB4467680[0] > KB4471323[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346088-v2 (Home / Pro / Ent / Edu out of support)

      Windows 10 1511                         KB4035632 + KB4093109[1] + Registry AMD / Intel + BIOS (Home / Pro / Ent / Edu out of support)

      Windows 10 1607 LTSC               KB4467691[0] > KB4494440[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346087-v3 (Home / Pro / Ent / Edu out of support)

      Windows 10 1703                         KB4467696[0] > KB4499181[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346086-v3 (Home / Pro / Ent / Edu out of support)

      Windows 10 1709                         KB4467686[0] > KB4499179[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346085-v3 (Home / Pro out of support)

      Windows 10 1803                         KB4467702[0] > KB4499167[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346084-v3

      Windows 10 1809                         KB4467708[0] > KB4471332[1] + Registry AMD / Intel + BIOS or 2019-02 KB4465065-v3

      Windows 10 1903                         included in OS

      Windows 10 20H1                         included in OS

      MDS

      Server 2008 SP2                             Registry AMD / Intel + BIOS

      Server 2008 R2 SP1                       Registry AMD / Intel + BIOS

      Server 2012                                     Registry AMD / Intel + BIOS

      Server 2012 R2 U1                        Registry AMD / Intel + BIOS

      Server 2016 1607/Core                Registry AMD / Intel + BIOS or 2019-05 KB4494175

      Server 2016 1709 Core                Registry AMD / Intel + BIOS or 2019-05 KB4494452

      Server 2016 1803 Core                Registry AMD / Intel + BIOS (KB Microcode not yet available)

      Server 2019 1809/Core                Registry AMD / Intel + BIOS (KB Microcode not yet available)

      Server 2019 1903 Core                included in OS

      Windows Vista SP2                       Registry AMD / Intel + BIOS

      Windows 7 SP1                              Registry AMD / Intel + BIOS

      Windows 8.0                                   Registry AMD / Intel + BIOS

      Windows 8.1 U1                            Registry AMD / Intel + BIOS

      Windows 10 1507 LTSC               Registry AMD / Intel + BIOS or 2019-05 KB4494454 (Home / Pro / Ent / Edu out of support)

      Windows 10 1511                         (out of support)

      Windows 10 1607 LTSC               Registry AMD / Intel + BIOS or 2019-05 KB4494175 (Home / Pro / Ent / Edu out of support)

      Windows 10 1703                         Registry AMD / Intel + BIOS or 2019-02 KB4494453 (Home / Pro / Ent / Edu out of support)

      Windows 10 1709                         Registry AMD / Intel + BIOS or 2019-05 KB4494452 (Home / Pro out of support)

      Windows 10 1803                         Registry AMD / Intel + BIOS (KB Microcode not yet available)

      Windows 10 1809                         Registry AMD / Intel + BIOS (KB Microcode not yet available)

      Windows 10 1903                          included in OS

      Windows 10 20H1                          included in OS

      Retpoline (<=Skylake)/ ImportOptimization (>Skylake)

      Server 2019 1809/Core  2019-05 KB4494441 + Registry AMD / Intel

      Server 2019 1903 Core  included in OS + Registry AMD / Intel

      Windows 10 1809                         2019-05 KB4494441

      Windows 10 1903                          included in OS

      [0] superseded, bugged; should be declined

      [1] or later cumulative security quality update. READ RESPECTIVE UPDATE HISTORY KNOWN ISSUES BEFORE APPLYING

      [2] Exceptions apply to clients with AMD CPUs that need Registry AMD, refer to MS advisories

      [3] SSBD is never enabled by default without Registry Intel, refer to MS advisories

      Registry values:

      Server:  https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

      Clients: https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

    • #1696556

      I’m glad that FeatureSettings 3 is still valid to disable all of this mitigations mess

    • #1710366

      I’m getting a headache reading this.  Thank you so much for this.

      Susan Bradley Patch Lady/Prudent patcher

    • #1714368

      Thanks for this list. Like Susan I get a headache reading it 🙂

      But I did see two small errors: Retpoline is mitigated on systems older than Skylake. Systems with Skylake or newer do not get this patch, because it is technically impossible. Also, Import optimization is not restricted to systems higher than Skylake, but, from what I have read, is available on all systems. What may have caused the confusion is that on Skylake and newer only Import optimization is available, but nowhere was mentioned that it was only available on those systems and not on older systems (link).

      • #1715882

        Ahem. This is not actually what happens.

        Retpoline is an alternate mitigation method for some of these vulnerabilities. It needs to be turned on at compile time, which means you need compiler support for it. Now, since we aren’t getting application packages both with and without it, it cannot as such be fundamentally incompatible with any hardware version that those run on…

        What it is, is that it’s only useful on certain kinds of hardware. Base-type retpoline is not very useful on Skylake. However, with additional underflow protection, it can be at least useful (as in good enough to be used), if not quite the very best possible, strategy on at least some variants of Skylake too. Hence, on Linux, some of Andi Kleen’s patches did indeed enable retpoline on some Skylake variants.

        Where this all becomes relevant is virtualization, particularly high availability or load-balanced setups with VM migration between physical nodes – meaning, at startup time you don’t actually know what kind of a processor your process, or the entire VM guest system install, will be running on an hour from now… much less during weekly/monthly build times at the application vendor. You’ll want to include mitigation strategies that apply to as many processor models as possible.

        So. Which versions of Visual Studio come with a retpoline-enabled compiler again? And how do we determine whether it’s on or not in application binaries?

    • #1719963

      Woody, thanks for the work and info.

      I see Susan has added this to the Master Patch List.

      Can you please explain how to understand the information, by interpreting one or two of the lines? What is the (0) etc after the KB number?

      Thanks

      Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)
      • #1736486

        Footnotes:

        [0] superseded, bugged; should be declined

        • #1849919

          Could someone help decipher (item by item) what this listing for ver 1803 from the current Master Patch list is advising me I need to do?
          Thx

          Windows 10 1803 KB4338853 + KB4340917[1] + Registry AMD / Intel + BIOS or 2018-10 KB4100347-v4

          Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)
          • #1851173

            If you apply cumulative patches you don’t need to do anything.
            Otherwise:
            Install KB4338853
            Check for the latest version of KB4340917. There are known issues with this patch so check before installing.
            Apply the registry patches shown here.
            Patch your BIOS/firmware, if possible / apply KB4100347.

            Or you could choose the “do nothing” option as there seem to be no attacks – probably because it’s much easier to go phishing.

            cheers, Paul

    • #1736203

      I am confused about the registry key FeatureSettingsOverride to enable all mitigations in KB4072698 for servers.  If a processor does not support hyper-threading, should I treat it the same as hyper-threading disabled?  I would assume yes, but technically it is not disabled.

      So I have to figure out which servers currently use hyper-threading to assign either 72 or 8264 to that registry key.

      I have been running remotely:

      wmic cpu get numberofcores, numberoflogicalprocessors

      Some of them are obvious, the number of logical processors is greater than the number of cores with just a one-line response.  But what about the ones that come back with the same numbers twice, a two-line response?  I would assume those are also not using hyper-threading.  When I look up the processor on Intel’s site, hyper-threading is not listed as a feature.

      I already have the servers set with 8 for that registry key from the last time.  I guess we are going to be changing it often and have to separate out the servers in GP that have hyper-threading.  Yes, I have some very old servers that need replacing. If MS would give me a break, I could get something done.

      Any insight would be appreciated.
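      An added PowerShell example (not from this post, from Microsoft, or from the KB) that runs the same core/logical-processor comparison as the wmic query above on each server, reads the current FeatureSettingsOverride and mask values that the registry links in the first reply point to, and groups servers by the value the post's KB4072698 case needs. It assumes WinRM access to each server, a hypothetical $Servers input list, the registry path the KB documents, and that 72 applies with Hyper-Threading enabled and 8264 with it disabled.

```powershell
# Added example, not part of the post. Classify servers by Hyper-Threading state
# and compare the FeatureSettingsOverride they have with the value they need.
# Assumptions: WinRM enabled on the targets; $Servers is a hypothetical list;
# 72 = all mitigations with HT enabled, 8264 = all mitigations with HT disabled.
param([string[]]$Servers = @('localhost'))

function Get-L1tfOverrideState {
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
        # One Win32_Processor instance per socket: a two-socket box is the
        # "two-line response" in the post, so evaluate every instance.
        $cpus = @(Get-CimInstance -ClassName Win32_Processor)
        $htActive = [bool]($cpus | Where-Object { $_.NumberOfLogicalProcessors -gt $_.NumberOfCores })
        # A CPU that lacks Hyper-Threading and one with it switched off in the
        # BIOS both expose one logical processor per core; the OS cannot tell
        # them apart, so both take the "HT disabled" value.
        $recommended = if ($htActive) { 72 } else { 8264 }
        $props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ComputerName        = $env:COMPUTERNAME
            Sockets             = $cpus.Count
            Cores               = ($cpus | Measure-Object -Property NumberOfCores -Sum).Sum
            LogicalProcessors   = ($cpus | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
            HyperThreading      = $htActive
            CurrentOverride     = $props.FeatureSettingsOverride
            CurrentOverrideMask = $props.FeatureSettingsOverrideMask
            RecommendedOverride = $recommended
            NeedsChange         = ($props.FeatureSettingsOverride -ne $recommended)
        }
    }
}

$results = foreach ($s in $Servers) { Get-L1tfOverrideState -ComputerName $s }

$results | Format-Table ComputerName, Sockets, Cores, LogicalProcessors, HyperThreading,
    CurrentOverride, CurrentOverrideMask, RecommendedOverride, NeedsChange -AutoSize

# Membership for the two GPO groups the post wants to build, one per value.
$results | Group-Object -Property RecommendedOverride | ForEach-Object {
    "FeatureSettingsOverride=$($_.Name): $($_.Group.ComputerName -join ', ')"
}
```

The value a server currently holds is reported rather than changed, so the output can be reviewed against the KB's table before any GPO is edited.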

    • #1765788

      Do I understand that any of those numerous “side panel” patches mentioned above, that should they apply, need be installed or not?

      Thanks
      Win 7 64 Group “B”

    • #1766566

      There do not seem to be any exploits for the side channel vulnerabilities, so you can leave the patches out.

      cheers, Paul
