Mitigating CVE-2017-5715, CVE-2017-5754 and CVE-2018-3620 using SanerNow


    Overview:

    Microsoft has additional recommendations for effectively patching the following vulnerabilities:

    CVE-2017-5715

    CVE-2017-5754

    CVE-2018-3620 

    Mitigating these vulnerabilities requires creating certain Windows Registry entries. This article describes the steps to create these registry settings.

    Affected OS: All Microsoft Windows

    Solution:

    1. Install the patches recommended in the Microsoft advisory, ADV180002

    2. Create the following registry entries:

    Registry Changes:

    a. To enable the fix on Windows systems with processors other than AMD and ARM:

    * Fix for Windows Clients:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    OR:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    * Fix for Windows Server:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

    OR:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

     

    b. To enable the fix on Windows systems with AMD processors:

    * Fix for Windows Clients:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    * Fix for Windows Server:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

     

    c. To enable the fix on Windows systems with ARM processors:

    * Fix for Windows Clients:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 64 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    * Fix for Windows Server:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 64 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

    3. Reboot the system so that the changes take effect. 
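
    To confirm after the reboot that the values from step 2 are in place, the following read-only PowerShell check can be run on the endpoint. It is an added example, not part of the original article or of SanerNow; the function names and the processor classification via Win32_Processor are assumptions of this example, while the expected data values are those in the reg add commands above.

```powershell
# Added example: read-only audit of the values written by the reg add commands above.
$mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

# Accepted FeatureSettingsOverride data per processor family (sections a, b and c).
$allowedOverride = @{ Other = @(0, 8); AMD = @(72); ARM = @(64) }

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns nothing ($null) when the key or the value is missing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function New-Check([string]$Value, $Actual, [string]$Expected, [bool]$Ok) {
    [pscustomobject]@{ Value = $Value; Actual = $Actual; Expected = $Expected; Ok = $Ok }
}

function Test-MitigationRegistry {
    # Assumption of this example: Win32_Processor.Architecture 5 or 12 means ARM/ARM64,
    # Manufacturer 'AuthenticAMD' means AMD, everything else falls under section a.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $family = 'Other'
    if ($cpu.Architecture -in 5, 12) {
        $family = 'ARM'
    } elseif ($cpu.Manufacturer -eq 'AuthenticAMD') {
        $family = 'AMD'
    }

    # Win32_OperatingSystem.ProductType: 1 = client, 2 = domain controller, 3 = server.
    $isServer = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1

    $accepted   = $allowedOverride[$family]
    $override   = Get-RegValue $mm 'FeatureSettingsOverride'
    $mask       = Get-RegValue $mm 'FeatureSettingsOverrideMask'
    $overrideOk = ($null -ne $override) -and ($override -in $accepted)

    New-Check 'FeatureSettingsOverride' $override ($accepted -join ' or ') $overrideOk
    New-Check 'FeatureSettingsOverrideMask' $mask '3' ($mask -eq 3)

    if ($isServer) {
        # Servers additionally need the Virtualization value (REG_SZ "1.0").
        $minVm = Get-RegValue $virt 'MinVmVersionForCpuBasedMitigations'
        New-Check 'MinVmVersionForCpuBasedMitigations' $minVm '1.0' ($minVm -eq '1.0')
    }
}

# Read-only: nothing is modified.
Test-MitigationRegistry | Format-Table -AutoSize
```

    The check confirms only the registry data from step 2; it does not show whether the updates from step 1 are installed.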

     

    Automate Patching with SanerNow:

    1. Download the Processor_mitigation_fix-01.zip which is attached.

    2. Log in to SanerNow

    3. Switch to the account/site specific view

    4. Use the EM tool to create an Action

    5. Select 'Software Deployment' feature

    6. Click on Upload, which is on the upper right corner.

    7. Click on 'Open the file Browser', upload the 'Processor_mitigation_fix-01.zip' file and click on Close.

    8. Once the uploaded package is visible after selecting the 'User uploaded' checkbox, click on the 'exclamation mark' as shown in the below diagram.

    9. Click on edit in the newly opened window and set the silent option as /click on 'Update Details' as shown in the below diagram.

    10. Select the uploaded package and click on install, which is in the upper right corner.

    11. Select the 'Group' to which the workaround needs to be applied and click 'next'

    12. Enter the required details and click on 'Create Installation task' as shown in the below diagram.

    On the next scheduled scan, vulnerabilities will not be reported.

    In case the above changes cause issues, deploy the Processor_mitigation_fix_revert.zip file in a manner similar to the one shown above.

     

     References:

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180018

    https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot
