In the May edition of Microsoft Patch Tuesday, Microsoft released several updates to mitigate what is known as Microarchitectural Data Sampling (MDS). These vulnerabilities are a subset of speculative execution side-channel vulnerabilities and were brought to light by Intel. The vulnerabilities are assigned the following CVEs:
- CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS)
- CVE-2018-12130 - Microarchitectural Fill Buffer Data Sampling (MFBDS)
- CVE-2018-12127 - Microarchitectural Load Port Data Sampling (MLPDS)
- CVE-2018-11091 - Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
In addition to installing the respective updates, Microsoft recommends additional measures to enable protections from the above vulnerabilities. These measures require the creation of certain Windows Registry entries. In this article we describe the steps to fix and mitigate the above vulnerabilities using SanerNow.
Affected OS:
All supported Microsoft Windows operating systems
Solution:
SanerNow: Detection and patching (installing updates and making registry changes) of the Microarchitectural Data Sampling vulnerabilities can be automated through SanerNow by following a few simple steps:
1. Log in to the SanerNow platform.
2. Switch to the account/site-specific view and go to 'VM tool'.
3. The CVE-2018-12126, CVE-2018-12130, CVE-2018-12127 and CVE-2018-11091 vulnerabilities will be listed in 'Top Vulnerabilities' or 'Recently Discovered Vulnerabilities'.
4. Search for these vulnerabilities in the VM tool. If you are affected, apply the patch through PM -> Missing Patches.
5. Select 'Groups/Devices' in the 'Asset Source' section and click 'Apply'.
6. Select the appropriate patches from the 'Asset' section. Please refer to the Microsoft advisory for more information (you need to select the KB applicable to your respective OS along with the exe being displayed).
7. Select 'Apply Selected Patches' at the rightmost corner. This will prompt for 'Creating Patching Task'. Fill in 'Task Name' and 'Remediation Schedule' as per your preference and click on 'Apply Selected Patches'.
8. A remediation job will be created, which will fix the vulnerability by applying the patch.
9. Once remediation is done, the Saner agent automatically scans again and uploads the result.
The following registry changes are made after applying the patch:
CASE 1: When Hyper-Threading is enabled:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
If the Hyper-V feature is installed, add the following registry setting:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
CASE 2: When Hyper-Threading is disabled:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
If the Hyper-V feature is installed, add the following registry setting:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
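To confirm on an endpoint that the values above are actually in place, the following PowerShell audit script can be used. It is an added example, not part of the original article or of SanerNow, and it only reads the registry. Its Hyper-Threading check (logical processors exceeding physical cores), its use of the `vmms` service to detect Hyper-V, and the helper name `Get-RegValue` are assumptions of this example.

```powershell
# Added example: read-only audit of the registry values listed in this article.
$mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Get-RegValue {   # hypothetical helper name
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Assumption: Hyper-Threading is active when logical processors exceed cores.
$cpus      = @(Get-CimInstance -ClassName Win32_Processor)
$logical   = ($cpus | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
$cores     = ($cpus | Measure-Object -Property NumberOfCores -Sum).Sum
$htEnabled = $logical -gt $cores

# Expected values: CASE 1 (72) or CASE 2 (8264) from this article; mask is 3 in both.
$expectedOverride = if ($htEnabled) { 72 } else { 8264 }
$expectedMask     = 3

$override = Get-RegValue -Path $mm -Name 'FeatureSettingsOverride'
$mask     = Get-RegValue -Path $mm -Name 'FeatureSettingsOverrideMask'

$findings = @()
if ($override -ne $expectedOverride) {
    $findings += "FeatureSettingsOverride is '$override', expected $expectedOverride"
}
if ($mask -ne $expectedMask) {
    $findings += "FeatureSettingsOverrideMask is '$mask', expected $expectedMask"
}

# Assumption: the Hyper-V management service (vmms) exists only when Hyper-V is installed.
if (Get-Service -Name 'vmms' -ErrorAction SilentlyContinue) {
    $minVm = Get-RegValue -Path $virt -Name 'MinVmVersionForCpuBasedMitigations'
    if ($minVm -ne '1.0') {
        $findings += "MinVmVersionForCpuBasedMitigations is '$minVm', expected '1.0'"
    }
}

$case = if ($htEnabled) { 'enabled' } else { 'disabled' }
if ($findings.Count -eq 0) {
    Write-Output "OK: MDS registry settings match the Hyper-Threading $case case."
} else {
    $findings | ForEach-Object { Write-Output "MISMATCH (Hyper-Threading ${case}): $_" }
}
```

An empty value in a MISMATCH line means the registry value is not present at all.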
Note: The above CVEs are also applicable to systems using Apple Mac OS X and can be mitigated in a similar way as above using SanerNow.
References:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190013