Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            Mitigating CVE-2018-3639 using SanerNow

            Modified on Sun, 16 Mar at 8:03 PM

            Overview:


            Microsoft has recommended additional measures for effectively patching the following vulnerability:
            CVE-2018-3639
            Mitigation of this vulnerability requires the creation of certain Windows Registry entries. This article describes the steps to create these registry settings.

             

            Affected OS: 

            All supported Microsoft Windows clients and server

             

            Solution :

            1. Install the patches recommended in the Microsoft advisory, ADV1800012

            2. Create the following registry entries,
            Registry Changes:

            a. To enable the fix for Windows processors other than AMD and ARM processors:

            * Fix for Windows Clients:

            reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f

            reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

            * Fix for Windows Server:

            reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f

            reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

            reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

            b. To enable the fix for Windows AMD processors:

            * Fix for Windows Clients:

            reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f

            reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f


            * Fix for Windows Server:

            reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f

            reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

            reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

            c. To enable the fix for Windows ARM processors:

            * Fix for Windows Clients:

            reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 64 /f

            reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

             * Fix for Windows Server:

            reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 64 /f

            reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

            reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

             

            3. Reboot the system so that the changes take effect.

             

            Automate Patching with SanerNow:

            1. Download the Processor_mitigation_fix.zip which is attached.

            2. Login to SanerNow

            3. Switch to the account/site specific view

            4. Use the EM tool to create an Action

            5. Select 'Software Deployment' feature

            6. Click on Upload, which is on the upper right corner.

            7. Click on the 'Open the file Browser', upload 'Processor_mitigation_fix.zip' file and Click on Close.

            8. Once uploaded package is visible after selecting 'User uploaded' checkbox, Click on 'exclamation mark' as shown in the below diagram.

            9. Click on edit in the newly opened window and set the silent option as /click on 'Update Details' as sown in the below diagram.

            10. Select uploaded package and click on install, which is in the upper right corner.

            11. Select 'Group' for which we need to apply the workaround and click 'next'

            12. Enter the required details and click on 'Create Installation task' as shown in the below diagram.

            On the next scheduled scan, vulnerabilities will not be reported.

            In case the above changes cause issues, deploy the Processor_mitigation_fix_revert.zip file in a manner similar to the one shown above.

            References:

            https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180012

            https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot

             

            Attachments (2)

            zip

            Processor_mi....zip
            22.1 KB
            zip

            Processor_mi....zip
            21.3 KB

            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0