Meltdown & Spectre Side-Channel Vulnerability in Virtual environments


By now almost everyone knows about the Meltdown & Spectre Side-Channel Vulnerability. There is no need to explain the issue again in this article, but if you still need background you can read the advisories here for Intel, AMD and also ARM. In this article we will look at the Meltdown & Spectre Side-Channel Vulnerability in Virtual environments.

Meltdown

“Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.”


Spectre

“Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.”


In this article, I will try to summarize most of the vendors' information about the Meltdown and Spectre Side-Channel Vulnerability in Virtual environments, but will focus on my main area, VMware/Hyper-V.

Hardware vendors and Hypervisor vendors have released many updates in the last two weeks regarding these issues. But it seems that the initial patches had some problems regarding security and performance. Many vendors have withdrawn those patches and are working with Intel to release proper patches and firmware for their software or hardware.

Even some of the updates released by Intel caused many issues in servers (some with random reboots), and Intel engineering is under a lot of pressure, with Intel's CEO needing to make public statements to calm down the market.

VMware

Companies like VMware have removed the patches from their repository, and we need to wait for new patches. You can read more about VMware's statement on the previous patches in their main article, which covers not only the latest patches but also a workaround if you have already patched your systems with those faulty patches: KB52345.

Regarding VMware, for now the guidance is to hold all patches while VMware works with Intel to fix all issues and provide a proper patch that fixes the problems without any impact on the systems.

William Lam has some great posts regarding VMware patches and scripts to verify ESXi CPUs and VM Guest OSes. Check HERE for the main article on how to run those scripts.

Hyper-V

Regarding Hyper-V and Microsoft, the main guidance with all the information is HERE, but let's go through some of the main tasks and changes that you should make in your Hyper-V virtual environment.

Recommended actions

Customers should take the following measures to help protect against the vulnerabilities:

  1. Apply all available Windows operating system updates, including the January 2018 Windows security updates. For details about how to enable this update, see Microsoft Knowledge Base article 4072699.
  2. Make necessary configuration changes to enable protection.
  3. Apply an applicable firmware update from the OEM device manufacturer.

Important: Customers who install only the Windows update will not receive the benefit of all known protections.

First, Microsoft recommends that customers enable the mitigations on their Hyper-V servers to help protect against speculative execution side-channel vulnerabilities. We already know today that these changes have an impact on server performance.

Note: Do not apply these changes directly in your Production environment. I recommend that you test these changes first in any PoC or R&D environment that you may have. Depending on the CPU or Chipset, these changes can have an impact on your Hyper-V performance (and consequently on your VMs).

Changes:

Use these registry keys to enable the mitigations on the server and make sure that the system is restarted for the changes to take effect:

Switch | Registry Settings

To enable the fix

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If this is a Hyper-V host and the firmware updates have been applied: fully shut down all Virtual Machines (to enable the firmware-related mitigation for VMs, the firmware update must be applied on the host before the VM starts).

Restart the server for changes to take effect.

To disable this fix

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the server for the changes to take effect.

(There is no need to change MinVmVersionForCpuBasedMitigations.)

Note: Setting FeatureSettingsOverrideMask to 3 is correct for both the enable and disable settings (see the FAQ for more details on the registry keys).

More information and details HERE and HERE.

Hyper-V – Protecting Guest VMs

Next, ensure that Hyper-V is configured to expose the new processor capabilities into guest virtual machines. This configuration is based on the VM version of the guest virtual machines.

If all of the virtual machines on the host are VM version 8.0 or higher, then no configuration is required. These virtual machines will see the new processor capabilities after a cold boot.

If there are any virtual machines with VM version below 8.0, you must set a specific registry value on the host operating system. This will configure Hyper-V to expose the new processor capabilities into guest virtual machines with lower VM versions.

That registry value is MinVmVersionForCpuBasedMitigations under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization. The value should be set to the minimum VM version that needs access to the updated firmware capabilities, in the format "Major.Minor". To expose the firmware to all virtual machines on the host (i.e. version 1.0 and above), run the reg add command for MinVmVersionForCpuBasedMitigations shown above (value "1.0") on the host.
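To check where a host stands before and after making the registry changes described above, and to see which VMs fall under the version 8.0 rule in this section, the following PowerShell audit script is an added example (not from the original article or Microsoft's KB). It assumes the Hyper-V PowerShell module is present and that it runs in an elevated session on the host.

```powershell
# Added example: audit the Meltdown/Spectre mitigation registry settings on a
# Hyper-V host and list VMs whose configuration version is below 8.0.
# Assumes an elevated session with the Hyper-V module available (Get-VM).

$mmPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$virtPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

# Read a registry value, returning $null when it has not been created yet.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name } else { return $null }
}

$override = Get-RegValue $mmPath   'FeatureSettingsOverride'
$mask     = Get-RegValue $mmPath   'FeatureSettingsOverrideMask'
$minVmVer = Get-RegValue $virtPath 'MinVmVersionForCpuBasedMitigations'

# Interpret the pair the way the KB defines it: Override 0 with Mask 3 enables the
# mitigations, Override 3 with Mask 3 disables them; anything else is not set explicitly.
$state = switch ("$override/$mask") {
    '0/3'   { 'Enabled' }
    '3/3'   { 'Disabled' }
    default { 'Not explicitly configured' }
}

Write-Host "FeatureSettingsOverride            : $(if ($null -ne $override) { $override } else { '<not set>' })"
Write-Host "FeatureSettingsOverrideMask        : $(if ($null -ne $mask) { $mask } else { '<not set>' })"
Write-Host "Mitigation state                   : $state"
Write-Host "MinVmVersionForCpuBasedMitigations : $(if ($minVmVer) { $minVmVer } else { '<not set>' })"

# VMs below configuration version 8.0 only see the new CPU capabilities when
# MinVmVersionForCpuBasedMitigations covers their version and they are cold booted.
$oldVms = Get-VM | Where-Object { [version]$_.Version -lt [version]'8.0' }
if ($oldVms) {
    Write-Host "VMs below version 8.0 (need MinVmVersionForCpuBasedMitigations and a cold boot):"
    $oldVms | Select-Object Name, Version, State | Format-Table -AutoSize
} else {
    Write-Host "All VMs are version 8.0 or higher; no MinVmVersionForCpuBasedMitigations setting is required."
}
```

Run it once before changing the keys and again after the restart to confirm the state actually changed; a host still reporting "Not explicitly configured" after a reboot usually means the reg add commands were typed with the wrong quotes or run without elevation.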

More information and details HERE.

I will try to list most of the information and firmware or patches released by the main vendors.

List of patches and information by vendor (Updated).

Hypervisor or Operating System.

Server Hardware

Conclusion: This Side-Channel Vulnerability has had a significant impact on all systems around the world and on Virtual Environments, particularly for customers that use Intel, which is most Virtual Environments.
The first steps taken by Intel were not the best ones, and other companies like AMD and ARM also did not respond quickly to this problem. All patches and firmware were supposed to be released by the 9th of January, yet today most of the vendors have still not released their final updates to fully protect systems against this vulnerability.

We will need to wait a few more days (weeks?) for the final solution. Until then, apply the patches that can be used, update the systems that can be updated, and wait for the final solution from all vendors for your Virtual Environment (mainly VMware and Microsoft).

I hope this article helps you learn more about this substantial Side-Channel Vulnerability.


©2018 ProVirtualzone. All Rights Reserved


Published January 19th, 2018 | Hyper-V, Other, Virtualization

About the Author:

I am the owner of the ProVirtualzone blog. I have been working in the technology domain for over 20 years! Currently I am a Senior ICT Infrastructure Engineer Lead in a Swedish consulting company called Elits. I am responsible for Virtual Infrastructures, Tech Lead and Virtual Team management, based out of Germany.
