By now, almost everyone knows about the Meltdown & Spectre side-channel vulnerabilities. There is no need to explain the issue again in this article, but if you still need background, you can read it here for Intel, AMD, and ARM. In this article we will look at Meltdown & Spectre in virtual environments.
Meltdown
“Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.”
Spectre
“Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.”
In this article, I will try to summarize most of the vendors’ information about the Meltdown and Spectre side-channel vulnerabilities in virtual environments, but I will focus on my main area, VMware/Hyper-V.
Hardware and hypervisor vendors have released many updates for this issue in the last two weeks. But the initial patches turned out to have stability and performance problems, and many vendors have withdrawn them and are working with Intel to release proper patches and firmware for their software or hardware.
Some of the microcode updates released by Intel caused issues on servers (including random reboots), and Intel’s engineering is under pressure, with Intel’s CEO having to make public statements to calm the market.
VMware
Companies like VMware have removed the patches from their repository, and we need to wait for new ones. You can read VMware’s statement about the previous patches, and the workaround if you have already patched your systems with those faulty patches, in KB52345.
For VMware, the current advice is to hold all patches while VMware works with Intel to fix the issues and provide a proper patch that does not impact the systems.
William Lam has some great posts regarding VMware patches and scripts to verify ESXi CPUs and VMs Guest OS. Check HERE the main article regarding how to run those scripts.
Hyper-V
Regarding Hyper-V and Microsoft, the main guidance with all the information is HERE, but let’s go through some of the main tasks and changes you should make in your Hyper-V virtual environment.
Recommended actions
Customers should take the following measures to help protect against the vulnerabilities:
- Apply all available Windows operating system updates, including the January 2018 Windows security updates. For details about how to enable this update, see Microsoft Knowledge Base article 4072699.
- Make necessary configuration changes to enable protection.
- Apply an applicable firmware update from the OEM device manufacturer.
Important: Customers who install only the Windows update will not benefit from all known protections.
First, Microsoft recommends that customers enable the mitigations on their Hyper-V servers to help protect against the speculative execution side-channel vulnerabilities. We already know that these changes have an impact on server performance.
Note: Do not apply these changes in your production environment first. I recommend that you test them in any PoC or R&D environment you may have. Depending on the CPU or chipset, these changes can impact your Hyper-V performance (and subsequently the VMs).
Changes:
Use these registry keys to enable the mitigations on the server (they are disabled by default on Windows Server), and make sure that the system is restarted for the changes to take effect:
To enable the fix:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
If this is a Hyper-V host and the firmware updates have been applied: fully shut down all virtual machines (to enable the firmware-related mitigation for VMs, the firmware update must be applied on the host before the VM starts; a VM in saved or paused state is not shut down and will keep its old CPU feature set).
Restart the server for the changes to take effect.
To disable the fix:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Restart the server for the changes to take effect.
(There is no need to change MinVmVersionForCpuBasedMitigations.)
Note: Setting FeatureSettingsOverrideMask to 3 is correct for both the enable and the disable settings (see the FAQ in Microsoft’s guidance for more details on the registry keys).
More information and details HERE and HERE.
Hyper-V – Protecting Guest VMs
Next, ensure that Hyper-V is configured to expose the new processor capabilities to guest virtual machines. This configuration is based on the VM version of the guest virtual machines.
If all of the virtual machines on the host are VM version 8.0 or higher, then no configuration is required. These virtual machines will see the new processor capabilities after a cold boot.
If there are any virtual machines with VM version below 8.0, you must set a specific registry value on the host operating system. This will configure Hyper-V to expose the new processor capabilities into guest virtual machines with lower VM versions.
That registry value is MinVmVersionForCpuBasedMitigations under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization. The value should be set to the minimum VM version that needs access to the updated firmware capabilities, in the format “Major.Minor”. To expose the firmware to all virtual machines on the host (i.e. version 1.0 and above), run the following command on the host:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
More information and details are HERE.
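As an added example (not code from the original post or from Microsoft’s guidance), the following PowerShell script performs the host changes from the “Changes” section and the MinVmVersionForCpuBasedMitigations change from this section in one pass, lists the VMs below version 8.0 and the VMs that are not fully shut down, and after the reboot verifies the result with Microsoft’s SpeculationControl module. The script itself, its -Disable switch and the use of the SpeculationControl module are my additions; the registry paths and values are the ones quoted above. Run it in an elevated PowerShell session on a test host first, as the article recommends.

```powershell
# Added example, not from the original post or Microsoft's KB articles.
# Applies the Hyper-V host mitigation registry values, exposes the new CPU
# capabilities to pre-8.0 VMs, and reports what still needs a cold boot.
# A host restart and a full shutdown of every VM are still required.
[CmdletBinding()]
param(
    [switch]$Disable   # revert to the "disable the fix" values (3 / 3)
)

$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$hv = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

# FeatureSettingsOverride 0 enables both mitigations, 3 disables both;
# FeatureSettingsOverrideMask stays 3 in either case (per the KB).
$override = if ($Disable) { 3 } else { 0 }
New-ItemProperty -Path $mm -Name FeatureSettingsOverride     -PropertyType DWord -Value $override -Force | Out-Null
New-ItemProperty -Path $mm -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3         -Force | Out-Null

if (-not $Disable) {
    # Only VMs below version 8.0 need MinVmVersionForCpuBasedMitigations;
    # 8.0 and later see the new capabilities after a cold boot on their own.
    $old = Get-VM | Where-Object { [version]$_.Version -lt [version]'8.0' }
    if ($old) {
        "VMs below version 8.0 (covered by MinVmVersionForCpuBasedMitigations = 1.0):"
        $old | Format-Table Name, Version, State -AutoSize
        New-ItemProperty -Path $hv -Name MinVmVersionForCpuBasedMitigations `
            -PropertyType String -Value '1.0' -Force | Out-Null
    }
}

# Show the values now in the registry so they can be reviewed before the reboot.
Get-ItemProperty -Path $mm -Name FeatureSettingsOverride, FeatureSettingsOverrideMask |
    Select-Object FeatureSettingsOverride, FeatureSettingsOverrideMask

# A VM that is Running, Saved or Paused keeps its old CPU feature set; only a
# VM that is Off will pick up the firmware-backed mitigation at its next start.
"VMs that are not fully shut down (need Stop-VM, not Save-VM, before the host reboot):"
Get-VM | Where-Object { $_.State -ne 'Off' } |
    Format-Table Name, Version, State -AutoSize

# After the reboot: verify with Microsoft's SpeculationControl module
# (Install-Module SpeculationControl from the PowerShell Gallery first).
# BTI* = branch target injection (CVE-2017-5715, needs firmware),
# KVAShadow* = kernel VA shadowing (CVE-2017-5754, Windows update only).
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings |
        Select-Object BTIHardwarePresent, BTIWindowsSupportEnabled,
                      KVAShadowRequired, KVAShadowWindowsSupportEnabled
} else {
    "SpeculationControl module not installed; run Install-Module SpeculationControl to verify."
}
```

Run it once without parameters to enable the mitigations and once with -Disable to roll them back, restarting the host after each run. If BTIHardwarePresent is still False after the reboot, the OEM firmware (microcode) update has not been applied, and the Spectre variant 2 protection is not active for the host or its VMs regardless of the registry values.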
I will try to list most of the information and firmware or patches launched from the main vendors.
List of patches and information by vendor (Updated).
Hypervisor or Operating System
Server Hardware
Conclusion:
These side-channel vulnerabilities have had a significant impact on systems worldwide, and particularly on virtual environments, since most of them run on Intel CPUs.
Intel’s first steps were not the best ones, and other companies like AMD and ARM did not respond quickly either. All patches and firmware were supposed to have been released by the 9th of January, but as of today most vendors have not released their final updates to fully protect systems against these vulnerabilities.
We will need to wait for the final solution for the next few days (weeks?). Until then, apply the patches that are available, update the systems that can be updated, and wait for the final solution from all vendors for your virtual environment (mainly VMware and Microsoft).
I hope this article helps you find more information about these substantial side-channel vulnerabilities.
©2018 ProVirtualzone. All Rights Reserved