The ultimate guide to protecting against Meltdown (CVE-2017-5754) on Windows

Introduction

As most have heard by now, Meltdown (CVE-2017-5754) is a critical speculative-execution vulnerability that lets an unprivileged process read kernel memory, and it affects most computers and servers worldwide.

Microsoft released an out-of-band patch for all supported operating systems. Some systems may not have been eligible for the patch because their AV vendor did not yet support the fix. An unofficial list seen on Twitter yesterday (which I can't seem to find right now) showed that only Microsoft, Kaspersky and ESET were prepared, with several vendors working on it and Sophos planning to have it ready by early next week. This is likely to change as I'm writing this, so please contact your AV vendor if you're uncertain.

Getting started

To see if your system is affected, the Microsoft Security Response Center (MSRC) has published a PowerShell module, SpeculationControl, that reports whether the hardware and Windows support for the mitigations is present and enabled. Details can be found here. Use the module to determine the status of all your systems by following the guidance, and run it again after patching to verify that you have successfully remediated the issue.

To see if your system is eligible for the patch (Windows Update only offers the January 2018 update when the AV vendor, or an administrator, has set this compatibility flag), look for:

HKLM\Software\Microsoft\Windows\CurrentVersion\QualityCompat and a DWORD value with the name: cadca5fe-87d3-4b96-b7fb-a231484277cc and value data: 0. Most systems will also require a firmware (CPU microcode) update, but note that this is needed for the Spectre variant 2 mitigation (CVE-2017-5715); the Meltdown mitigation itself is delivered entirely by the Windows update. For all Surface devices, a firmware update can be found here.

Patching systems

Prior to applying the patch, your system will likely generate this output when running “Get-SpeculationControlSettings”:

After verifying that your system is eligible for the patch, install the latest update. I have included the KB numbers for the newest Windows versions:

KB4056890 – Server 2016
KB4056898 – Server 2012 R2 / 8.1
ADV180002 – Windows 10 (the Microsoft advisory, which lists the individual update for each Windows 10 version).

This update might fail on the first try; reboot and give it another shot. I have been parsing through WindowsUpdate.log without being able to pinpoint the exact issue yet. Please note that the update might take more than an hour to complete, so be patient!

Protecting systems

After the patch is installed, running "Get-SpeculationControlSettings" again shows that the problem isn't completely fixed: Windows support for the mitigation is now present, but it is not enabled.

The reason for this is that on Windows Server the mitigations are turned off by default (client SKUs enable them with the patch), so protecting a server requires deploying registry values in addition to the patch.

Microsoft published “Windows Server guidance to protect against speculative execution side-channel vulnerabilities” where it clearly states that mitigations must be enabled for servers after deploying the patch.

We then proceed by adding the following registry values (a reboot is required before they take effect):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

FeatureSettingsOverride set to 0 together with FeatureSettingsOverrideMask set to 3 enables both the Meltdown mitigation (kernel virtual address shadowing) and the Spectre variant 2 mitigation (branch target injection).

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

The third value is only needed on Hyper-V hosts; it exposes the new processor features to the virtual machines running on the host.

After the reboot, running the command again we can verify that the systems are protected against CVE-2017-5754 (KVAShadowWindowsSupportEnabled now reports True):
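The whole procedure above (check the AV compatibility flag, install the MSRC module, enable the mitigations, and verify) as one PowerShell script. This is an added example, not code from the original post or from Microsoft; it assumes the host can reach the PowerShell Gallery to install the SpeculationControl module, and that the module exposes the KVAShadow* and BTI* properties as its early releases did. The Hyper-V detection via the vmms service is my own choice, not something the post prescribes.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): check patch eligibility,
# enable the Meltdown/Spectre mitigations on a server, and verify with the
# MSRC SpeculationControl module. The registry values take effect at boot,
# so a reboot is still required after running this.

$qualityCompat = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$avFlag        = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$memMgmt       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$virt          = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

# 1. Is the January 2018 update offered to this machine at all?
#    Windows Update skips it unless the AV vendor (or an admin) set this flag to 0.
$flag = Get-ItemProperty -Path $qualityCompat -Name $avFlag -ErrorAction SilentlyContinue
if ($null -eq $flag -or $flag.$avFlag -ne 0) {
    Write-Warning "AV compatibility flag missing or not 0: the update will not be offered. Check with your AV vendor."
} else {
    Write-Host "AV compatibility flag present: the patch is applicable."
}

# 2. Get the MSRC module (assumes PowerShell Gallery access; copy it manually on offline hosts).
if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl

function Get-MeltdownStatus {
    param([string]$Label)
    $s = Get-SpeculationControlSettings
    # KVAShadow* fields describe the Meltdown (CVE-2017-5754) mitigation;
    # BTI* fields describe Spectre variant 2 (CVE-2017-5715).
    [pscustomobject]@{
        Stage                          = $Label
        KVAShadowRequired              = $s.KVAShadowRequired
        KVAShadowWindowsSupportPresent = $s.KVAShadowWindowsSupportPresent
        KVAShadowWindowsSupportEnabled = $s.KVAShadowWindowsSupportEnabled
        BTIWindowsSupportPresent       = $s.BTIWindowsSupportPresent
        BTIWindowsSupportEnabled       = $s.BTIWindowsSupportEnabled
    }
}

$before = Get-MeltdownStatus -Label 'before'
$before | Format-List

# Without the cumulative update the OS support is absent; the registry values do nothing.
if (-not $before.KVAShadowWindowsSupportPresent) {
    throw "OS support for the mitigation is missing: install the January 2018 update first."
}

# 3. Enable both mitigations. Override 0 with Mask 3 = enable KVA shadow and BTI.
#    Server SKUs ship with these disabled by default; clients enable them with the patch.
New-ItemProperty -Path $memMgmt -Name FeatureSettingsOverride     -PropertyType DWord -Value 0 -Force | Out-Null
New-ItemProperty -Path $memMgmt -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3 -Force | Out-Null

# 4. Hyper-V hosts only (detected here via the VM Management service): expose the
#    new processor features to virtual machines.
if (Get-Service -Name vmms -ErrorAction SilentlyContinue) {
    if (-not (Test-Path $virt)) { New-Item -Path $virt -Force | Out-Null }
    New-ItemProperty -Path $virt -Name MinVmVersionForCpuBasedMitigations -PropertyType String -Value '1.0' -Force | Out-Null
    Write-Host "Hyper-V host detected: MinVmVersionForCpuBasedMitigations set to 1.0."
}

Write-Host "Registry values set. Reboot, then run Get-MeltdownStatus again and confirm KVAShadowWindowsSupportEnabled is True."
```

The script throws before touching the registry when KVAShadowWindowsSupportPresent is False, because the override values only select among mitigations the patched kernel already carries; setting them on an unpatched host changes nothing and gives a false sense of progress. Run Get-MeltdownStatus once more after the reboot and treat anything other than KVAShadowWindowsSupportEnabled = True as an unremediated host.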

Want to know more? https://meltdownattack.com/

Karim

Published by

Karim El-Melhaoui

Working as a Technical Architect at Advania Norway with a focus on Microsoft infrastructure, cloud and security. My daily tasks are advisory, design and implementation of products and security measures for companies. Continuously focusing on developing my skillset and staying up to date with the newest in technology. Microsoft Certified Trainer, MCSE Cloud Platform & Infrastructure and Mobility, MCSA Windows Client, Server and Office 365.
