
Windows 10: Intel Microcode Updates (June 2019) - A Complete Guide



Red Hat provides updated microcode, developed by our microprocessor partners, as a customer convenience. Please contact your hardware vendor to determine whether more recent BIOS/firmware updates are recommended, as additional improvements may be available.


Q: What if my CPU is not listed in the table?
A: Red Hat will continue to update these microcode packages as necessary. Please contact your hardware vendor to determine whether more recent BIOS/firmware updates are recommended because additional improvements may be available.







Speculation techniques that rely on one security domain (user, kernel, hypervisor) being able to influence indirect branch predictions in another security domain (e.g. CVE-2017-5715, Spectre variant 2) can be mitigated through additional hardware interfaces provided by Intel, AMD, and ARM. In the case of Intel and AMD, these hardware interfaces require microcode updates to expose the features that operating systems can take advantage of. These features give software the ability to flush indirect branch prediction state (IBPB), inhibit the use of branch predictions from less-privileged security domains (IBRS), and protect against sibling hardware thread prediction interference (STIBP). The microcode updates from Intel and AMD are currently at varying levels of readiness and availability, but they are generally expected to enable strong mitigations for speculation techniques that use indirect branch mispredictions across security domains. On March 1st, 2018, Microsoft announced the availability of Intel microcode updates through the Microsoft Update Catalog (KB4090007).


We have servers running MS Windows Server 2012 / 2012 R2. The servers have Intel Xeon E5-2450 v2 and Xeon E5-2420 CPUs. The servers have the Hyper-V feature enabled. According to -center/advisory/intel-sa-00233.html these CPUs have Microarchitectural Data Sampling vulnerabilities. According to -us/security-guidance/advisory/adv190013 we should install the 2019-05 Monthly Rollup, which provides protections against these new Intel CPU vulnerabilities. To enable the protection in Windows Server we should also set some registry settings as specified on -us/help/4072698/

So, I installed the 2019-05 Monthly Rollup (KB4499151) on MS Windows Server 2012 R2 and the 2019-05 Monthly Rollup (KB4499171) on MS Windows Server 2012. Also, I ran the following commands on the servers to set values in the Registry which should enable the MDS mitigation:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

The installation finished successfully and the servers started fine after reboot. I used the Get-SpeculationControlSettings script v. 1.0.14 to query the speculation control settings on the systems. The script is available on and the script output is explained on -us/help/4074629/ In PowerShell 5.1 I first installed the module with:


I get the following script output:

...
Speculation control settings for MDS [microarchitectural data sampling]
Windows OS support for MDS mitigation is present: True
Hardware is vulnerable to MDS: True
Windows OS support for MDS mitigation is enabled: False
...
MDSWindowsSupportPresent : True
MDSHardwareVulnerable    : True
MDSWindowsSupportEnabled : False

Here I do not understand why the script reports "Windows OS support for MDS mitigation is enabled: False" (and "MDSWindowsSupportEnabled : False"). Regarding MDSWindowsSupportEnabled, -us/help/4074629/ explains:

This line tells you if the Windows operating system mitigation for Microarchitectural Data Sampling (MDS) is enabled. If it is True, the hardware is believed to be affected by the MDS vulnerabilities, the Windows operating system support for the mitigation is present, and the mitigation has been enabled. If it is False, either the hardware is not vulnerable, Windows operating system support is not present, or the mitigation has not been enabled.

On the servers:
- hardware is vulnerable (Intel Xeon CPUs)
- Windows operating system support is present: 2019-05 Monthly Rollup (KB4499151) installed
- the mitigation has been enabled (Registry settings exist)

So, the script should report "MDSWindowsSupportEnabled : True". Is anybody able to test this in similar hardware and OS environments?


But on some PCs with Windows 10 and the 2019-05 updates installed I'm getting "MDSWindowsSupportEnabled : True", while on others I'm getting "MDSWindowsSupportEnabled : False".


I have the same issue where the SpeculationControlSettings output shows "Windows OS support for MDS mitigation is enabled: False".
1. I have installed all outstanding Windows updates on the server as of 2019-07-24
2. I can't do a BIOS update as the server is a virtual server on AWS
3. I can't disable Hyper-Threading in BIOS as the server is a virtual server on AWS

The AWS server I am running is Windows 2012 R2 with PowerShell 5.1 and the latest SpeculationControl module v1.0.14 installed. It shows the CPU model as Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz. I read this link as per the SpeculationControl output, which states "To enable mitigations for Microarchitectural Data Sampling" "without disabling Hyper-Threading:". As I wanted to protect against these vulnerabilities I set the registry settings as follows and then rebooted the server.

HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\FeatureSettingsOverride is set to value 72
HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\FeatureSettingsOverrideMask is set to value 3

MDS output is as follows when I re-run SpeculationControlSettings after restarting the computer for the registry changes to take effect.

Speculation control settings for MDS [microarchitectural data sampling]
Windows OS support for MDS mitigation is present: True
Hardware is vulnerable to MDS: True
Windows OS support for MDS mitigation is enabled: False

Please can you explain why it shows as False and not True. Is it a bug with the SpeculationControlSettings script?
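The posts above all stop at the same point: the KB4072698 registry values are set, the May 2019 update is installed, and Get-SpeculationControlSettings still reports MDSWindowsSupportEnabled as False. The script below is an added example (editor's code, not from any of the posters or from Microsoft) that automates the cross-check: it reads the two registry values, runs the module, and walks the three conditions KB4074629 lists for that line, so the output says which one is failing. It assumes PowerShell 5.1 or later and that the SpeculationControl module is already installed from the PowerShell Gallery; the helper name Get-RegDwordOrNull and the variable $registrySaysMds are this example's own. The last branch states one fact the posts leave implicit: Windows implements the MDS mitigation with the VERW instruction, which only clears the CPU buffers on microcode that implements MD_CLEAR, and a guest cannot load microcode itself, it gets whatever the hypervisor exposes. On a cloud VM where the other three conditions hold, that is the place to look.

```powershell
# Added example (editor's, not from the posts above): cross-check the KB4072698
# registry values for MDS against the Get-SpeculationControlSettings result.
# Assumes PowerShell 5.1+ and the SpeculationControl module >= 1.0.14
# (Install-Module SpeculationControl). Run from an elevated prompt.

$mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-RegDwordOrNull {
    # Example helper: returns $null for a missing value instead of throwing.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # REG_DWORD comes back as a signed Int32; mask to keep large values positive.
    return [uint32]([int64]$item.$Name -band 0xFFFFFFFF)
}

$override = Get-RegDwordOrNull -Path $mmKey -Name 'FeatureSettingsOverride'
$mask     = Get-RegDwordOrNull -Path $mmKey -Name 'FeatureSettingsOverrideMask'

# KB4072698: MDS mitigation with Hyper-Threading left on = Override 72 (0x48), Mask 3.
$registrySaysMds = ($override -eq 72 -and $mask -eq 3)

Import-Module SpeculationControl -ErrorAction Stop
$s = Get-SpeculationControlSettings -Quiet   # -Quiet: object only, no console summary

[pscustomobject]@{
    FeatureSettingsOverride     = $override
    FeatureSettingsOverrideMask = $mask
    RegistryConfiguredForMds    = $registrySaysMds
    MDSWindowsSupportPresent    = $s.MDSWindowsSupportPresent
    MDSHardwareVulnerable       = $s.MDSHardwareVulnerable
    MDSWindowsSupportEnabled    = $s.MDSWindowsSupportEnabled
    # True on any VM and also on a Hyper-V host (the root partition runs under the hypervisor).
    HypervisorPresent           = (Get-CimInstance Win32_ComputerSystem).HypervisorPresent
} | Format-List

# Walk the three conditions KB4074629 gives for MDSWindowsSupportEnabled, in order.
if (-not $s.MDSHardwareVulnerable) {
    Write-Host 'MDS: hardware not reported vulnerable, nothing to enable.'
} elseif (-not $s.MDSWindowsSupportPresent) {
    Write-Warning 'MDS: OS support missing; install the 2019-05 or later update.'
} elseif (-not $registrySaysMds) {
    Write-Warning 'MDS: registry is not 72 / 3 as in KB4072698; set the values and reboot.'
} elseif (-not $s.MDSWindowsSupportEnabled) {
    # All three KB conditions hold and it is still off: the remaining dependency is the
    # microcode behind VERW (MD_CLEAR). A guest cannot load microcode; the hypervisor must
    # expose the feature, so on a VM this is a question for the host / cloud provider.
    Write-Warning 'MDS: configured but not enabled; check microcode / hypervisor exposure.'
} else {
    Write-Host 'MDS: mitigation enabled.'
}
```

The ordering of the branches matters: the registry check comes after the two script-reported conditions because a bad registry value is the only one of the three that the administrator can fix locally, and the final branch is reached only when everything the KB asks for is in place.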


Intel has provided CPU microcode updates, and recommendations for mitigation strategies for operating system (and hypervisor) software. See Intel's Security Advisory for more details. We recommend you install the software updates provided by your operating system and/or hypervisor vendor.


In particular, at the request of Intel, we withheld the following details on the original RIDL/MDS disclosure date:

- TSX Asynchronous Abort (TAA). Intel's TSX hardware feature can be used to efficiently mount a RIDL attack even on allegedly non-vulnerable CPUs (with hardware mitigations).
- Alignment faults. These can be used to trigger an exception, giving an attacker yet another way of leaking data. This attack vector seems to be fixed in the latest generation of Intel CPUs.
- Flawed MDS mitigation. The initial mitigations against MDS clear the buffers by writing stale, potentially sensitive, data into these buffers, allowing an attacker to leak information despite mitigations being enabled.
- The RIDL test suite. We can now release the RIDL test suite at

Impact

TL;DR: an attacker can mount a RIDL attack despite the in-silicon mitigations/microcode patches published in May 2019 being in place.


In fact, due to a lack of transparency on Intel's part, we only got a complete picture of Intel's MDS disclosure plan on May 10, 2019, just 4 days before public disclosure. We were able to find the microcode updates published by Intel online and tested them on the same day. We quickly found that Intel's fixes did not fully mitigate the vulnerabilities we had reported in Sep 2018 and immediately informed Intel.


On Oct 25, 2019, we tested Intel's latest microcode update, and still saw leaks with the VERW mitigation enabled, using the RIDL PoCs we shared with Intel in May 2019. We notified Intel and shared a polished PoC to make the issue clear. Intel requested a new embargo and yet suggested adding the following to our first RIDL addendum: "A new microcode update release by Intel in November is required to adequately address the issue".
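Whether a machine is protected by the May 2019 microcode, by the November release Intel says is required, or by neither comes down to which microcode revision is actually loaded. Windows records the revision it observes for each logical processor in the registry, and the script below (an added example, editor's code, not from the researchers or from the page) turns that into a per-CPU table alongside the CPUID signature that Intel's microcode release notes are indexed by. It assumes that the REG_BINARY value 'Update Revision' under HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\<n> holds the IA32_BIOS_SIGN_ID MSR with the revision in its upper 32 bits, and that 'Previous Update Revision' holds the revision the firmware had loaded before Windows applied its own copy (mcupdate_GenuineIntel.dll); the function names are this example's own.

```powershell
# Added example (editor's, not from the page): per-logical-processor CPUID signature
# and microcode revision as Windows reports them in the registry.
# Assumptions: 'Update Revision' (REG_BINARY) under
# HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\<n> holds IA32_BIOS_SIGN_ID with
# the revision in the upper 32 bits, and 'Previous Update Revision' holds the
# firmware-loaded revision before Windows applied mcupdate_GenuineIntel.dll.

function ConvertTo-CpuidSignature {
    # Rebuild CPUID.1.EAX from the displayed family/model/stepping:
    # bits 3:0 stepping, 7:4 model, 11:8 family, 19:16 ext. model, 27:20 ext. family.
    param([int]$Family, [int]$Model, [int]$Stepping)
    $extFamily = 0
    $famField  = $Family
    if ($Family -ge 15) { $extFamily = $Family - 15; $famField = 15 }
    return ($extFamily -shl 20) -bor (($Model -band 0xF0) -shl 12) -bor
           ($famField -shl 8) -bor (($Model -band 0x0F) -shl 4) -bor $Stepping
}

function Get-MicrocodeRevisionFromBytes {
    # Revision = little-endian upper dword (bytes 4..7); $null if the value is absent or short.
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -lt 8) { return $null }
    return [BitConverter]::ToUInt32($Bytes, 4)
}

function Format-HexOrNa {
    param($Value)
    if ($null -eq $Value) { return 'n/a' }
    return '0x{0:X}' -f $Value
}

function Get-CpuMicrocodeReport {
    $base = 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor'
    Get-ChildItem -Path $base | Sort-Object { [int]$_.PSChildName } | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        # Identifier looks like "Intel64 Family 6 Model 63 Stepping 2"
        $m = [regex]::Match([string]$p.Identifier, 'Family (\d+) Model (\d+) Stepping (\d+)')
        $sig = $null
        if ($m.Success) {
            $sig = ConvertTo-CpuidSignature -Family ([int]$m.Groups[1].Value) `
                                            -Model ([int]$m.Groups[2].Value) `
                                            -Stepping ([int]$m.Groups[3].Value)
        }
        $cur  = Get-MicrocodeRevisionFromBytes -Bytes $p.'Update Revision'
        $prev = Get-MicrocodeRevisionFromBytes -Bytes $p.'Previous Update Revision'
        [pscustomobject]@{
            Cpu                    = $_.PSChildName
            Name                   = $p.ProcessorNameString
            CpuidSignature         = Format-HexOrNa $sig
            MicrocodeRevision      = Format-HexOrNa $cur
            FirmwareLoadedRevision = Format-HexOrNa $prev
            # True when Windows' own loader applied something newer than the BIOS did.
            UpdatedByWindows       = ($null -ne $cur -and $null -ne $prev -and $cur -gt $prev)
        }
    }
}

Get-CpuMicrocodeReport | Format-Table -AutoSize
```

For a Haswell-EP Xeon such as the E5-2676 v3 from the thread above, Identifier reads "Family 6 Model 63 Stepping 2" and the signature comes out as 0x306F2; look that signature up in Intel's microcode release notes and compare the revision column against MicrocodeRevision. Inside a VM the values reflect whatever the hypervisor presents to the guest, which may be the host's revision or nothing useful, so a low or absent revision there is a question for the cloud provider rather than something the guest can fix.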


Today, AMD is providing updates regarding our recommended mitigations for Google Project Zero (GPZ) Variant 2 (Spectre) for Microsoft Windows users. These mitigations require a combination of processor microcode updates from our OEM and motherboard partners, as well as running the current and fully up-to-date version of Windows. For Linux users, AMD recommended mitigations for GPZ Variant 2 were made available to our Linux partners and have been released to distribution earlier this year.


While we believe it is difficult to exploit Variant 2 on AMD processors, we actively worked with our customers and partners to deploy the above described combination of operating system patches and microcode updates for AMD processors to further mitigate the risk. A white paper detailing the AMD recommended mitigation for Windows is available, as well as links to ecosystem resources for the latest updates.


AMD customers will be able to install the microcode by downloading BIOS updates provided by PC and server manufacturers and motherboard providers. Please check with your provider for the latest updates.

