Mitigating Spectre and Meltdown on Hyper-V Hosts

  • Question

  • Concerning CVE-2017-5753, CVE-2017-5715 (Spectre), and CVE-2017-5754 (Meltdown), Microsoft have provided patches for Windows Server OSes as per the following link.

    https://support.microsoft.com/en-us/help/4072698

    Thanks Microsoft!

    Unfortunately, what is not clear is - does this have to be installed and activated on the Hyper-V host AND all guests, or just the Hyper-V host, or just the Hyper-V guests?

    We are running 700+ VMs across approximately 30 Hyper-V 2012 R2 hosts. If it's only necessary to update the hosts, that would be less work for us - and we can do it without downtime for the guests.


    • Edited by LesterClayton Thursday, January 4, 2018 9:51 AM Converted URL to hyperlink
    Thursday, January 4, 2018 9:50 AM

All replies

  • Hi Lester, 

    Unfortunately it looks like you will need to patch all of the VMs and the hosts to begin with. A lot of sources are stating that Spectre and Meltdown undermine the whole concept of multi-tenancy computing. Processes, including virtual machines and containers, can't be trusted to stay in their boxes. The 'ring' model of security is undermined.

    Then for each physical machine there is likely to be a firmware update coming out in due course to mitigate. 

    In addition to the above there are likely to be web browser updates that should help protect against attacks too. 

    We are beginning to patch our hosts and will then go and do the VMs - not a quick job.

    Thank you. 


    Thursday, January 4, 2018 2:54 PM
  • askmematt, do you have any sources on that you can link to please? I'm also curious. If underlying VMs need to be patched this is potentially a much bigger issue.

    Thursday, January 4, 2018 3:58 PM
  • Perhaps it's all in the interpretation, but it reads very clearly to me that this applies to both Windows Server running the Hyper-V role and Windows Hyper-V Server. After all, they are all the same kernel for a given generation.

    They're not differentiating between editions anywhere else in the article, and that's all Hyper-V Server is: a different edition.

    Furthermore, the article goes out of its way to explain that, without the appropriate firmware - which is a clear albeit implicit reference to the hardware - the operating system update will achieve nothing on its own.

    It's clear this is a very rare but all-encompassing hardware-and-up strategy from the various vendors, meaning this will affect hardware (and not just traditional "servers" - wait for the storage and telephony vendors et al to jump on board with solutions for their "appliances"), virtualisation platforms and their guests.

    Cheers,
    Lain

    Friday, January 5, 2018 4:45 AM
  • https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

    https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/

    "This Azure infrastructure update addresses the disclosed vulnerability at the hypervisor level and does not require an update to your Windows or Linux VM images. However, as always, you should continue to apply security best practices for your VM images. "

    Security best practices = all patches installed

    Friday, January 5, 2018 6:07 PM
  • Refer: http://www.soundar.net/how-to-protect-your-devices-against-meltdown-and-spectre-attacks/

    Hope the given link will be helpful


    Saturday, January 6, 2018 7:20 AM
  • SOLUTIONS TO FULLY GET RID OF CVE-2017-5715

    Option A: Replace the following CPUs by a non-vulnerable CPU

    Arm Cortex-A75, Intel Core Gen1/Gen2/Gen3/Gen4/Gen5/Gen6/Gen7/Gen8/i3/i5/i7/M/X-series X99 platforms/X-series X299 platforms, Intel Xeon series 3400/3600/5500/5600/6500/7500, Intel Xeon family E3 v1/v2/v3/v4/v5/v6, Intel Xeon family E5 v1/v2/v3/v4, Intel Xeon family E7 v1/v2/v3/v4, Intel Xeon Scalable Family, Intel Xeon Phi series 3200/5200/7200, Intel Atom A/C/E/x3/Z, Intel Celeron J/N, Intel Pentium J/N

    Option B: Update CPU microcode in BIOS (see hw vendor)

    Option C:
    Patch system’s operating systems (OS, bare-metal hypervisor, hosted hypervisors)


    NOTES:

    - In this context: processor's microcode = processor's firmware
    - Processor microcode is loaded in RAM
    - BIOS loads microcode in RAM
    - The kernel is able to update at every boot the processor's firmware pushed in RAM by BIOS
    - Since some hw vendors have already announced they will not bother with BIOS updates to deliver the fixed CPU microcode for older generations (while Intel will provide it), the CPU microcode update via operating system seems to be a good and safe option.
    - A microcode update is kept in volatile memory, thus the BIOS/UEFI or kernel updates the microcode during every boot. (ref: https://wiki.debian.org/Microcode, https://labs.vmware.com/flings/vmware-cpu-microcode-update-driver)
    - https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/cve-2017-5715-and-hyper-v-vms

    - Option B & C require a reboot to successfully mitigate it
      - Install a kernel that is integrating the new IBRS and IBPB patches that are using the new CPU MSRs, made available by the microcode update
      - Boot the OS with the new microcode to activate the new flags in the CPU (the SPEC_CTRL and PRED_CMD MSRs)



    • Edited by lcbuyg Thursday, January 11, 2018 4:25 PM
    Thursday, January 11, 2018 3:55 PM
  • Option "C" would be great if Microsoft's patch accomplished this, but unfortunately it does not. I have tried it on Hyper-V and the guests are still not compliant based on the speculation control validation provided by Microsoft: https://gallery.technet.microsoft.com/scriptcenter/Speculation-Control-e36f0050

    Dan Gleason

    Friday, January 19, 2018 2:47 PM
  • https://www.altaro.com/hyper-v/meltdown-spectre-hyperv-performance/

    Don't know if this helps to clarify but fyi

    Saturday, January 20, 2018 4:50 PM
  • The script is very exact and looking for patches and registry keys. If you pivot from anything other than BIOS/OS patch/registry keys the script won't confirm your protection.
    Saturday, January 20, 2018 4:51 PM
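The two replies above describe running Microsoft's SpeculationControl validation against guests and finding them non-compliant because the script keys on the OS patch plus registry values. As an added example (not code from the thread or from Microsoft), the following PowerShell fans that same check out to a list of hosts and guests and tabulates the result per machine, which is the answer the original question needs for 700 VMs on 30 hosts. It assumes PowerShell remoting is enabled, the SpeculationControl module from the PowerShell Gallery is installed on each target, and the machine names are placeholders; the property names are those returned by Get-SpeculationControlSettings, and the host-side registry value is the one KB4072698 specifies for Hyper-V hosts.

```powershell
# Added example, not from the thread. Placeholder machine names below.
$hvHosts = @('HV-HOST-01', 'HV-HOST-02')   # placeholder Hyper-V hosts
$guests  = @('VM-APP-01', 'VM-SQL-01')     # placeholder guest VMs

$check = {
    Import-Module SpeculationControl -ErrorAction Stop
    $s = Get-SpeculationControlSettings -Quiet
    # Hyper-V hosts additionally need this value (from KB4072698) so the
    # mitigations are exposed to VMs; it is meaningless on a plain guest.
    $virtKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
    $minVmVer = (Get-ItemProperty -Path $virtKey -ErrorAction SilentlyContinue).MinVmVersionForCpuBasedMitigations
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        IsHyperVHost       = $null -ne (Get-Service vmms -ErrorAction SilentlyContinue)
        BTIHardwarePresent = $s.BTIHardwarePresent           # microcode/firmware for CVE-2017-5715
        BTISupportEnabled  = $s.BTIWindowsSupportEnabled     # OS patch + registry keys active
        KVAShadowRequired  = $s.KVAShadowRequired            # CPU affected by CVE-2017-5754
        KVAShadowEnabled   = $s.KVAShadowWindowsSupportEnabled
        MinVmVersionKey    = $minVmVer
    }
}

# Unreachable machines produce an error but do not stop the sweep.
$results = Invoke-Command -ComputerName ($hvHosts + $guests) -ScriptBlock $check -ErrorAction Continue

# Compliant = branch target injection mitigation enabled, and Meltdown
# mitigation either not required for this CPU or enabled. Hosts must also
# carry the MinVmVersionForCpuBasedMitigations value, or guests stay exposed.
$report = $results | ForEach-Object {
    $ok = $_.BTISupportEnabled -and ((-not $_.KVAShadowRequired) -or $_.KVAShadowEnabled)
    if ($_.IsHyperVHost) { $ok = $ok -and ($_.MinVmVersionKey -eq '1.0') }
    $_ | Add-Member -NotePropertyName Compliant -NotePropertyValue $ok -PassThru
}

$report | Sort-Object Compliant, Computer |
    Format-Table Computer, IsHyperVHost, BTIHardwarePresent, BTISupportEnabled,
                 KVAShadowRequired, KVAShadowEnabled, Compliant -AutoSize
```

A guest that shows BTIHardwarePresent as False even after the host is patched points at missing host firmware/microcode or the missing host registry value rather than at the guest itself.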
  • Do you have a list of non-vulnerable CPUs?

    Can you give us a LINK to the original dissertation, that the above comes from?

    I have never heard of non-vulnerable CPUs except for the ATOM, prior to 2010 or 12??? (one of the two)

    A lot seems to have been happening around those 2 years in NDA land, thus the confusion....

    Best Regards,

    Crysta


    PhotM Phantom of the Mobile

    Saturday, January 20, 2018 7:31 PM
  • Try grc.com Steve Gibson's InSpectre, written in assembly/machine language. He gets right down into the weeds with it. On bare metal right into the silicon; in a VM, I am not sure?

    InSpectre   https://www.grc.com/inspectre.htm

    Best Regards,

    Crysta


    PhotM Phantom of the Mobile

    Saturday, January 20, 2018 7:38 PM