Tit Bits (2) on recent speculative execution side-channel vulnerabilities


Microsoft is constantly working to address the newly disclosed class of vulnerabilities referred to as "speculative execution side-channel attacks", which affect many modern operating systems and processors.

Microsoft has released the required patches at both the OS level and the SQL Server level to help address these vulnerabilities. The download links are listed in my previous blog post: https://blogs.msdn.microsoft.com/shreyasgowda/2018/01/12/tit-bits-on-the-recent-speculative-execution-side-channel-vulnerabilities/

Enabling the protections at the OS level:

Enabling these mitigations may affect performance. The actual performance impact will depend on multiple factors, such as the specific chipset in your physical host and the workloads that are running. Microsoft recommends that customers assess the performance impact for their environment and make necessary adjustments.

Your server is at increased risk if it is in one of the following categories:

  • Hyper-V hosts: requires protection against VM-to-VM and VM-to-host attacks.
  • Remote Desktop Services Hosts (RDSH): requires protection against session-to-session and session-to-host attacks.
  • Physical hosts or virtual machines that run untrusted code, such as containers, untrusted database extensions, untrusted web content, or workloads that run code provided from external sources: requires protection against untrusted-process-to-process and untrusted-process-to-kernel attacks.

Use these registry keys to enable the mitigations on the server and make sure that the system is restarted for the changes to take effect:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If this is a Hyper-V host and the firmware updates have been applied, fully shut down all virtual machines first: the firmware-related mitigation is only exposed to a VM if the firmware update was already applied on the host before the VM starts.

Restart the server for the changes to take effect.

Verifying whether the protections are applied:

The following PowerShell commands can be used to verify that the protections were successfully applied.

Install the PowerShell module:

PS> Install-Module SpeculationControl

Run the module to validate that the protections are enabled:

PS> # Save the current execution policy so it can be reset
PS> $SaveExecutionPolicy = Get-ExecutionPolicy
PS> Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
PS> Import-Module SpeculationControl
PS> Get-SpeculationControlSettings
PS> # Reset the execution policy to the original state
PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope CurrentUser

The output of this PowerShell script will resemble the following. Enabled protections appear in the output as “True.”

PS C:\> Get-SpeculationControlSettings

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: True

Windows OS support for branch target injection mitigation is present: True

Windows OS support for branch target injection mitigation is enabled: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True

Windows OS support for kernel VA shadow is present: True

Windows OS support for kernel VA shadow is enabled: True

Windows OS support for PCID optimization is enabled: True

Recommendations for complete protection at the SQL Server level:

Scenario: SQL Server runs as a dedicated application on a physical server with no untrusted SQL Server extensibility interfaces.
Recommendation: Apply all OS and SQL Server updates.

Scenario: SQL Server runs in a virtual machine in a public hosting environment (cloud).
Recommendation: For Azure, Microsoft has posted details about its mitigation efforts (KB 4073235); for other cloud providers, refer to their guidance.

Scenario: SQL Server runs in a virtual machine in a private hosting environment.
Recommendation: Refer to the hypervisor security documentation for security best practices (KB 4072698) for Windows Server and Hyper-V.

Scenario: SQL Server runs on a physical machine or VM and is either not a dedicated application or is using SQL Server extensibility interfaces with untrusted code.
Recommendation: Apply all OS and SQL Server updates. Enable KVAS, or restrict the use of extensibility interfaces to block untrusted code from executing on the machine.

Scenario: SQL Server 2017 runs on a Linux operating system (independent of whether extensibility interfaces are being used).
Recommendation: Updates to the Linux kernel are required and should be obtained from your distribution provider when available. Apply the Linux SQL Server patches. Consult your Linux OS distributor about whether and how to enable KPTI.

Enabling Kernel Virtual Address Shadowing (KVAS):

Consider the physical machine or VM that SQL Server runs on as a security boundary. If all code within the boundary already has access to all data within that boundary, no action is necessary. If this is not the case, the boundary is said to be multi-tenant. The vulnerabilities that have been found make it possible for code running in any process within that boundary, even under reduced permissions, to read any other data within that boundary. If any process in the boundary runs untrusted code, that process could use these vulnerabilities to read data from other processes. This untrusted code could be code loaded through SQL Server extensibility mechanisms or other processes within the boundary that run untrusted code.

To protect against untrusted code within a multi-tenant boundary, do either of the following:

  • Remove the untrusted code.
  • Turn on KVAS/KPTI to protect against process-to-process reads. This will have a performance impact.

Recommendations for antivirus software:

For Windows 10, Windows 8.1, Windows Server 2012 R2 and Windows Server 2016 

Microsoft recommends all customers protect their devices by running a compatible and supported antivirus program. Customers can take advantage of built-in antivirus protection, Windows Defender Antivirus, for Windows 8.1 and Windows 10 devices or a compatible third-party antivirus application. The antivirus software must set a registry key as described below in order to receive the January 2018 security updates.

For Windows 7 SP1 and Windows Server 2008 R2 SP1 Customers

In a default installation of Windows 7 SP1 or Windows Server 2008 R2 SP1, customers will not have an antivirus application installed by default. In these situations, Microsoft recommends installing a compatible and supported antivirus application such as Microsoft Security Essentials or a third-party anti-virus application. The anti-virus software must set a registry key as described below in order to receive the January 2018 security updates.

For Customers without Antivirus

In cases where customers can’t install or run antivirus software, Microsoft recommends manually setting the registry key as described below in order to receive the January 2018 security updates.

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD" Data="0x00000000"
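To tie the three parts of this post together, here is an added example (my own script, not part of the Microsoft guidance or the SpeculationControl module) that checks the registry values set above, the flags the post expects to be True in the Get-SpeculationControlSettings output, and the antivirus QualityCompat key, and prints one line per gap found. The property names on the object returned by Get-SpeculationControlSettings (BTIHardwarePresent, KVAShadowRequired, and so on) are assumed to match the module version current at the time of this post; run it in an elevated PowerShell session after the restart.

```powershell
# Added example: one compliance check covering the registry values, the
# SpeculationControl output and the antivirus compatibility key from this post.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Registry values that enable the OS mitigations (values as given in the post).
$mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
$expected = @(
    @{ Path = $mm;   Name = 'FeatureSettingsOverride';            Value = 0     },
    @{ Path = $mm;   Name = 'FeatureSettingsOverrideMask';        Value = 3     },
    @{ Path = $virt; Name = 'MinVmVersionForCpuBasedMitigations'; Value = '1.0' }
)
foreach ($e in $expected) {
    $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    if ($null -eq $actual) {
        $findings.Add("$($e.Name) is not set (expected $($e.Value))")
    } elseif ("$actual" -ne "$($e.Value)") {
        $findings.Add("$($e.Name) is $actual (expected $($e.Value))")
    }
}

# 2. Flags that the post's sample output shows as True. Property names are an
#    assumption about the module's returned object; the module also prints its
#    usual human-readable report when called.
Import-Module SpeculationControl -ErrorAction Stop
$s = Get-SpeculationControlSettings
$mustBeTrue = 'BTIHardwarePresent', 'BTIWindowsSupportPresent', 'BTIWindowsSupportEnabled'
if ($s.KVAShadowRequired) {
    # Kernel VA shadowing only matters on hardware that needs it (CVE-2017-5754).
    $mustBeTrue += 'KVAShadowWindowsSupportPresent', 'KVAShadowWindowsSupportEnabled'
    if (-not $s.KVAShadowPcidEnabled) {
        $findings.Add('KVA shadow is on but the PCID optimisation is not (performance, not security)')
    }
}
foreach ($p in $mustBeTrue) {
    if (-not $s.$p) { $findings.Add("$p is False") }
}

# 3. Antivirus compatibility key required to receive the January 2018 updates.
$qcPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$qcName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$qcValue = (Get-ItemProperty -Path $qcPath -Name $qcName -ErrorAction SilentlyContinue).$qcName
if ($qcValue -ne 0) {
    $findings.Add('QualityCompat key missing or not 0: the January 2018 updates will not be offered')
}

if ($findings.Count -eq 0) { 'All checks passed' } else { $findings | ForEach-Object { "FAIL: $_" } }
```

A non-empty BTIHardwarePresent finding usually means the firmware (microcode) update has not been applied yet, which the registry keys alone cannot fix.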

By following all of these recommendations, the environment is covered at every level: the OS, the SQL Server application and the antivirus software.

Hope this helps. Happy battling vulnerabilities!

