Details for Mitigating Speculative Store Bypass (SSB) - CVE-2018-3639

Document created by Robert Dell'Immagine on Sep 18, 2018. Last modified by Robert Dell'Immagine on Sep 18, 2018. Version 4.

The mitigation for Speculative Store Bypass (SSB) - CVE-2018-3639 is not enabled by default after installing the respective patches mentioned in ADV180012. The registry values required to enable the mitigation on both Clients and Servers are:

  • Reg Key - HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, Value - FeatureSettingsOverride, REG_DWORD - "8"
  • Reg Key - HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, Value - FeatureSettingsOverrideMask, REG_DWORD - "3"

 

QID 91462 primarily helps customers identify systems where the mitigation for CVE-2018-3639 is not enabled, by checking for the above registry key values. The above registry key settings also enable the mitigations for Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection") and Meltdown (CVE-2017-5754).
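The same comparison can be run locally on a host. The PowerShell below is an added example, not part of the original document and not Qualys' QID 91462 logic; the function name `Test-SsbRegistryMitigation` and its `-Enforce` switch are hypothetical, and only the key path and the values 8 and 3 come from this page.

```powershell
# Added example: audit (and optionally set) the two registry values named on this page.
$MmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# Values from this page: 8 / 3 enable SSB plus Spectre Variant 2 and Meltdown mitigations.
$PageValues = [ordered]@{
    FeatureSettingsOverride     = 8
    FeatureSettingsOverrideMask = 3
}

function Test-SsbRegistryMitigation {        # hypothetical helper name
    [CmdletBinding()]
    param([switch]$Enforce)                  # opt-in write; requires an elevated session

    if ($Enforce) {
        foreach ($name in $PageValues.Keys) {
            # -Force overwrites an existing value, so the call is idempotent.
            New-ItemProperty -LiteralPath $MmKey -Name $name -Value $PageValues[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }

    $key = Get-Item -LiteralPath $MmKey -ErrorAction Stop
    foreach ($name in $PageValues.Keys) {
        $actual = $key.GetValue($name, $null)    # $null when the value does not exist
        $kind   = if ($null -ne $actual) { $key.GetValueKind($name) } else { 'Missing' }
        [pscustomobject]@{
            Name      = $name
            Expected  = $PageValues[$name]
            Actual    = $actual
            Kind      = $kind
            # A missing value or a non-DWORD type counts as not enabled.
            Compliant = ($kind -eq 'DWord') -and ($actual -eq $PageValues[$name])
        }
    }
}

$report = Test-SsbRegistryMitigation
$report | Format-Table -AutoSize
if ($report.Compliant -contains $false) {
    Write-Warning 'Registry values do not match the settings this page lists for CVE-2018-3639.'
}
```

Run it without arguments to audit only; `Test-SsbRegistryMitigation -Enforce` writes both values and then reports the resulting state.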

 

Customers can set the registry key values accordingly to enable or disable the Spectre and Meltdown mitigations. Microsoft provided this flexibility so that customers can test the updates in their environment for performance and other issues before deploying them.

 

On Clients:

Unlike the mitigations for Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection") and Meltdown (CVE-2017-5754), which are enabled by default on Windows Clients, the mitigation for Speculative Store Bypass (SSB) - CVE-2018-3639 needs to be enabled via registry key settings:

 

Reference Screenshot for enabling CVE-2018-3639 (along with CVE-2017-5715 and CVE-2017-5754) on Clients:

 

Reference Screenshot mentioning that mitigations for CVE-2017-5715 and CVE-2017-5754 are enabled by default on Clients:

 

Adding the above registry key will enable mitigations for Speculative Store Bypass (SSB - CVE-2018-3639) along with Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection") and Meltdown (CVE-2017-5754).

 

Note: Customers who do not want the mitigations for Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection") and Meltdown (CVE-2017-5754) on Windows Client can selectively disable those protections by setting the above registry values accordingly.

 

On Servers:

The mitigations for Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection"), Meltdown (CVE-2017-5754) and Speculative Store Bypass (SSB - CVE-2018-3639) are disabled by default on Windows Server. Registry key settings are required to enable the mitigations.

 

Reference Screenshot for enabling CVE-2018-3639 (along with CVE-2017-5715 and CVE-2017-5754) on Servers:

 

Reference Screenshot mentioning that mitigations for CVE-2017-5715 and CVE-2017-5754 must be enabled to receive full protection on Servers:

 

Microsoft has disabled the protections by default on Windows Server so that customers can first evaluate the updates in their environment and check for any performance issues, and then decide whether to enable the protections or keep them disabled.

 

Note: Customers can also enable protections for only Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection") and Meltdown (CVE-2017-5754) by setting the values for the above-mentioned registry keys accordingly.

 

References:

[1] Windows client guidance for IT Pros to protect against speculative execution side-channel vulnerabilities - https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

[2] Windows Server guidance to protect against speculative execution side-channel vulnerabilities - https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
