Log in to create and rate content, and to follow, bookmark, and share content with other members. Not a member? Join Now!

AnsweredAssumed Answered

Microsoft Windows Spectre Variant 2 Patch is Enabled (KB4078130)

Question asked by adamc on Feb 5, 2018
Latest reply on Jun 7, 2018 by Dan Leate

Like • Show 1 Like1
Comment • 23

Is anyone seeing this new QID pop up on fully patched systems? QID 91429

I don't quite understand why it exists. I have a fully patched Windows 10 client with no issues, yet this QID is being detected. Am I misreading something? Or is there still some other patch out there that is required?

https://support.microsoft.com/en-us/help/4078130/update-to-disable-mitigation-against-spectre-variant-2

Vulnerability Note VU#584653 - CPU hardware vulnerable to side-channel attacks

Variant 1 (CVE-2017-5753, Spectre): Bounds check bypass

Variant 2 (CVE-2017-5715, also Spectre): Branch target injection

Variant 3 (CVE-2017-5754, Meltdown): Rogue data cache load, memory access permission check performed after kernel memory read

Joe Gregory

Jun 4, 2018 12:45 PM

Correct Answer

Hi Albert,

QID 91429 is being deprecated after reviewing customer feedback. Ultimately, this will be tracked via an 'Information Gathering' QID 91451 going forward. QID 91451 is already in circulation and should be showing on your recent scan reports.

Please see below the current message shown in the KB for QID 91429.

See the reply in context

No one else had this question

Outcomes

23 Replies

DMFezzaReed Feb 5, 2018 5:00 PM
Mark Correct
Correct Answer
Based on the vendor documentation, MS is informing its customers the previous patch can lead to more frequent reboots, data loss or corruption, therefore they are recommending Variant 2 be disabled. Meaning, if you choose not to disable Variant 2, then you basically do so at your own risk.

Threat
Microsoft released this update out-of-band from their normal update process. This update has mitigation to disable the Spectre variant 2 (CVE 2017-5715 Branch Target Injection) patch.
The Spectre Variant 2 Update was causing higher than expected reboots and other unpredictable system behavior which resulted in data loss or corruption.
Affected Operating Systems: Windows 2008 Service Pack 2, Windows 10, Windows Server 2016, Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows 8.1, Windows Server 2012 R2, Windows Server 2012
QID Detection Logic (authenticated):
Operating System: Windows 2008 Service Pack 2, Windows 10, Windows Server 2016, Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows 8.1, Windows Server 2012 R2, Windows Server 2012
The QID checks if the Spectre/Meltdown Patches have been applied on the system or not. If the patches are applied,the QID then checks if the values have seen for "FeatureSettingsOverride" and "FeatureSettingsOverrideMask" in registry hive "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" to disable Spectre Variant 2 patch.

Impact
Keeping the update enabled will lead to higher than expected reboots and other unpredictable system behavior which resulted in data loss or corruption.

QID 91429 is checking to make sure Variant 2 has been disabled. Is you have applied the fix for KB4078130, then I would first validate the server(s) have been rebooted? Second, have you performed a sanity check of the registry keys?

The QID checks if the Spectre/Meltdown Patches have been applied on the system or not. If the patches are applied,the QID then checks if the values have seen for "FeatureSettingsOverride" and "FeatureSettingsOverrideMask" in registry hive "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" to disable Spectre Variant 2 patch.

See https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

1 person found this helpful
Like • Show 0 Likes0
Actions
cdavidson Feb 6, 2018 1:30 AM
Mark Correct
Correct Answer
I would be interested to know why having the Spectre fix enabled is considered Sev 4 vulnerability? Is it simply because it can create system instability?
2 people found this helpful
Like • Show 2 Likes2
Actions
- Dan Leate @ cdavidson on Feb 6, 2018 1:41 AM
  Mark Correct
  Correct Answer
  Is there a vulnerability associated with this?
  Surely it is an informational item rather than a Sev 4?
  We have the patch enabled across our whole windows estate and have no issues with rebooting..
  Like • Show 2 Likes2
  Actions
adamc Feb 6, 2018 5:03 AM
Mark Correct
Correct Answer
I concur with the others. how is the a vulnerability and how is it a Severity 4. It should be an informational QID.

There is NO vulnerability associated with having the system patched for Variant 2. System reboots and compatibility issues with the update causing data loss and unexpected reboots is not a vulnerability. I do not look forward to briefing Qualys' poor judgement to my risk board.
2 people found this helpful
Like • Show 2 Likes2
Actions
DMFezzaReed Feb 6, 2018 10:40 AM
Mark Correct
Correct Answer
Qualys subscriptions provide the customer with the ability to edit, or disable, a QID as deemed appropriate for each customer environment. Please visit Edit Vulnerability for additional information.

Additionally, please consider the information from Microsoft and NVD. Per MS, this advisory addresses Spectre Variant 2 (CVE 2017-5715) :

1 person found this helpful
Like • Show 0 Likes0
Actions
- adamc @ DMFezzaReed on Feb 7, 2018 2:37 PM
  Mark Correct
  Correct Answer
  Thank you for the response. I do not know about others, but editing a vulnerability may not be authorized in some enterprises due to data integrity and validation standards. I also believe, I may be wrong, but if Qualys updates the QID and the modified date changes, it will cause the original value to be set back.
  
  I am still not understanding why this is a categorized as a confirmed vulnerability and why it is a severity 4.
  1 person found this helpful
  Like • Show 2 Likes2
  Actions
  - adamc @ adamc on Feb 8, 2018 9:37 AM
    Mark Correct
    Correct Answer
    Here is a great resource: Severity Levels
    
    Qualys did not follow their own guidelines in determining the severity level given to this QID.
    Like • Show 1 Like1
    Actions
    - psaux @ adamc on Feb 8, 2018 12:46 PM
      Mark Correct
      Correct Answer
      We just saw this popping up in our environment as well. I will say that after looking at the QID info the first thing that came to mind was that this was an IG and not a vuln. I am glad I am not the only one.
      1 person found this helpful
      Like • Show 1 Like1
      Actions
    - Robert Dell'Immagine @ adamc on Feb 8, 2018 1:00 PM
      Mark Correct
      Correct Answer
      I am asking our signatures team about this.
      3 people found this helpful
      Like • Show 2 Likes2
      Actions
adamc Feb 20, 2018 7:19 AM
Mark Correct
Correct Answer
Looks like Qualys changed this QID to a potential vulnerability.
3 people found this helpful
Like • Show 3 Likes3
Actions

Albert Ros May 21, 2018 1:47 AM

QID 91429 is considered a Potential Vulnerability in Scan Results now, which I think is right. But in a Patch Report it still appears as an issue so I think Qualys should be solve it.

You can solve it with an exception in your patch report or through search lists. However, I think Qualys ought to correct it.

Actions

DMFezzaReed

@ Albert Ros on May 21, 2018 1:50 PM

aros Have you Contact Support - Technical Assistance Inquiry Form | Qualys, Inc. to create a request to have the Patch Report reviewed?

Actions

Albert Ros @ DMFezzaReed on May 30, 2018 1:16 AM

Hi DMFezzaReed, I haven't done it. My last experiences with support haven't been the most successfull so I prefer no to spend my time in that. I solved it with modifications in my patch report templates. Thanks anyway.

1 person found this helpful

Actions

Dan Leate @ Albert Ros on Jun 4, 2018 4:23 AM

Another Qualys support victim!

Actions

djprakash

@ Dan Leate on Jun 5, 2018 10:43 PM

Dan, we would love to work with you and try our best to ensure you have a different opinion about support. Can you please drop an email to dj@Qxxxs.com to get started please.

Cheers,

1 person found this helpful

Actions

Dan Leate @ djprakash on Jun 6, 2018 4:03 AM

Hi Deb,

I would love you to work with me to change my opinion about Qualys support...

Unfortunately without your Dev team changing the erroneous code in your application that has been causing our RHEL hosts to incorrectly filter vulnerabilities for the last 8 months.... this will be doomed to failure.

Once this has been resolved I am happy for you to attempt to change my mind about the awful experience I have received.

Thanks Dan

Actions

djprakash

@ Dan Leate on Jun 6, 2018 4:22 AM

Hello Dan,

Please point me to the ticket and I will follow up and get back to you. Drop an email on -dj@qualys.com-

Let me find out how we can get this done at the earliest.

If it is a design or code issue with the report filter, than support can do very less as this time and Engg will have to make this work for us. Please share the ticket and I will get back with progress and timelines.

If possible, support can assist with a work-around in the meanwhile.

Cheers,

1 person found this helpful

Actions

Dan Leate @ djprakash on Jun 7, 2018 3:52 AM

One of there are many cases around the same issue, unfortunately they keep getting closed and new ones re-opened:


406157	Closed	FN for QID 45233	5/1/2018 9:10 AM	5/8/2018 10:12 AM	5/8/2018 10:12 AM	Nilesh Pawar	S3 - Medium	Vulnerability Management
308672	Closed	vulnerabilities missing on the platform	11/7/2017 2:45 AM	3/16/2018 7:45 AM	11/20/2017 2:46 AM	Arif Baig	S3 - Medium	Threat Protection
322651	Closed	Kernel vulnerabilities not showing	12/12/2017 4:32 AM	5/9/2018 9:27 AM	2/7/2018 12:34 PM	Nilesh Pawar	S3 - Medium	Vulnerability Management
342896	Closed	FP for QID 45233	1/23/2018 2:30 PM	5/8/2018 10:13 AM	5/8/2018 10:13 AM	Nilesh Pawar	S3 - Medium	Vulnerability Management
402079	Work Needed	Redhat vulnerabilities	4/18/2018 8:40 AM	6/6/2018 10:10 AM		Chetan Joshi	S3 - Medium	Vulnerability Management

Actions

Dan Leate @ djprakash on Jun 7, 2018 3:58 AM
Mark Correct
Correct Answer
If it is a design or code issue with the report filter, than support can do very less as this time and Engg will have to make this work for us.
Issue is in your application logic, not only have I identified it but I have told your Engineering and Dev team how to fix it.... however they have been on this for 5 months now.. SLA's???
Please share the ticket and I will get back with progress and timelines.
Tickets are below as far as I can tell progress is non existent, timeline so far has been 8 months and counting! seriously SLA's?

If possible, support can assist with a work-around in the meanwhile,
Support couldn't come up with a work-around in the meanwhile.. I had to do that myself (with 0 help from support).

Thanks for trying to do the right thing but you are poking a bear with a sore tooth here..
Like • Show 0 Likes0
Actions

Joe Gregory @ Albert Ros on Jun 4, 2018 12:45 PM
Unmark Correct
Correct Answer
Hi Albert,

QID 91429 is being deprecated after reviewing customer feedback. Ultimately, this will be tracked via an 'Information Gathering' QID 91451 going forward. QID 91451 is already in circulation and should be showing on your recent scan reports.

Please see below the current message shown in the KB for QID 91429.

2 people found this helpful
Like • Show 1 Like1
Actions
- Albert Ros @ Joe Gregory on Jun 5, 2018 1:26 AM
  Mark Correct
  Correct Answer
  Hi JGregory, I see QID 91451 as Information Gathered insteod of QID 91429 as Vulnerability. I guess in June 20 it also will disappear from Patch Reports.
  Thanks for the information.
  1 person found this helpful
  Like • Show 1 Like1
  Actions

ds0101 Jun 5, 2018 7:40 AM
Mark Correct
Correct Answer
Since this QID 91429 has been deprecated, shouldn't Qualys also auto-close any tickets that were created because of it? I don't see this as being the case in my setup and I'm afraid that if there are any other deprecated QID's we might be missing them and trying to resolve them.
Like • Show 1 Like1
Actions
- Joe Gregory @ ds0101 on Jun 5, 2018 10:13 AM
  Mark Correct
  Correct Answer
  Once this QID is deprecated (June 20th), you simply need to scan the asset again. When that scan is processed, all relevant tickets will close and host-based reporting will be updated.
  
  The QID will still exist in the KB, in case you have any need to go back and review the QID details.
  2 people found this helpful
  Like • Show 2 Likes2
  Actions

Incoming Links

Re: Spectre and Meltdown solution

Microsoft Windows Spectre Variant 2 Patch is Enabled (KB4078130)

Outcomes

Related Content

Recommended Content

Incoming Links