CVE-2018-3639 OS solution

First of all, CVE-2018-3639 is Speculative Store Bypass. Its solution includes a CPU microcode upgrade and an OS software upgrade.

The CPU microcode is fixed by the BIOS vendor; you can get the BIOS file from its vendor. The OS update is released by the OS vendor and is easy to get from the internet.

Windows:

https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

Manage Speculative Store Bypass and mitigations around Spectre Variant 2 and Meltdown

Applies to: Windows Server 2016 Version 1803 (Server Core), Windows Server 2016 Version 1709 (Server Core), Windows Server 2016, Windows Server 2008 R2 SP1

  • Enable mitigations around Speculative Store Bypass (CVE-2018-3639) together with mitigations around Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) through the following registry settings (because they are not enabled by default). Note: These registry changes require administrative rights and a restart.

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

 

  • Disable mitigations around Speculative Store Bypass (CVE-2018-3639) together with mitigations around Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) through the following registry settings.
     

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

  • Note: These registry changes require administrative rights and a restart.

Use SpectreMeltdownCheck.exe to check that the system is safe.

https://www.ashampoo.com/en/usd/pin/1304/security-software/spectre-meltdown-cpu-checker

 

 

Linux:

RHEL: https://access.redhat.com/security/vulnerabilities/ssbd

SLES: https://www.suse.com/support/kb/doc/?id=7022937

x86 processors from Intel and AMD offer Model Specific Registers (MSRs) which can be used to enable/disable the Speculative Store Bypass function. Using these MSRs, the new kernel updates offer the following kernel command line parameters:

  • spec_store_bypass_disable=[auto/on/off/prctl]
    default: auto

    • auto: When booting with this option, the kernel detects if the processor supports the Speculative Store Bypass (SSB) function, and selects the appropriate mitigation.
    • on: It turns the Speculative Store Bypass mitigation ON. The processor will not speculatively execute load (read) instructions before all store (write) addresses are resolved.
    • off: It turns the Speculative Store Bypass mitigation OFF. The processor will use the memory disambiguator function to speculatively execute load (read) instructions before earlier store (write) instructions.
    • prctl: It enables the Speculative Store Bypass mitigation on a per-thread basis using the prctl(2) interface.
  • nospec_store_bypass_disable:
    Disable all mitigations for the Speculative Store Bypass vulnerability.

The kernel update also adds support for the sysfs interface to report if the system processor is vulnerable to the Speculative Store Bypass issue and if corresponding mitigations are in place.

  • # cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
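
As an added example (not from the original page or the vendor advisories), the shell functions below cross-check the spec_store_bypass_disable boot parameter against the sysfs report. The function names and verdict labels are this example's own; the sysfs strings matched are the ones mainline x86 kernels print, and letting nospec_store_bypass_disable override the other parameter is an assumption of the example.

```sh
#!/bin/sh
# Added example: audit Speculative Store Bypass (CVE-2018-3639) state on Linux.

# Effective boot-time mode from a kernel command line string.
# Default is "auto"; a repeated parameter takes its last value; the
# nospec_ switch is treated as overriding (assumption of this example).
ssb_cmdline_mode() (
    set -f                      # no globbing while splitting the command line
    mode=auto nospec=0
    for arg in $1; do
        case "$arg" in
            spec_store_bypass_disable=*) mode=${arg#*=} ;;
            nospec_store_bypass_disable) nospec=1 ;;
        esac
    done
    if [ "$nospec" = 1 ]; then mode=off; fi
    printf '%s\n' "$mode"
)

# Map the sysfs line to a verdict: ok | optin | vulnerable | unknown.
# "optin" means only threads that ask for it (prctl/seccomp) are protected.
ssb_sysfs_verdict() {
    case "$1" in
        "Not affected"|"Mitigation: Speculative Store Bypass disabled") echo ok ;;
        "Mitigation: Speculative Store Bypass disabled via prctl"*) echo optin ;;
        Vulnerable*) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# Print one report line; succeed only when the CPU is not affected or the
# mitigation is on system-wide.  $1 = sysfs text, $2 = kernel command line
ssb_audit() {
    verdict=$(ssb_sysfs_verdict "$1")
    mode=$(ssb_cmdline_mode "$2")
    printf 'cmdline=%s sysfs=%s (%s)\n' "$mode" "$verdict" "$1"
    [ "$verdict" = ok ]
}

# Constructed sample input (not captured from a real host).
ssb_audit "Mitigation: Speculative Store Bypass disabled via prctl and seccomp" \
    "BOOT_IMAGE=/vmlinuz ro quiet" || echo "WARN: sample is not mitigated system-wide"

# Live check when run on a kernel that exposes the sysfs file.
f=/sys/devices/system/cpu/vulnerabilities/spec_store_bypass
if [ -r "$f" ] && [ -r /proc/cmdline ]; then
    ssb_audit "$(cat "$f")" "$(cat /proc/cmdline)" ||
        echo "WARN: this host is not mitigated system-wide"
fi
```
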

Use spectre-meltdown-checker.sh to check that the system is safe.

https://github.com/speed47/spectre-meltdown-checker