I can't enable the Meltdown/Spectre mitigations in Windows Server 2008 R2

Firstly, the above output is saying that the required Windows patch has not been installed:

Speculation control settings for CVE-2017-5715 [branch target injection]

Windows OS support for branch target injection mitigation is present: False

and

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Windows OS support for kernel VA shadow is present: False

Is your AV preventing it? - see here

Secondly, CVE-2017-5715 will also require a CPU microcode update, which means a BIOS update when/if it becomes available. Intel have apparently released the code but it's down to OEMs to provide updated BIOSes that incorporate it, and that may take a while.

All you can do right now is install the Windows patch. Once the correct patch is installed you should be covered for Meltdown but will still need a subsequent BIOS update to fully cover off Spectre.

FYI, here is the output for my (patched) Windows 10 system:

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: False

You will note that for CVE-2017-5715 it shows that the patch is installed but not enabled due to "absence of hardware support", i.e. the microcode update.

You will also note that for CVE-2017-5754 it simply says that it's not required; this is because I'm running on an AMD CPU.

As for your side note, I can't say for sure without testing, but if you look closely, for disabling, the FeatureSettingsOverride key is being set to 3, not 0 as is required to enable it, so I assume that you need the same mask for both but either a 0 (enable) or 3 (disable) for the FeatureSettingsOverride key.


CVE-2017-5715 looks right to me in the absence of a firmware update; however, CVE-2017-5754 is now showing as installed but disabled. Have you checked what the enabler registry keys are set to?

I've also just noted that CVE-2017-5715 is showing as disabled by system policy as well as by absence of hardware support, which also suggests the registry settings are wrong.


There are 3 registry keys, not two. See here:

https://support.microsoft.com/en-gb/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

You're missing this one:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
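As an added, read-only check (not code from the poster or from Microsoft), the PowerShell snippet below compares the three registry values named in the linked KB article against the "enabled" configuration; the value names, paths and expected values are those given in that article (FeatureSettingsOverride 0 and FeatureSettingsOverrideMask 3 as REG_DWORD, MinVmVersionForCpuBasedMitigations "1.0" as REG_SZ), and the helper name Get-RegValueOrNull is my own.

```powershell
# Added example: reports whether the three registry values from the Microsoft
# guidance linked above are set to the "enabled" state. Makes no changes.
# Per that KB article, Override 0 / Mask 3 enables both mitigations and
# Override 3 / Mask 3 explicitly disables them (the "disabled by system policy"
# state seen in Get-SpeculationControlSettings output).
$memMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$virt    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

# Hypothetical helper: returns the value, or $null if the key or value is absent.
function Get-RegValueOrNull([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$checks = @(
    @{ Path = $memMgmt; Name = 'FeatureSettingsOverride';            Expected = 0;     Type = 'REG_DWORD' },
    @{ Path = $memMgmt; Name = 'FeatureSettingsOverrideMask';        Expected = 3;     Type = 'REG_DWORD' },
    @{ Path = $virt;    Name = 'MinVmVersionForCpuBasedMitigations'; Expected = '1.0'; Type = 'REG_SZ'    }
)

$allGood = $true
foreach ($c in $checks) {
    $actual = Get-RegValueOrNull -Path $c.Path -Name $c.Name
    if ($null -eq $actual) {
        $state = 'MISSING'
        $allGood = $false
    } elseif ("$actual" -eq "$($c.Expected)") {
        $state = 'OK'
    } else {
        # e.g. FeatureSettingsOverride = 3 means the mitigations were turned off deliberately
        $state = "WRONG (found $actual)"
        $allGood = $false
    }
    '{0,-36} expected {1,-4} ({2}) : {3}' -f $c.Name, $c.Expected, $c.Type, $state
}

if ($allGood) {
    'All three values match the enabled configuration; a reboot is still needed after any change.'
} else {
    'One or more values are missing or wrong; compare against the reg add commands in the KB article.'
}
```

Run it in an elevated PowerShell on the server, then re-run Get-SpeculationControlSettings after the reboot to confirm the "disabled by system policy" lines have cleared.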