VMware

Spectre/Meltdown patches on VMs on a server without BIOS/firmware updates.

Hi!
If I have a server that is NOT updated with the newest firmware/BIOS, which runs ESXi 6.7 and some (Windows) virtual machines on it:

Would I still be able to implement the Spectre and Meltdown patches and activate them? Or do I need the BIOS updated first?



Posted on Reddit by VooDooMan85


5 Comments

  1. I think the threat is overblown and we decided not to implement it. Unless you’re a cloud VM provider, there’s zero risk for you. It’s extremely difficult to exploit those vulnerabilities, and requires kernel level access to a guest VM. If someone already has that access in my environment, then they are already well inside.

    The patches also have the side effect of a 10% performance hit across the board.

  2. * Patch ESXi. It will do the microcode updates of the host systems if you have those patches in the baseline.
    * Patch Windows.
    * Power off VM.
    * Upgrade VM Hardware version.
    * Power on VM.
    * Confirm with powershell. (https://gallery.technet.microsoft.com/scriptcenter/Speculation-Control-e36f0050)

    ~~iirc, all VMs on a host, or in the cluster, must be up to the correct hardware version (10+) for the remediations to be fully in place.~~ Edit: From my notes: After the VMHosts have been updated, every VM in a cluster must be powered off, and VM hardware version must be at level 9.

    If you want more detail, PM me an email address and I’ll send you the full writeup I did, formatted and linked/referenced.

  3. It depends. Generally speaking you need the BIOS update on the server, the ESXi update that supports it, and the OS patch. Also, in the case of Windows Server, variant 2 remediation is disabled by default and you have to flip a reg key to enable it (and take the performance hit at the same time).

  4. Also I’m not sure if I should use:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f


    Which is the most secure? ^^


    EDIT: Seems to be /d 72
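
As an added example that is not part of the thread (it is not any of the posters' code), the PowerShell below covers the guest-side part of the procedure in comment 2 ("Patch Windows ... Confirm with powershell") and the registry question in comment 4 on one Windows VM. It reads the current FeatureSettingsOverride pair, sets the override together with FeatureSettingsOverrideMask (Microsoft's guidance always pairs the two, with the mask at 3, followed by a reboot; the reg add lines above set only the override), and then uses Microsoft's SpeculationControl module to report whether the guest actually sees the microcode-backed Spectre v2 (BTI) hardware support coming from the host. The function names, the value table in the comments and the property names read from the module's output object are this example's own assumptions; the registry path and value names are the ones from the thread.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell session
# inside the Windows guest.
#Requires -RunAsAdministrator

$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-MitigationOverride {
    # Current override/mask pair; both are $null if they were never set.
    $p = Get-ItemProperty -Path $mm -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FeatureSettingsOverride     = $p.FeatureSettingsOverride
        FeatureSettingsOverrideMask = $p.FeatureSettingsOverrideMask
    }
}

function Enable-Mitigations {
    param(
        # Values from Microsoft's guidance (KB4072698 / KB4073119):
        #  0  = enable Spectre v2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) mitigations
        #  8  = 0 plus the Speculative Store Bypass (CVE-2018-3639) mitigation
        #  72 = 8 + 64: additionally enables user-to-kernel protection for Spectre v2 (Intel)
        #  3  = disable the Spectre v2 and Meltdown mitigations
        [ValidateSet(0, 3, 8, 72)]
        [int]$Override = 72
    )
    # The override is only honoured together with FeatureSettingsOverrideMask = 3.
    New-ItemProperty -Path $mm -Name FeatureSettingsOverride     -PropertyType DWord -Value $Override -Force | Out-Null
    New-ItemProperty -Path $mm -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3         -Force | Out-Null
    # Both values are read at boot: nothing changes until the guest restarts.
}

function Test-GuestMitigationState {
    # What the guest actually has; this is the part that depends on the host.
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        # Microsoft's check module from the PowerShell Gallery (successor of the
        # TechNet script linked in comment 2).
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    $s = Get-SpeculationControlSettings -Quiet

    [pscustomobject]@{
        # Hardware support for the Spectre v2 mitigation (IBRS/IBPB/STIBP) comes
        # from CPU microcode. A VM only sees it if the host has that microcode
        # (server BIOS, or the ESXi patch that bundles it), ESXi exposes it to
        # the VM, and the VM has been fully powered off and on since.
        HostMicrocodeVisibleToGuest = $s.BTIHardwarePresent
        SpectreV2_OSSupport         = $s.BTIWindowsSupportPresent
        SpectreV2_Enabled           = $s.BTIWindowsSupportEnabled
        # Meltdown's mitigation (KVA shadow) is purely OS-side and needs no firmware.
        Meltdown_Required           = $s.KVAShadowRequired
        Meltdown_Enabled            = $s.KVAShadowWindowsSupportEnabled
    }
}

# Usage: record the state, apply the recommended values, reboot, then re-check.
Get-MitigationOverride
Enable-Mitigations -Override 72
$state = Test-GuestMitigationState
$state
if (-not $state.HostMicrocodeVisibleToGuest) {
    Write-Warning 'Guest does not see updated microcode: the Spectre v2 mitigation stays off until the host side (microcode, ESXi patch, VM power cycle) is done.'
}
```

The useful signal for the original question is the last check: with the Windows patch and the registry values in place, Meltdown_Enabled goes true on its own after a reboot, while SpectreV2_Enabled stays false for as long as HostMicrocodeVisibleToGuest is false, which is exactly the "host not updated" case the post asks about.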
