KB5029778: How to manage the vulnerability associated with CVE-2022-40982
Introduction
Microsoft is aware of a new transient execution attack named gather data sampling (GDS) or "Downfall." This vulnerability could be used to infer data from affected CPUs across security boundaries such as user-kernel, processes, virtual machines (VMs), and trusted execution environments.
For more information about this vulnerability, see INTEL-SA-00828 security advisory and CVE-2022-40982.
Mitigate the vulnerability
IMPORTANT The mitigation described in this article is Enabled by default with the option to disable it. We recommend that you mitigate the vulnerability as soon as possible.
Note Intel’s latest products including Alder Lake, Raptor Lake, and Sapphire Rapids, have defense-in-depth measures in place and are not affected by this vulnerability.
To mitigate the vulnerability associated with CVE-2023-40982, install the Intel Platform Update (IPU) 23.3 microcode update. Typically, you need to obtain this update from your original equipment manufacturer (OEM). For a list of OEMs, see System Manufacturers. No further action to mitigate the vulnerability is required.
IMPORTANT We continue to work with Intel on their Gather Data Sample (GDS) Microcode and CPU support. Please refer to Intel for the most up-to-date information on GDS related Microcode and Firmware support from OEMs.
Disable the mitigation
If you do not consider GDS to be part of your threat model, you might choose to turn off (disable) the mitigation in a bare-metal environment.
Note Disabling the mitigation when Hyper-V (Virtualization) is enabled is not in scope of this current implementation.
To disable the GDS mitigation in Windows, you must have the following installed, as appropriate for your environment:
After the appropriate Windows update is installed, you must set the following feature flag in the registry:
- On supported Windows 10 and Windows 11 environments, you must have installed the Windows update dated on or after August 22, 2023.
KB5029331 Windows 10 Cumulative Update Preview Build 19045.3393 (22H2)
UUP Dump: 32-bit ISO download: Select language for Feature update to Windows 10, version 22H2 (19045.3393) x86 - UUP dump 64-bit ISO download: Select language for Feature update to Windows 10, version 22H2 (19045.3393) arm64 - UUP dump ARM64 ISO download:www.tenforums.com
KB5029351 Windows 11 Cumulative Update Preview Build 22621.2215 (22H2)
UPDATE 9/12: https://www.elevenforum.com/t/kb5030219-windows-11-cumulative-update-build-22621-2283-22h2.17886/ Microsoft Support: August 22, 2023 - KB5029351 (OS Build 22621.2215) Preview For information about Windows update terminology, see the article about the types of Windows updates and...www.elevenforum.com
- On supported Windows Server environments, you must have installed the Windows update dated on or after September 12, 2023.
Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Value name: FeatureSettingsOverride
Value type: REG_DWORD
Value data: 0x2000000 (hex)
If this registry value does not already exist, run the following command to disable the GDS mitigation:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 33554432 /f
References
Gather Data Sampling Technical Paper
Threat Analysis Assessment for GDS Paper
Gather Data Sampling Performance Data Analysis Paper
Intel Security Advisory: INTEL-SA-00828
Source:
Last edited:
