

Microsoft: Please Protect Windows 10 and Hyper-V Users against "Throwhammer"

Question

Friday, July 10, 2020 11:18 AM

This is important, as the infrastructure of the internet and cloud services remains vulnerable to this attack, as far as I understand. Nobody has disproven this to me. It's possible unprivileged attackers may be able to compromise systems locally as well as remotely with Throwhammer.

Windows 10 Hyper-V's "default switch" adapter is bound to RDMA by default and disabling it is not persistent after reboot.

If RDMA bindings cannot be disabled on vEthernet, and if Microsoft has not implemented appropriate mitigations, this may open Device Guard-enabled systems up to Throwhammer-related vulnerabilities [1], unless and until Microsoft has introduced appropriate software mitigations. Has Microsoft addressed Throwhammer vulnerabilities in Windows 10?

Microsoft, please offer users an option to make user "default switch" adapter binding customizations permanent, instead of reverting them to default on boot. Two potential attack surface risks become present: the NetBIOS/LLMNR binding is permanently enabled, opening users to possible NetBIOS/LLMNR poisoning/spoofing attacks; RDMA is permanently enabled, potentially exposing people to Throwhammer [2]; plus any customizations are reset to default upon reboot.

I have found the only solution: disable "DNSCache" (aka DNS Client) and use a better third-party DNS service such as Acrylic or Simple DNSCrypt; problem solved. If you use the Windows Store, you must open the Windows Store at least once prior to disabling DNSCache, otherwise you will get an error; the same will happen upon resetting the store.

To automate the disabling of RDMA on vEthernet and Ethernet adapters, use nvspbind. Here is a batch file template for automating the hardening process: https://pastebin.com/TgHt4Gc1. As a result, users don't need to change individual adapter properties manually via the GUI (like disabling NetBIOS/IPv6/RDMA). This could also be used as a scheduled task at boot to make all Ethernet and vEthernet binding changes permanent, even with new adapters.

================================================================

Google fixed similar issues on their Android devices:

How Google Mitigated the Drammer-like DMA based Rowhammer Attacks?

In 2016, after the details of the Drammer attack went public, Google pushed an update for Android devices that disabled one of ION's components (the kmalloc heap) responsible for contiguous memory allocations, in an attempt to mitigate the risk of 'deterministic' exploitation of the Rowhammer vulnerability. They did a whole lot more:

Source

All replies (3)

Monday, July 13, 2020 2:01 AM | 1 vote

Thanks for your sharing and feedback. I agree with your idea: disable DNS Client and use a third-party DNS service; this way is feasible.

As you said, I don't find any Microsoft official document talking about Throwhammer in Hyper-V; general Device Guard and Credential Guard documents don't mention Throwhammer.

However, please understand that the TechNet forum cannot provide more support about this topic; we can only help you to feed back this request. For deep research or consultation, you need to open a support ticket with Microsoft.

Also, feedback to Microsoft via the Windows built-in Feedback Hub app is another way.

Regards



Sunday, July 19, 2020 1:35 PM

Thank you dearly. I appreciate your response and have since found a cleaner way of dealing with this vEthernet problem:

Create a scheduled task: trigger at log on (logon of any user), user NT Authority\System starts a program (hidden):

"C:\Users\YOU\Desktop\Scheduled Task Fix Windows 404449304\stop_vethernet.bat"

Batch file contents:

netsh interface set interface "vEthernet (Ethernet)" DISABLED

Get the list of vEthernet adapters in PowerShell via:

Get-NetAdapter -name vE*

Problem solved.
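The hardening described in the opening post (turning off the RDMA / IPv6 / NetBIOS bindings on vEthernet adapters and re-applying that at boot) and in the reply above (a SYSTEM scheduled task that disables the vEthernet adapters outright), combined in one added PowerShell example. This is not code from either poster, from the pastebin template, or from Microsoft. It replaces nvspbind with the built-in NetAdapter cmdlets (Get-NetAdapterRdma, Disable-NetAdapterRdma, Disable-NetAdapterBinding), sets NetBIOS over TCP/IP through the Win32_NetworkAdapterConfiguration CIM class, and writes the documented EnableMulticastNameResolution policy value for LLMNR. The task name 'Harden-vEthernet', the parameter names and the default script path are this example's own choices; run it from an elevated PowerShell on Windows 10.

```powershell
<#
 Added example (not code from the thread or from Microsoft).
 Audits vEthernet adapters for the RDMA and IPv6 bindings discussed above,
 removes them (or disables the adapter entirely, as the reply does), and can
 register a SYSTEM startup task so the change is re-applied after the reboot
 reset the opening post describes.
#>
[CmdletBinding()]
param(
    [string]$AdapterFilter = 'vEthernet*',   # matches "vEthernet (Default Switch)" etc.
    [switch]$DisableAdapterEntirely,         # the reply's approach: netsh ... DISABLED
    [switch]$DisableLlmnr,                   # LLMNR is a per-host policy, not a binding
    [switch]$RegisterStartupTask,
    [string]$TaskScriptPath = $PSCommandPath # assumed: this script's own path
)

function Get-VEthernetAudit {
    # One row per matching adapter: what a defender checks before and after.
    Get-NetAdapter -Name $AdapterFilter -ErrorAction SilentlyContinue | ForEach-Object {
        $rdma = Get-NetAdapterRdma    -Name $_.Name -ErrorAction SilentlyContinue
        $v6   = Get-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name        = $_.Name
            Status      = $_.Status
            RdmaEnabled = [bool]($rdma -and $rdma.Enabled)
            IPv6Bound   = [bool]($v6 -and $v6.Enabled)
        }
    }
}

function Disable-VEthernetBindings {
    param([Parameter(Mandatory)][string]$Name)
    # Binding-level hardening: the adapter stays up for VMs, but RDMA, IPv6
    # and NetBIOS over TCP/IP are turned off on that interface.
    Disable-NetAdapterRdma    -Name $Name -ErrorAction SilentlyContinue
    Disable-NetAdapterBinding -Name $Name -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue
    $ifIndex = (Get-NetAdapter -Name $Name).InterfaceIndex
    $cfg = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex = $ifIndex"
    if ($cfg) {
        # TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enable, 2 = disable
        Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios `
            -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
    }
}

function Disable-LlmnrPolicy {
    # Same registry value the "Turn off multicast name resolution" policy sets.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name EnableMulticastNameResolution `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

function Register-HardenTask {
    param([Parameter(Mandatory)][string]$ScriptPath, [switch]$EntireAdapter)
    # Startup trigger runs before any user logs on; SYSTEM has the rights to
    # change bindings. Task name is an assumption of this example.
    $argLine = "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$ScriptPath`""
    if ($EntireAdapter) { $argLine += ' -DisableAdapterEntirely' }
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $argLine
    $trigger   = New-ScheduledTaskTrigger -AtStartup
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'Harden-vEthernet' -Action $action -Trigger $trigger `
        -Principal $principal -Force | Out-Null
}

Write-Host 'Before:'; Get-VEthernetAudit | Format-Table -AutoSize

foreach ($adapter in Get-NetAdapter -Name $AdapterFilter -ErrorAction SilentlyContinue) {
    if ($DisableAdapterEntirely) {
        Disable-NetAdapter -Name $adapter.Name -Confirm:$false
    } else {
        Disable-VEthernetBindings -Name $adapter.Name
    }
}
if ($DisableLlmnr)        { Disable-LlmnrPolicy }
if ($RegisterStartupTask) { Register-HardenTask -ScriptPath $TaskScriptPath -EntireAdapter:$DisableAdapterEntirely }

Write-Host 'After:'; Get-VEthernetAudit | Format-Table -AutoSize
```

The "Before" and "After" tables are the check: RdmaEnabled and IPv6Bound should read False afterwards, and re-running the audit after a reboot shows whether the startup task actually re-applied the settings. Without -DisableAdapterEntirely the adapter stays up, so VMs attached to the Default Switch keep their connectivity; with it, the script does exactly what the reply's netsh line does and those VMs lose that network path.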


Friday, July 31, 2020 7:42 AM | 1 vote

Glad to hear this issue has been solved. Thanks for sharing, hope your experience will help other community members facing similar problems.

Please mark the reply as an answer if you find it is helpful.