T
tutu_312
Windows 10 Hyper-V enables vEthernet adapters, which are bound to RDMA by default, and which cannot be disabled or modified. Any modification of these adapters, and their settings is reverted on reboot. If RDMA bindings cannot be disabled on vEthernet, and if Microsoft has not implemented Throwhammer mitigation, this may open Device Guard enabled systems up to Throwhammer related vulnerabilities [1], unless and until Microsoft has introduced appropriate software mitigations. My question is, has Microsoft addressed Throwhammer vulnerabilities in Hyper-V virtual ethernet adapters?
Microsoft, please make user generated vEthernet adapter binding customizations permanent, instead of reverting them to defaults on boot. Two potential attack surface risks become present: the NetBIOS/LLMNR binding is permanently enabled opening users to NetBIOS/LLMNR poisoning/spoofing attacks, RDMA is permanently enabled potentially exposing people to Throwhammer [2], and any adapter customizations are reset to default upon reboot.
I found a definitive solution to disable vEthernet, unless and until Microsoft fixes these hyper-v security flaws. Simply disable DNS Client and use a better third party DNS client. My solution works, even with Hyper-V enabled. Many of us don't want to disable Hyper-V security, and nothing else allowed me to disable vEthernet in Windows 10 2004. Everything is replaced on reboot, even netbios settings and RDMA which increase attack surface, (by vulnerabilities like throwhammer, unless hyper-v has implemented inbuilt mitigations) and its a pain to configure potentially hundreds of adapters every single time. Even automating with Nvspbind all settings revert on reboot. One way to disable these adapters literally once and for all is to disable "DNScache" aka "Dns Client" service and use a third-party DNS service such as Acrylic , or SimpleDNSCrypt. Be sure to comb through Acrylics configuration with a fine toothed comb because initially your default DNS provider will automatically be set to google or cloudflare. Then point acrylic to your router IP, or preferred DNS server, and set all your adapters DNS settings to 127.0.0.1.
You must disable DNSCache with regedit, here Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache
Set startup to 4, and reboot.
Aside from EventViewer errors clouding up the logs, The only minor caveat is you may see a single adapter constantly and briefly appearing and disappearing under Control Panel\Network and Internet\Network Connections and your device manager window may constantly refresh each time it attempts to install adapters. Another caveat is that initially loading the windows store you will get an error, unless you have previously opened the store with DNScache enabled. After that the store will work indefinitely unless you reset it. Not a big price to pay given how annoying this is, this actually works.
Continue reading...
Microsoft, please make user generated vEthernet adapter binding customizations permanent, instead of reverting them to defaults on boot. Two potential attack surface risks become present: the NetBIOS/LLMNR binding is permanently enabled opening users to NetBIOS/LLMNR poisoning/spoofing attacks, RDMA is permanently enabled potentially exposing people to Throwhammer [2], and any adapter customizations are reset to default upon reboot.
I found a definitive solution to disable vEthernet, unless and until Microsoft fixes these hyper-v security flaws. Simply disable DNS Client and use a better third party DNS client. My solution works, even with Hyper-V enabled. Many of us don't want to disable Hyper-V security, and nothing else allowed me to disable vEthernet in Windows 10 2004. Everything is replaced on reboot, even netbios settings and RDMA which increase attack surface, (by vulnerabilities like throwhammer, unless hyper-v has implemented inbuilt mitigations) and its a pain to configure potentially hundreds of adapters every single time. Even automating with Nvspbind all settings revert on reboot. One way to disable these adapters literally once and for all is to disable "DNScache" aka "Dns Client" service and use a third-party DNS service such as Acrylic , or SimpleDNSCrypt. Be sure to comb through Acrylics configuration with a fine toothed comb because initially your default DNS provider will automatically be set to google or cloudflare. Then point acrylic to your router IP, or preferred DNS server, and set all your adapters DNS settings to 127.0.0.1.
You must disable DNSCache with regedit, here Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache
Set startup to 4, and reboot.
Aside from EventViewer errors clouding up the logs, The only minor caveat is you may see a single adapter constantly and briefly appearing and disappearing under Control Panel\Network and Internet\Network Connections and your device manager window may constantly refresh each time it attempts to install adapters. Another caveat is that initially loading the windows store you will get an error, unless you have previously opened the store with DNScache enabled. After that the store will work indefinitely unless you reset it. Not a big price to pay given how annoying this is, this actually works.
Continue reading...