
[Updated] L1 Terminal Fault – New Class Of CPU Speculative-Execution Vulnerabilities

On Tuesday, 14th of August, Intel disclosed a new class of CPU speculative-execution vulnerability called “L1 Terminal Fault”. This class of vulnerabilities can occur on current and past Intel processors (from at least 2009 to 2018) when an affected Intel microprocessor speculates beyond an unpermitted data access. By continuing the speculation in these cases, the affected microprocessors expose a new side channel, allowing a malicious VM to infer data belonging to the hypervisor and to other VMs running on the same core. Three vulnerabilities have been named:

  • CVE-2018-3646 (L1 Terminal Fault – VMM)
  • CVE-2018-3620 (L1 Terminal Fault – OS)
  • CVE-2018-3615 (L1 Terminal Fault – SGX, SMM): VMware products are not affected by this one

The most severe of the three vulnerabilities (CVE-2018-3646: L1 Terminal Fault – VMM) impacts all hypervisors running on x86 Intel CPUs, including VMware vSphere, VMware Workstation and VMware Fusion. As a consequence, VMware services that use these products (including VMware Cloud on AWS and VMware Horizon Cloud) and VMware Cloud Provider Program partner environments are impacted.

VMware’s top priority is protecting and ensuring the security of your data and systems. VMware has been working closely with industry partners such as Intel and others to assess the issue and determine the most effective update and/or patch in conjunction with those partners. A knowledge base (KB) article, https://kb.vmware.com/kb/55636, has been created as the centralized source of information for this issue.

Mitigation of these vulnerabilities falls into two categories:

  • Hypervisor-specific mitigations
  • Operating system mitigations

This KB provides links to additional KBs with detailed mitigation processes for each of the attack vectors identified by the L1 Terminal Fault vulnerabilities. VMware encourages you to sign up to its Security-Announce mailing list to receive new and updated security advisories.

Protect Your Environment From VMSA-2018-0020 – Hypervisor-Specific Mitigation for the L1 Terminal Fault – VMM Vulnerability

Make sure to apply the patches listed in Security Advisory VMSA-2018-0020, as shown in the table below.

[Screenshot: L1 Terminal Fault : Versions]

Hypervisor Specific Mitigation Steps

CVE-2018-3646 has two currently known attack vectors for hypervisors which will be referred to here as “Sequential-Context” and “Concurrent-Context.”

Both the Sequential-Context and the Concurrent-Context attack vectors must be addressed to mitigate CVE-2018-3646.

  • Sequential-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a previous context (hypervisor thread or other VM thread) on either logical processor of a processor core.
  • Concurrent-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a concurrently executing context (hypervisor thread or other VM thread) on the other logical processor of the hyperthreading-enabled processor core.

Sequential-Context Attack Vector Mitigation

Patching the vCenter Server and the ESXi hosts to the versions given below mitigates this attack vector. This mitigation is enabled by default and does not impose a significant performance impact.

Patch your vCenter Servers to get the below recommended versions:

  • vCenter 6.7.0d
  • vCenter 6.5u2c
  • vCenter 6.0u3h
  • vCenter 5.5u3j
Check and confirm the updated build numbers of vCenter and ESXi.

[Screenshot: L1 Terminal Fault : VC]

[Screenshot: L1 Terminal Fault : 6.5 build version]

vCenter build versions can be found in this Knowledge Base article. Patch your ESXi servers with the patches listed below.

  • ESXi 6.7 
    • ESXi670-201808401-BG (esx-base)
    • ESXi670-201808402-BG (microcode)
    • ESXi670-201808403-BG (esx-ui)
  • ESXi 6.5 
    • ESXi650-201808401-BG (esx-base)
    • ESXi650-201808402-BG (microcode)
    • ESXi650-201808403-BG (esx-ui)
  • ESXi 6.0 
    • ESXi600-201808401-BG (esx-base)
    • ESXi600-201808402-BG (microcode)
    • ESXi600-201808403-BG (esx-ui)
  • ESXi 5.5
    • ESXi550-201808401-BG (esx-base)
    • ESXi550-201808402-BG (microcode)
    • ESXi550-201808403-BG (esx-ui)
  • VMware Workstation Pro 14.1.3
  • VMware Fusion Pro 10.1.3
Confirm the patch versions after upgrading the ESXi hosts against the VMware patch repository.

[Screenshot: L1 Terminal Fault : ESXi Version]

[Screenshot: L1 Terminal Fault : Patch version]

Even after vCenter and ESXi have been upgraded to the latest versions, the warning is still shown. This is because we have only completed the first phase of the mitigation, applying the patches, which addresses the Sequential-Context attack vector.

[Screenshot: L1 Terminal Fault : After the upgrade]

Note: If you are upgrading the ESXi hosts using Update Manager, make sure to download the latest released patches and check that you are covered by them.

[Screenshot: L1 Terminal Fault : Patch Repo]

Concurrent-context Attack Vector Mitigation

This mitigation requires enabling a new feature called the “ESXi Side-Channel-Aware Scheduler”. Note that this feature may impose a non-trivial performance impact and is not enabled by default. Installing the above patches makes the “ESXi Side-Channel-Aware Scheduler” available, but it must be enabled manually, so consider the performance of your environment before enabling it on your ESXi hosts.

The following identified potential problems are published by VMware: 

  • VMs configured with vCPUs greater than the physical cores available on the ESXi host
  • VMs configured with custom affinity or NUMA settings
  • VMs with latency-sensitive configuration
  • ESXi hosts with Average CPU Usage greater than 70%
  • Hosts with custom CPU resource management options enabled
  • HA Clusters where a rolling upgrade will increase Average CPU Usage above 100%

Three Mitigation Phases Have Been Introduced By VMware To Address These Security Contexts 

Note: “It may be necessary to acquire additional hardware, or rebalance existing workloads, before enablement of the ESXi Side-Channel-Aware Scheduler. Organizations can choose not to enable the ESXi Side-Channel-Aware Scheduler after performing a risk assessment and accepting the risk posed by the Concurrent-context attack vector. This is NOT RECOMMENDED and VMware cannot make this decision on behalf of an organization.”

Enable ESXi Side-Channel Aware Scheduler

Using vCenter Server 

Log in to vCenter Server, select the ESXi host and follow the steps below to edit the parameter (you have to apply the above patches in order to see these advanced parameters in the ESXi Advanced Settings list).

[Screenshot: L1 Terminal Fault : VC1]

Enable the VMkernel.Boot.hyperthreadingMitigation parameter.

[Screenshot: L1 Terminal Fault : enable parameter]

Using ESXi Host Client 

Access the ESXi Host Client using your web browser (https://<host_IP_address>/ui).

Follow the steps below to enable the VMkernel.Boot.hyperthreadingMitigation advanced setting.

Set the value to true.

Using esxcli commands

Open an SSH session to the host and run the command below to view the current status of the advanced setting:

esxcli system settings kernel list -o hyperthreadingMitigation

The values should be zero, as in the screen capture below. Run this command to enable the setting, then reboot the host:

esxcli system settings kernel set -s hyperthreadingMitigation -v TRUE

Again, enabling this scheduler may impose a non-trivial performance impact on applications running in a vSphere environment, so plan accordingly before enabling this setting.
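An added helper (not from the original post, and not a VMware tool) to classify the `esxcli system settings kernel list -o hyperthreadingMitigation` output across many hosts. It relies on the difference between the "Configured" column (takes effect at next boot) and the "Runtime" column (what the running kernel uses), so a host set to TRUE but not yet rebooted is reported separately; the column order is assumed from the esxcli table layout, and the sample outputs are constructed.

```shell
#!/bin/sh
# l1tf_sched_state: classify the Side-Channel-Aware Scheduler state from
# the esxcli table text passed as $1. Prints exactly one of:
#   active          Configured=TRUE and Runtime=TRUE (mitigation in effect)
#   pending-reboot  Configured=TRUE but Runtime=FALSE (set, host not rebooted)
#   disabled        Configured=FALSE (the patched-only default)
#   unknown         setting row not present (host probably not patched yet)
# Column positions assumed: Name, Type, Configured, Runtime, Default, ...
l1tf_sched_state() {
    printf '%s\n' "$1" | awk '
        $1 == "hyperthreadingMitigation" {
            found = 1
            conf = toupper($3); run = toupper($4)
            if (conf == "TRUE" && run == "TRUE")  print "active"
            else if (conf == "TRUE")              print "pending-reboot"
            else                                  print "disabled"
        }
        END { if (!found) print "unknown" }'
}

# Constructed sample outputs (the real description text is abbreviated).
SAMPLE_DISABLED='Name                      Type  Configured  Runtime  Default  Description
------------------------  ----  ----------  -------  -------  -----------
hyperthreadingMitigation  Bool  FALSE       FALSE    FALSE    (description)'

SAMPLE_PENDING='Name                      Type  Configured  Runtime  Default  Description
------------------------  ----  ----------  -------  -------  -----------
hyperthreadingMitigation  Bool  TRUE        FALSE    FALSE    (description)'

SAMPLE_ACTIVE='Name                      Type  Configured  Runtime  Default  Description
------------------------  ----  ----------  -------  -------  -----------
hyperthreadingMitigation  Bool  TRUE        TRUE     FALSE    (description)'

# Unpatched host: the setting row does not exist at all.
SAMPLE_MISSING='Name  Type  Configured  Runtime  Default  Description'

# On a real ESXi host, feed live output instead of the samples:
#   l1tf_sched_state "$(esxcli system settings kernel list -o hyperthreadingMitigation)"
for s in "$SAMPLE_DISABLED" "$SAMPLE_PENDING" "$SAMPLE_ACTIVE" "$SAMPLE_MISSING"; do
    l1tf_sched_state "$s"
done
```

Collecting the esxcli output from each host over SSH and piping it through this function gives a quick inventory of which hosts still need the setting, which only need the reboot, and which are done.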


Aruna Fernando