VMware has published new security advisories, knowledge base articles, updates and tools in response to newly disclosed speculative-execution vulnerabilities on Intel CPUs — collectively as “L1 Terminal Fault” — that can occur on Intel processors made from 2009 to 2018.
I’m going to outline our response to this issue, and make an attempt to summarize this complex event as best as I can. I would highly suggest reading through the linked articles as they’ll be more extensive and evolving.
Because this is complex, and evolving, to properly respond to these issues, consider KB55636 as the centralized source of truth from VMware.
Like the previously known Meltdown, Rogue System Register Read, and “Lazy FP state restore” vulnerabilities, the “L1 Terminal Fault” vulnerability can be exploited when affected Intel microprocessors speculate beyond an unpermitted data access.
L1TF – VMM (CVE-2018-3646 | VMSA-2018-0020)
This is the specific L1TF issue that affects the vSphere/ESXi hypervisor. It has two known attack vectors, both of which need to be mitigated. The first attack vector is mitigated through patches for both vCenter and ESXi.
The second attack vector is mitigated by enabling a new advanced configuration option (hyperthreadingMitigation) included in the updates. However, this advanced configuration option may have a performance impact so we have not be enabled it by default. This will limit operational risk by giving you time to analyze the effects prior to enabling.
There are new updates to both vCenter and ESXi that deliver the mitigation to L1TF:
- vCenter 6.7.0d, 6.5u2c, 6.0u3h, and 5.5u3j
- ESXi670-20180840x, ESXi650-20180840x, ESXi600-20180840x, and ESXi550-20180840x
There are also new versions of VMware Workstation (14.1.3) and Fusion (10.1.3) which address this issue.
L1TF – OS (CVE-2018-3620)
This is a local privilege escalation which requires base operating system updates for mitigation. Patches are pending for affected VMware appliances. Make sure you contact your operating system vendor(s) (Microsoft, Oracle, Red Hat, etc) for mitigation instructions in guest virtual machines as well.
L1TF – SGX (CVE-2018-3615)
This does not affect VMware products.