VMSA-2018-0020

VMware vSphere, Workstation, and Fusion updates enable Hypervisor-Specific Mitigations for L1 Terminal Fault - VMM vulnerability.

VMware Security Advisory
 
VMware Security Advisory Advisory ID:
 VMSA-2018-0020
VMware Security Advisory Severity:
 Important
VMware Security Advisory Synopsis:
 VMware vSphere, Workstation, and Fusion updates enable Hypervisor-Specific Mitigations for L1 Terminal Fault - VMM vulnerability.
VMware Security Advisory Issue date:
2018-08-14
VMware Security Advisory Updated on:
2018-08-14 (Initial Advisory)
VMware Security Advisory CVE numbers:
CVE-2018-3646
 
1. Summary

VMware vSphere, Workstation, and Fusion updates enable Hypervisor-Specific Mitigations for L1 Terminal Fault - VMM vulnerability.

 

The mitigations in this advisory are categorized as Hypervisor-Specific Mitigations described by VMware Knowledge Base article 55636.

 

2. Relevant Products
  • VMware vCenter Server (VC)
  • VMware vSphere ESXi (ESXi)
  • VMware Workstation Pro / Player (WS)
  • VMware Fusion Pro / Fusion (Fusion)   
 
3. Problem Description

vCenter Server, ESXi, Workstation, and Fusion updates include Hypervisor-Specific Mitigations for L1 Terminal Fault - VMM. This issue may allow a malicious VM running on a given CPU core to effectively read the hypervisor’s or another VM’s privileged information that resides sequentially or concurrently in the same core’s L1 Data cache.


The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-3646 to this issue.

 

CVE-2018-3646 has two currently known attack vectors which will be referred to as "Sequential-Context" and "Concurrent-Context."

 

Attack Vector Summary

  • Sequential-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a previous context (hypervisor thread or other VM thread) on either logical processor of a processor core.
  • Concurrent-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a concurrently executing context (hypervisor thread or other VM thread) on the other logical processor of the Hyper-Threading enabled processor core

Mitigation Summary

  • The Sequential-context attack vector is mitigated by a vSphere update to the product versions listed in the table below. This mitigation is dependent on Intel microcode updates (provided in separate ESXi patches for most Intel hardware platforms) also listed in the table below. This mitigation is enabled by default and does not impose a significant performance impact.
  • The Concurrent-context attack vector is mitigated through enablement of a new feature known as the ESXi Side-Channel-Aware Scheduler. This feature may impose a non-trivial performance impact and is not enabled by default.

Column 5 of the following table lists the action required to mitigate the vulnerability in each release, if a solution is available.

VMware Product Product Version Running On Severity Replace_with/Apply_Patch Mitigation/Workaround
VC 6.7 Any Important 6.7.0d None
VC 6.5 Any Important 6.5u2c None
VC 6.0 Any Important 6.0u3h None
VC 5.5 Any Important 5.5u3j None
ESXi 6.7 Any Important ESXi670-201808401-BG*
ESXi670-201808402-BG**
ESXi670-201808403-BG*		 None
ESXi 6.5 Any Important ESXi650-201808401-BG*
ESXi650-201808402-BG**
ESXi650-201808403-BG*		 None
ESXi 6.0 Any Important ESXi600-201808401-BG*
ESXi600-201808402-BG**
ESXi600-201808403-BG*		 None
ESXi 5.5 Any Important ESXi550-201808401-BG*
ESXi550-201808402-BG**
ESXi550-201808403-BG*		 None
WS 14.x Any Important 14.1.3* None
Fusion 10.x Any Important 10.1.3* None

*These patches DO NOT mitigate the Concurrent-context attack vector previously described by default. For details on the three-phase vSphere mitigation process please see KB55806 and for the mitigation process for Workstation and Fusion please see KB57138.

 
**These patches include microcode updates required for mitigation of the Sequential-context attack vector. This microcode may also be obtained from your hardware OEM in the form of a BIOS or firmware update. Details on microcode that has been provided by Intel and packaged by VMware is enumerated in the patch KBs found in the Solution section of this document.

4. Solution
 

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

 

vCenter 6.7.0d

Downloads:

https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_7
Documentation:

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-670d-release-notes.html

 

vCenter 6.5u2c

Downloads:

https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_5

Documentation:

https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u2c-release-notes.html

 

vCenter 6.0u3h

Downloads:

https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_0

Documentation:

https://docs.vmware.com/en/VMware-vSphere/6.0/rn/vsphere-vcenter-server-60u3h-release-notes.html

 

vCenter 5.5u3j

Downloads:

https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_5

Documentation:

https://docs.vmware.com/en/VMware-vSphere/5.5/rn/vsphere-vcenter-server-55u3j-release-notes.html

 

ESXi 6.7

Downloads:

https://my.vmware.com/group/vmware/patch

Documentation:

ESXi670-201808401-BG (esx-base): https://kb.vmware.com/kb/56537

ESXi670-201808402-BG (microcode): https://kb.vmware.com/kb/56538

ESXi670-201808403-BG (esx-ui): https://kb.vmware.com/kb/56897

 

ESXi 6.5

Downloads:

https://my.vmware.com/group/vmware/patch

Documentation:

ESXi650-201808401-BG (esx-base): https://kb.vmware.com/kb/56547

ESXi650-201808402-BG (microcode): https://kb.vmware.com/kb/56563

ESXi650-201808403-BG (esx-ui): https://kb.vmware.com/kb/56896

 

ESXi 6.0

Downloads:

https://my.vmware.com/group/vmware/patch

Documentation:

ESXi600-201808401-BG (esx-base): https://kb.vmware.com/kb/56552

ESXi600-201808402-BG (microcode): https://kb.vmware.com/kb/56553

ESXi600-201808403-BG (esx-ui): https://kb.vmware.com/kb/56895

 

ESXi 5.5

Downloads:

https://my.vmware.com/group/vmware/patch

Documentation:

ESXi550-201808401-BG (esx-base): https://kb.vmware.com/kb/56557

ESXi550-201808402-BG (microcode): https://kb.vmware.com/kb/56558

ESXi550-201808403-BG (esx-ui): https://kb.vmware.com/kb/56894

 

VMware Workstation Pro 14.1.3

Downloads:

https://www.vmware.com/go/downloadworkstation

Documentation:

https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

 

VMware Fusion Pro 10.1.3

Downloads:

https://www.vmware.com/go/downloadfusion

Documentation:

https://docs.vmware.com/en/VMware-Fusion/index.html

 

5. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646

https://kb.vmware.com/kb/55636

https://kb.vmware.com/kb/55806

https://kb.vmware.com/kb/57138

 

6. Change log

 

2018-08-14: VMSA-2018-0020
Initial security advisory in conjunction with vSphere, Workstation, and Fusion updates and patches released on 2018-08-14.

7. Contact

 

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com

  bugtraq@securityfocus.com

  fulldisclosure@seclists.org

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

 

VMware Security Advisories

https://www.vmware.com/security/advisories

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2018 VMware Inc. All rights reserved.