1. Impacted Products

• VMware vCenter Server (VC)
• VMware vSphere ESXi (ESXi)
• VMware Workstation Pro / Player (WS)
• VMware Fusion Pro / Fusion (Fusion)
• vCloud Usage Meter (UM)
• Identity Manager (vIDM)
• vCenter Server (vCSA)
• vSphere Data Protection (VDP)
• vSphere Integrated Containers (VIC)
• vRealize Automation (vRA)

2. Introduction
 

Intel has disclosed details on speculative-execution vulnerabilities known collectively as “Microarchitectural Data Sampling (MDS)" that can occur on Intel microarchitecture prior to 2nd Generation Intel® Xeon® Scalable Processors (formerly known as Cascade Lake). These issues may allow a malicious user who can locally execute code on a system to infer data otherwise protected by architectural mechanisms.
 

There are four uniquely identifiable vulnerabilities associated with MDS:

• CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS) - CVSSv3 = 6.5
• CVE-2018-12130 - Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVSSv3 = 6.5
• CVE-2018-12127 - Microarchitectural Load Port Data Sampling (MLPDS) - CVSSv3 = 6.5
• CVE-2019-11091 - Microarchitectural Data Sampling Uncacheable Memory (MDSUM) - CVSSv3 = 3.8

To assist in understanding speculative-execution vulnerabilities, VMware previously defined the following mitigation categories:

• Hypervisor-Specific Mitigations prevent information leakage from the hypervisor or guest VMs into a malicious guest VM. These mitigations require code changes for VMware products.
• Hypervisor-Assisted Guest Mitigations virtualize new speculative-execution hardware control mechanisms for guest VMs so that Guest OSes can mitigate leakage between processes within the VM. These mitigations require code changes for VMware products.
• Operating System-Specific Mitigations are applied to guest operating systems. These updates will be provided by a 3rd party vendor or in the case of VMware Virtual Appliances, by VMware.
• Microcode Mitigations are applied to a system’s processor(s) by a microcode update from the hardware vendor. These mitigations do not require hypervisor or guest operating system updates to be effective.
   

MDS vulnerabilities require Hypervisor-Specific Mitigations (described in section 3a.) Hypervisor-Assisted Guest Mitigations (described in section 3b.) and Operating System-Specific Mitigations (described in section 3c.)
 

3a. Hypervisor-Specific Mitigations for MDS vulnerabilities - CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091

Description:
 

vCenter Server, ESXi, Workstation, and Fusion updates include Hypervisor-Specific Mitigations for MDS speculative execution vulnerabilities. VMware has evaluated the severity of these issues to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.
 

Known Attack Vectors:
 

A malicious user must have local access to a virtual machine and the ability to execute code to infer data otherwise protected by architectural mechanisms from another virtual machine or the hypervisor itself via MDS vulnerabilities.
 

There are two known attack vector variants for MDS at the Hypervisor level:

• Sequential-context attack vector (Inter-VM): a malicious VM can potentially infer recently accessed data of a previous context (hypervisor thread or other VM thread) on either logical processor of a processor core.
• Concurrent-context attack vector (Inter-VM): a malicious VM can potentially infer recently accessed data of a concurrently executing context (hypervisor thread or other VM thread) on the other logical processor of the Hyper-Threading-enabled processor core.

Resolution:

• The Sequential-context attack vector (Inter-VM): is mitigated by a Hypervisor update to the product versions listed in the table below. These mitigations are dependent on Intel microcode updates (provided in separate ESXi patches for most Intel hardware platforms) listed in the table below. This mitigation is enabled by default and does not impose a significant performance impact.
• The Concurrent-context attack vector (Inter-VM): is mitigated through enablement of the ESXi Side-Channel-Aware Scheduler Version 1 or Version 2. These options may impose a non-trivial performance impact and are not enabled by default.

Workarounds:

• There are no known Hypervisor-Specific workarounds for the MDS class of vulnerabilities.

Additional Documentation:

• vSphere: KB67577 should be thoroughly reviewed to ensure a strong understanding of the Hypervisor-Specific Mitigations enablement process for MDS and potential CPU capacity impacts
• Workstation/Fusion: KB68025 should be thoroughly reviewed to ensure a strong understanding of the Hypervisor-Specific Mitigations enablement process for MDS and potential CPU capacity impacts.

Notes:

• VMware Hypervisors running on 2nd Generation Intel® Xeon® Scalable Processors (formerly known as Cascade Lake) are not affected by MDS vulnerabilities.

Acknowledgements:

• None.

Resolution Matrix:

1. vCenter updates are listed in the above table as a requirement for Hypervisor-Specific Mitigations as these updates include enhanced EVC modes which support the new MD-CLEAR functionality included in ESXi microcode updates.
2. These patches contain updated microcode.  At the time of this publication Sandy Bridge DT/EP Microcode Updates (MCUs) had not yet been provided to VMware. Customers on this microarchitecture may request MCUs from their hardware vendor in the form of a BIOS update. This microcode will be included in future releases of ESXi.
3. A regression introduced in ESXi 6.7u2, Workstation 15.5.0, and Fusion 11.5.0 causes Hypervisor-Specific Mitigations for L1TF (CVE-2018-3646) and MDS (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091) to be ineffective. This issue has been resolved in the patches reflected in the table above. This regression does not affect the ESXi 6.5 and 6.0 release lines, nor does it affect ESXi 6.7u2 if the ESXi Side-Channel-Aware Scheduler Version 2 is enabled.

3b. Hypervisor-Assisted Guest Mitigations for MDS vulnerabilities - CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091

Description:
 

vCenter Server, ESXi, Workstation, and Fusion updates support Hypervisor-Assisted Guest Mitigations for MDS speculative execution vulnerabilities. These updates expose new CPU control bits via microcode listed in the table below to the Virtual Machine layer. VMware has evaluated the severity of these issues to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.
 

Known Attack Vectors:
 

A malicious user must have local access to a virtual machine and the ability to execute code to infer data otherwise protected by architectural mechanisms within the Guest Operating System (Intra-VM) via MDS vulnerabilities. Virtual Machines hosted by VMware Hypervisors running on 2nd Generation Intel® Xeon® Scalable Processors (formerly known as Cascade Lake) are not affected by MDS vulnerabilities.

There are two known attack vector categories for MDS at the Virtual Machine level:

• Sequential-context attack vector (Intra-VM): a malicious local user of a Virtual Machine can potentially infer recently accessed data of a previous context otherwise protected by architectural mechanisms in the context of the same Virtual Machine.
  
• Concurrent-context attack vector (Intra-VM): a malicious local user of a Virtual Machine can potentially infer recently accessed data of a concurrently executing context on the other logical processor of the Hyper-Threading-enabled processor core in the context of the same Virtual Machine.
  

Resolution:

• Sequential-context attack vector (Intra-VM): mitigations are supported via Hypervisor updates listed in the table below. These mitigations are then enabled via Guest Operating System updates obtained through the operating system vendor (for VMware appliances see section 3c). These mitigations are dependent on Intel microcode updates (provided in separate ESXi patches for most Intel hardware platforms) listed in the table below. This mitigation is enabled by default and does not impose a significant performance impact.
  
• Concurrent-context attack vector (Intra-VM): is mitigated through enablement of the ESXi Side-Channel-Aware Scheduler Version 1. The ESXi Side-Channel-Aware Scheduler Version 2 does not mitigate MDS Concurrent-context attack vectors at the Virtual Machine layer. These options may impose a non-trivial performance impact and are not enabled by default.
  

Guest Operating Systems will also require Operating System-Specific Mitigations to support these Hypervisor-Assisted Guest Mitigations (see section 3c. for VMware Virtual Appliances).
 

Workarounds:

• Operating System-Specific workarounds for VMware Virtual Appliances are documented in section 3c.
  

Additional Documentation:

• KB68024 should be thoroughly reviewed to ensure a strong understanding of the Hypervisor-Assisted Guest Mitigations enablement process for MDS and potential CPU capacity impacts.

Notes:

• Virtual Machines hosted by VMware Hypervisors running on 2nd Generation Intel® Xeon® Scalable Processors (formerly known as Cascade Lake) are not affected by MDS vulnerabilities.
  

Acknowledgements:

• None.

Resolution Matrix:

 1. vCenter updates are listed in the above table as a requirement for Hypervisor-Assisted Guest Mitigations as these updates include enhanced EVC modes which support the new MD-CLEAR functionality included in ESXi microcode updates.
2. These patches contain updated microcode.  At the time of this publication Sandy Bridge DT/EP Microcode Updates (MCUs) had not yet been provided to VMware. Customers on this microarchitecture may request MCUs from their hardware vendor in the form of a BIOS update. This microcode will be included in future releases of ESXi.

3c. Operating System-Specific Mitigations for MDS vulnerabilities - CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091

Description:
 

A malicious user must have local access to a virtual machine and the ability to execute code to infer data otherwise protected by architectural mechanisms within the Guest Operating System (Intra-VM) via MDS vulnerabilities.
 

Known Attack Vectors:
 

A malicious user must have local access to a virtual machine and the ability to execute code to infer data otherwise protected by architectural mechanisms within the Guest Operating System (Intra-VM) via MDS vulnerabilities.

There are two known attack vector categories for MDS at the Virtual Machine level:

• Sequential-context attack vector (Intra-VM): a malicious local user of a Virtual Machine can potentially infer recently accessed data of a previous context otherwise protected by architectural mechanisms in the context of the same Virtual Machine.
• Concurrent-context attack vector (Intra-VM): a malicious local user of a Virtual Machine can potentially infer recently accessed data of a concurrently executing context on the other logical processor of the Hyper-Threading-enabled processor core in the context of the same Virtual Machine.
  

Resolution:

• Sequential-context attack vector (Intra-VM): mitigations are supported via Hypervisor-Assisted Guest Mitigations enumerated in section 3b and enabled via updated Linux kernels included with Virtual Appliance releases shown in the table below. These mitigations are dependent on Intel microcode updates (provided in separate ESXi patches for most Intel hardware platforms) listed in the table below.
• Concurrent-context attack vector (Intra-VM): is mitigated through enablement of the ESXi Side-Channel-Aware Scheduler. The ESXi Side-Channel-Aware Scheduler Version 2 introduced in 6.7u2 does NOT mitigate MDS Intra-VM Concurrent-context attack vectors at the Virtual Machine layer. These options may impose a non-trivial performance impact and are not enabled by default.

Workarounds:

• Some VMware Virtual Appliances can workaround MDS vulnerabilities by disabling local non-administrative accounts to ensure there is no available path for a malicious user to execute code.
  

Additional Documentation:

• None.
  

Notes:

• Virtual Machines hosted by VMware Hypervisors running on 2nd Generation Intel® Xeon® Scalable Processors (formerly known as Cascade Lake) are not affected by MDS vulnerabilities.
• VMware Virtual Appliances NOT listed in the Resolution Matrix below do not have valid attack vectors under supported configurations and are considered unaffected.
  
  

Acknowledgements:

• None.

Resolution Matrix:

4. References:
 

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11091

Fixed Version(s) and Release Notes:
 

vCenter 6.7 U2c

https://my.vmware.com/web/vmware/details?downloadGroup=VC67U2C&productId=742

vCenter 6.7 U2a
https://my.vmware.com/group/vmware/get-download?downloadGroup=VC67U2A

vCenter 6.5 u3

https://my.vmware.com/web/vmware/details?downloadGroup=VC65U3&productId=614

vCenter 6.5 U2g
https://my.vmware.com/group/vmware/get-download?downloadGroup=VC65U2G

vCenter 6.0 U3i
https://my.vmware.com/group/vmware/get-download?downloadGroup=VC60U3I

ESXi 6.7, Patch Release ESXi670-201911001
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-201911001.html
 

ESXi 6.5, Patch Release ESXi650-201905001
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-201905001.html

ESXi 6.0, Patch Release ESXi600-201905001
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.0/rn/esxi600-201905001.html

VMware Workstation 15.5.1
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Fusion 11.5.1
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

Workarounds:
https://kb.vmware.com/s/article/52467
https://kb.vmware.com/s/article/52284
https://kb.vmware.com/s/article/52312
https://kb.vmware.com/s/article/52377
https://kb.vmware.com/s/article/52497

Additional Documentation:
https://kb.vmware.com/s/article/67577
https://kb.vmware.com/s/article/68025
https://kb.vmware.com/s/article/68024

5. Change Log:

2019-05-14: Initial security advisory in conjunction with vSphere, Workstation, and Fusion updates and patches released on 2019-05-14.

2019-08-05: VMSA-2019-0008.1

Updated security advisory with Operating System-Specific Mitigations included with vCenter Server Appliance 6.7u2c and vCenter Server Appliance 6.5u3.

2019-11-12: VMSA-2019-0008.2
Updated security advisory with patches for the ESXi 6.7, Workstation 15, and Fusion 11 release lines which resolve a regression that causes Hypervisor-Specific Mitigations for L1TF (CVE-2018-3646) and MDS (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091) to be ineffective.
 

6. Contact:

E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org

E-mail: security@vmware.com
PGP key: https://kb.vmware.com/kb/1055

VMware Security Advisories: http://www.vmware.com/security/advisories
VMware Security Response Policy: https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases: https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog: https://blogs.vmware.com/security
Twitter: https://twitter.com/VMwareSRC

Copyright 2019 VMware Inc. All rights reserved.