Advisory ID | VMSA-2019-0008.2 |
Advisory Severity | Moderate |
CVSSv3 Range | 3.8 - 6.5 |
Synopsis | VMware product updates enable Hypervisor-Specific Mitigations, Hypervisor-Assisted Guest Mitigations, and Operating System-Specific Mitigations for Microarchitectural Data Sampling (MDS) Vulnerabilities (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091) |
Issue Date | 2019-05-14 |
Updated On | 2019-11-12 |
CVE(s) | CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091 |
1. Impacted Products
2. Introduction
Intel has disclosed details on speculative-execution vulnerabilities known collectively as “Microarchitectural Data Sampling (MDS)" that can occur on Intel microarchitecture prior to 2nd Generation Intel® Xeon® Scalable Processors (formerly known as Cascade Lake). These issues may allow a malicious user who can locally execute code on a system to infer data otherwise protected by architectural mechanisms.
There are four uniquely identifiable vulnerabilities associated with MDS:
To assist in understanding speculative-execution vulnerabilities, VMware previously defined the following mitigation categories:
MDS vulnerabilities require Hypervisor-Specific Mitigations (described in section 3a.) Hypervisor-Assisted Guest Mitigations (described in section 3b.) and Operating System-Specific Mitigations (described in section 3c.)
3a. Hypervisor-Specific Mitigations for MDS vulnerabilities - CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091
Description:
vCenter Server, ESXi, Workstation, and Fusion updates include Hypervisor-Specific Mitigations for MDS speculative execution vulnerabilities. VMware has evaluated the severity of these issues to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.
Known Attack Vectors:
A malicious user must have local access to a virtual machine and the ability to execute code to infer data otherwise protected by architectural mechanisms from another virtual machine or the hypervisor itself via MDS vulnerabilities.
There are two known attack vector variants for MDS at the Hypervisor level:
Resolution:
Workarounds:
Additional Documentation:
Notes:
Acknowledgements:
Resolution Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
vCenter Server1 | 6.7 | Any | N/A | N/A | N/A | 6.7 U2a | None | KB67577 |
vCenter Server1 | 6.5 | Any | N/A | N/A | N/A | 6.5 U2g | None | KB67577 |
vCenter Server1 | 6.0 | Any | N/A | N/A | N/A | 6.0 U3i | None | KB67577 |
ESXi3 | 6.7 | Any | CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 |
6.5 | Moderate | ESXi670-201911401-BG ESXi670-201911402-BG2 |
None | KB67577 |
ESXi | 6.5 | Any | CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 |
6.5 | Moderate | ESXi650-201905401-BG ESXi650-201905402-BG2 |
None | KB67577 |
ESXi | 6.0 | Any | CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 |
6.5 | Moderate | ESXi600-201905401-BG ESXi600-201905402-BG2 |
None | KB67577 |
Workstation3 | 15.x | Any | CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 |
6.5 | Moderate | 15.5.1 | None | KB68025 |
Fusion3 | 11.x | Any | CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 |
6.5 | Moderate | 11.5.1 | None | KB68025 |
1. vCenter updates are listed in the above table as a requirement for Hypervisor-Specific Mitigations as these updates include enhanced EVC modes which support the new MD-CLEAR functionality included in ESXi microcode updates.
2. These patches contain updated microcode. At the time of this publication Sandy Bridge DT/EP Microcode Updates (MCUs) had not yet been provided to VMware. Customers on this microarchitecture may request MCUs from their hardware vendor in the form of a BIOS update. This microcode will be included in future releases of ESXi.
3. A regression introduced in ESXi 6.7u2, Workstation 15.5.0, and Fusion 11.5.0 causes Hypervisor-Specific Mitigations for L1TF (CVE-2018-3646) and MDS (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091) to be ineffective. This issue has been resolved in the patches reflected in the table above. This regression does not affect the ESXi 6.5 and 6.0 release lines, nor does it affect ESXi 6.7u2 if the ESXi Side-Channel-Aware Scheduler Version 2 is enabled.
3b. Hypervisor-Assisted Guest Mitigations for MDS vulnerabilities - CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091
Description:
vCenter Server, ESXi, Workstation, and Fusion updates support Hypervisor-Assisted Guest Mitigations for MDS speculative execution vulnerabilities. These updates expose new CPU control bits via microcode listed in the table below to the Virtual Machine layer. VMware has evaluated the severity of these issues to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.
Known Attack Vectors:
A malicious user must have local access to a virtual machine and the ability to execute code to infer data otherwise protected by architectural mechanisms within the Guest Operating System (Intra-VM) via MDS vulnerabilities. Virtual Machines hosted by VMware Hypervisors running on 2nd Generation Intel® Xeon® Scalable Processors (formerly known as Cascade Lake) are not affected by MDS vulnerabilities.
There are two known attack vector categories for MDS at the Virtual Machine level:
Resolution:
Guest Operating Systems will also require Operating System-Specific Mitigations to support these Hypervisor-Assisted Guest Mitigations (see section 3c. for VMware Virtual Appliances).
Workarounds:
Additional Documentation:
Notes:
Acknowledgements:
Resolution Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
vCenter Server1 | 6.7 | Any | N/A | N/A | N/A | 6.7 U2a | None | KB68024 |
vCenter Server1 | 6.5 | Any | N/A | N/A | N/A | 6.5 U2g | None | KB68024 |
vCenter Server1 | 6.0 | Any | N/A | N/A | N/A | 6.0 U3i | None | KB68024 |
ESXi | 6.7 | Any | CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 |
6.5 | Moderate | ESXi670-201905401-BG ESXi670-201905402-BG2 ESXi670-201905403-BG |
None | KB68024 |
ESXi | 6.5 | Any | CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 |
6.5 | Moderate | ESXi650-201905401-BG ESXi650-201905402-BG2 |
None | KB68024 |
ESXi | 6.0 | Any | CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 |
6.5 | Moderate | ESXi600-201905401-BG ESXi600-201905402-BG2 |
None | KB68024 |
Workstation | 15.x | Any | CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 |
6.5 | Moderate | 15.1.0 | None | KB68024 |
Fusion | 11.x | Any | CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 |
6.5 | Moderate | 11.1.0 | None | KB68024 |
1. vCenter updates are listed in the above table as a requirement for Hypervisor-Assisted Guest Mitigations as these updates include enhanced EVC modes which support the new MD-CLEAR functionality included in ESXi microcode updates.
2. These patches contain updated microcode. At the time of this publication Sandy Bridge DT/EP Microcode Updates (MCUs) had not yet been provided to VMware. Customers on this microarchitecture may request MCUs from their hardware vendor in the form of a BIOS update. This microcode will be included in future releases of ESXi.
3c. Operating System-Specific Mitigations for MDS vulnerabilities - CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091
Description:
A malicious user must have local access to a virtual machine and the ability to execute code to infer data otherwise protected by architectural mechanisms within the Guest Operating System (Intra-VM) via MDS vulnerabilities.
Known Attack Vectors:
A malicious user must have local access to a virtual machine and the ability to execute code to infer data otherwise protected by architectural mechanisms within the Guest Operating System (Intra-VM) via MDS vulnerabilities.
There are two known attack vector categories for MDS at the Virtual Machine level:
Resolution:
Workarounds:
Additional Documentation:
Notes:
Acknowledgements:
Resolution Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
vCloud Usage Meter | x.x | Virtual Appliance | CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 |
6.5 | Moderate | Patch Pending | KB52467 | None |
Identity Manager | x.x | Virtual Appliance | CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 |
6.5 | Moderate | Patch Pending | KB52284 | None |
vCenter Server | 6.7 | Virtual Appliance | CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 |
6.5 | Moderate | 6.7u2c | KB52312 | None |
vCenter Server | 6.5 | Virtual Appliance | CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 |
6.5 | Moderate | 6.5u3 | KB52312 | None |
vCenter Server | 6.0 | Virtual Appliance | CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 |
6.5 | Moderate | Patch Pending |
KB52312 | None |
VMware Data protection | 6.x | Virtual Appliance | CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 |
6.5 | Moderate | Patch Pending |
None | None |
VMware Integrated Containers |
1.x | Virtual Appliance | CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 |
6.5 | Moderate | Patch Pending |
None | None |
vRealize Automation | 7.x | Virtual Appliance | CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 |
6.5 | Moderate | 8.0.0 | KB52377 | None |
vRealize Automation | 6.x | Virtual Appliance | CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 |
6.5 | Moderate | Won't Fix | KB52497 | None |
4. References:
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11091
Fixed Version(s) and Release Notes:
vCenter 6.7 U2c
https://my.vmware.com/web/vmware/details?downloadGroup=VC67U2C&productId=742
vCenter 6.7 U2a
https://my.vmware.com/group/vmware/get-download?downloadGroup=VC67U2A
vCenter 6.5 u3
https://my.vmware.com/web/vmware/details?downloadGroup=VC65U3&productId=614
vCenter 6.5 U2g
https://my.vmware.com/group/vmware/get-download?downloadGroup=VC65U2G
vCenter 6.0 U3i
https://my.vmware.com/group/vmware/get-download?downloadGroup=VC60U3I
ESXi 6.7, Patch Release ESXi670-201911001
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-201911001.html
ESXi 6.5, Patch Release ESXi650-201905001
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-201905001.html
ESXi 6.0, Patch Release ESXi600-201905001
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.0/rn/esxi600-201905001.html
VMware Workstation 15.5.1
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html
VMware Fusion 11.5.1
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html
vRealize Automation 8.0.0
https://my.vmware.com/web/vmware/details?productId=935&rPId=40695&downloadGroup=VRA-800
Workarounds:
https://kb.vmware.com/s/article/52467
https://kb.vmware.com/s/article/52284
https://kb.vmware.com/s/article/52312
https://kb.vmware.com/s/article/52377
https://kb.vmware.com/s/article/52497
Additional Documentation:
https://kb.vmware.com/s/article/67577
https://kb.vmware.com/s/article/68025
https://kb.vmware.com/s/article/68024
5. Change Log:
2019-05-14: Initial security advisory in conjunction with vSphere, Workstation, and Fusion updates and patches released on 2019-05-14.
2019-08-05: VMSA-2019-0008.1
Updated security advisory with Operating System-Specific Mitigations included with vCenter Server Appliance 6.7u2c and vCenter Server Appliance 6.5u3.
2019-11-12: VMSA-2019-0008.2
Updated security advisory with patches for the ESXi 6.7, Workstation 15, and Fusion 11 release lines which resolve a regression that causes Hypervisor-Specific Mitigations for L1TF (CVE-2018-3646) and MDS (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091) to be ineffective.
6. Contact:
E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org
E-mail: security@vmware.com
PGP key: https://kb.vmware.com/kb/1055
VMware Security Advisories: http://www.vmware.com/security/advisories
VMware Security Response Policy: https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases: https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog: https://blogs.vmware.com/security
Twitter: https://twitter.com/VMwareSRC
Copyright 2019 VMware Inc. All rights reserved.