Support Content Notification - Support Portal

VMSA-2018-0020:VMware vSphere, Workstation, and Fusion updates enable Hypervisor-Specific Mitigations for L1 Terminal Fault - VMM vulnerability.

Product/Component

VMware

0 more products

Notification Id

23545

Last Updated

12 August 2018

Initial Publication Date

12 August 2018

Status

CLOSED

Severity

HIGH

CVSS Base Score

6.5

WorkAround

Affected CVE

CVE-2018-3646

VMSA-2018-0020

VMware vSphere, Workstation, and Fusion updates enable Hypervisor-Specific Mitigations for L1 Terminal Fault - VMM vulnerability.

VMware Security Advisory

VMware Security Advisory Advisory ID:

VMSA-2018-0020

VMware Security Advisory Severity:

Important

VMware Security Advisory Synopsis:

VMware vSphere, Workstation, and Fusion updates enable Hypervisor-Specific Mitigations for L1 Terminal Fault - VMM vulnerability.

VMware Security Advisory Issue date:

2018-08-14

VMware Security Advisory Updated on:

2018-08-14 (Initial Advisory)

VMware Security Advisory CVE numbers:

CVE-2018-3646

1. Summary

VMware vSphere, Workstation, and Fusion updates enable Hypervisor-Specific Mitigations for L1 Terminal Fault - VMM vulnerability.

The mitigations in this advisory are categorized as Hypervisor-Specific Mitigations described by VMware Knowledge Base article 55636.

2. Relevant Products

VMware vCenter Server (VC)
VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (WS)
VMware Fusion Pro / Fusion (Fusion)

3. Problem Description

vCenter Server, ESXi, Workstation, and Fusion updates include Hypervisor-Specific Mitigations for L1 Terminal Fault - VMM. This issue may allow a malicious VM running on a given CPU core to effectively read the hypervisor’s or another VM’s privileged information that resides sequentially or concurrently in the same core’s L1 Data cache.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-3646 to this issue.

CVE-2018-3646 has two currently known attack vectors which will be referred to as "Sequential-Context" and "Concurrent-Context."

Attack Vector Summary

Sequential-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a previous context (hypervisor thread or other VM thread) on either logical processor of a processor core.
Concurrent-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a concurrently executing context (hypervisor thread or other VM thread) on the other logical processor of the Hyper-Threading enabled processor core

Mitigation Summary

The Sequential-context attack vector is mitigated by a vSphere update to the product versions listed in the table below. This mitigation is dependent on Intel microcode updates (provided in separate ESXi patches for most Intel hardware platforms) also listed in the table below. This mitigation is enabled by default and does not impose a significant performance impact.
The Concurrent-context attack vector is mitigated through enablement of a new feature known as the ESXi Side-Channel-Aware Scheduler. This feature may impose a non-trivial performance impact and is not enabled by default.

Column 5 of the following table lists the action required to mitigate the vulnerability in each release, if a solution is available.

VMware Product	Product Version	Running On	Severity	Replace_with/Apply_Patch	Mitigation/Workaround
VC	6.7	Any	Important	6.7.0d	None
VC	6.5	Any	Important	6.5u2c	None
VC	6.0	Any	Important	6.0u3h	None
VC	5.5	Any	Important	5.5u3j	None
ESXi	6.7	Any	Important	ESXi670-201808401-BG* ESXi670-201808402-BG** ESXi670-201808403-BG*	None
ESXi	6.5	Any	Important	ESXi650-201808401-BG* ESXi650-201808402-BG** ESXi650-201808403-BG*	None
ESXi	6.0	Any	Important	ESXi600-201808401-BG* ESXi600-201808402-BG** ESXi600-201808403-BG*	None
ESXi	5.5	Any	Important	ESXi550-201808401-BG* ESXi550-201808402-BG** ESXi550-201808403-BG*	None
WS	14.x	Any	Important	14.1.3*	None
Fusion	10.x	Any	Important	10.1.3*	None

*These patches DO NOT mitigate the Concurrent-context attack vector previously described by default. For details on the three-phase vSphere mitigation process please see KB55806 and for the mitigation process for Workstation and Fusion please see KB57138.

**These patches include microcode updates required for mitigation of the Sequential-context attack vector. This microcode may also be obtained from your hardware OEM in the form of a BIOS or firmware update. Details on microcode that has been provided by Intel and packaged by VMware is enumerated in the patch KBs found in the Solution section of this document.

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

vCenter 6.7.0d

Downloads:

https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_7
Documentation:

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-670d-release-notes.html

vCenter 6.5u2c

Downloads:

https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_5

Documentation:

https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u2c-release-notes.html

vCenter 6.0u3h

Downloads:

https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_0

Documentation:

https://docs.vmware.com/en/VMware-vSphere/6.0/rn/vsphere-vcenter-server-60u3h-release-notes.html

vCenter 5.5u3j

Downloads:

https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_5

Documentation:

https://docs.vmware.com/en/VMware-vSphere/5.5/rn/vsphere-vcenter-server-55u3j-release-notes.html

ESXi 6.7

Downloads:

https://my.vmware.com/group/vmware/patch

Documentation:

ESXi670-201808401-BG (esx-base): https://kb.vmware.com/kb/56537

ESXi670-201808402-BG (microcode): https://kb.vmware.com/kb/56538

ESXi670-201808403-BG (esx-ui): https://kb.vmware.com/kb/56897

ESXi 6.5

Downloads:

https://my.vmware.com/group/vmware/patch

Documentation:

ESXi650-201808401-BG (esx-base): https://kb.vmware.com/kb/56547

ESXi650-201808402-BG (microcode): https://kb.vmware.com/kb/56563

ESXi650-201808403-BG (esx-ui): https://kb.vmware.com/kb/56896

ESXi 6.0

Downloads:

https://my.vmware.com/group/vmware/patch

Documentation:

ESXi600-201808401-BG (esx-base): https://kb.vmware.com/kb/56552

ESXi600-201808402-BG (microcode): https://kb.vmware.com/kb/56553

ESXi600-201808403-BG (esx-ui): https://kb.vmware.com/kb/56895

ESXi 5.5

Downloads:

https://my.vmware.com/group/vmware/patch

Documentation:

ESXi550-201808401-BG (esx-base): https://kb.vmware.com/kb/56557

ESXi550-201808402-BG (microcode): https://kb.vmware.com/kb/56558

ESXi550-201808403-BG (esx-ui): https://kb.vmware.com/kb/56894

VMware Workstation Pro 14.1.3

Downloads:

https://www.vmware.com/go/downloadworkstation

Documentation:

https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Fusion Pro 10.1.3

Downloads:

https://www.vmware.com/go/downloadfusion

Documentation:

https://docs.vmware.com/en/VMware-Fusion/index.html

5. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646

https://kb.vmware.com/kb/55636

https://kb.vmware.com/kb/55806

https://kb.vmware.com/kb/57138

6. Change log

2018-08-14: VMSA-2018-0020
Initial security advisory in conjunction with vSphere, Workstation, and Fusion updates and patches released on 2018-08-14.

7. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

[email protected]

E-mail: [email protected]

PGP key at:

https://kb.vmware.com/kb/1055

VMware Security Advisories

https://www.vmware.com/security/advisories

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog

https://blogs.vmware.com/security

Twitter

https://twitter.com/VMwareSRC