VMSA-2018-0020: VMware vSphere, Workstation, and Fusion updates enable Hypervisor-Specific Mitigations for L1 Terminal Fault - VMM vulnerability.

VMware

12 August 2018

12 August 2018

CLOSED

HIGH

6.5

CVE-2018-3646

VMSA-2018-0020

VMware Security Advisory
 
Advisory ID: VMSA-2018-0020
Severity: Important
Synopsis: VMware vSphere, Workstation, and Fusion updates enable Hypervisor-Specific Mitigations for L1 Terminal Fault - VMM vulnerability.
Issue date: 2018-08-14
Updated on: 2018-08-14 (Initial Advisory)
CVE numbers: CVE-2018-3646
 
1. Summary

VMware vSphere, Workstation, and Fusion updates enable Hypervisor-Specific Mitigations for L1 Terminal Fault - VMM vulnerability.

 

The mitigations in this advisory are categorized as Hypervisor-Specific Mitigations described by VMware Knowledge Base article 55636.

 

2. Relevant Products
  • VMware vCenter Server (VC)
  • VMware vSphere ESXi (ESXi)
  • VMware Workstation Pro / Player (WS)
  • VMware Fusion Pro / Fusion (Fusion)   
 
3. Problem Description

vCenter Server, ESXi, Workstation, and Fusion updates include Hypervisor-Specific Mitigations for L1 Terminal Fault - VMM. This issue may allow a malicious VM running on a given CPU core to effectively read the hypervisor’s or another VM’s privileged information that resides sequentially or concurrently in the same core’s L1 Data cache.


The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-3646 to this issue.

 

CVE-2018-3646 has two currently known attack vectors which will be referred to as "Sequential-Context" and "Concurrent-Context."

 

Attack Vector Summary

  • Sequential-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a previous context (hypervisor thread or other VM thread) on either logical processor of a processor core.
  • Concurrent-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a concurrently executing context (hypervisor thread or other VM thread) on the other logical processor of the Hyper-Threading enabled processor core.

Mitigation Summary

  • The Sequential-context attack vector is mitigated by a vSphere update to the product versions listed in the table below. This mitigation is dependent on Intel microcode updates (provided in separate ESXi patches for most Intel hardware platforms) also listed in the table below. This mitigation is enabled by default and does not impose a significant performance impact.
  • The Concurrent-context attack vector is mitigated through enablement of a new feature known as the ESXi Side-Channel-Aware Scheduler. This feature may impose a non-trivial performance impact and is not enabled by default.

Column 5 of the following table lists the action required to mitigate the vulnerability in each release, if a solution is available.

| VMware Product | Product Version | Running On | Severity | Replace_with/Apply_Patch | Mitigation/Workaround |
|---|---|---|---|---|---|
| VC | 6.7 | Any | Important | 6.7.0d | None |
| VC | 6.5 | Any | Important | 6.5u2c | None |
| VC | 6.0 | Any | Important | 6.0u3h | None |
| VC | 5.5 | Any | Important | 5.5u3j | None |
| ESXi | 6.7 | Any | Important | ESXi670-201808401-BG*, ESXi670-201808402-BG**, ESXi670-201808403-BG* | None |
| ESXi | 6.5 | Any | Important | ESXi650-201808401-BG*, ESXi650-201808402-BG**, ESXi650-201808403-BG* | None |
| ESXi | 6.0 | Any | Important | ESXi600-201808401-BG*, ESXi600-201808402-BG**, ESXi600-201808403-BG* | None |
| ESXi | 5.5 | Any | Important | ESXi550-201808401-BG*, ESXi550-201808402-BG**, ESXi550-201808403-BG* | None |
| WS | 14.x | Any | Important | 14.1.3* | None |
| Fusion | 10.x | Any | Important | 10.1.3* | None |

*By default, these patches DO NOT mitigate the Concurrent-context attack vector described above. For details on the three-phase vSphere mitigation process, please see KB55806; for the mitigation process for Workstation and Fusion, please see KB57138.

**These patches include microcode updates required for mitigation of the Sequential-context attack vector. This microcode may also be obtained from your hardware OEM in the form of a BIOS or firmware update. Details on the microcode that has been provided by Intel and packaged by VMware are enumerated in the patch KBs found in the Solution section of this document.
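
The mitigation rules and table above can be applied to a host inventory. The following Python is an added example, not VMware code: it derives the ESXi bulletin IDs from the table and reports, per host, whether each attack vector is covered. The host records and their field names (bulletins, oem_microcode, scheduler_enabled) are constructed for illustration, and treating all three listed bulletins as required is an assumption.

```python
# Added example: audit ESXi host records against VMSA-2018-0020.
# Host records are constructed sample data; field names are hypothetical.

# Bulletin numbers and release tags as they appear in the advisory table.
ROLES = {"esx-base": "401", "microcode": "402", "esx-ui": "403"}
RELEASES = {"6.7": "670", "6.5": "650", "6.0": "600", "5.5": "550"}


def required_bulletins(version):
    """Return {role: bulletin ID} for an ESXi release covered by the advisory."""
    tag = RELEASES[version]  # KeyError for releases the advisory does not list
    return {role: f"ESXi{tag}-201808{num}-BG" for role, num in ROLES.items()}


def audit_host(host):
    """Classify one host for the two CVE-2018-3646 attack vectors."""
    need = required_bulletins(host["version"])
    have = set(host["bulletins"])
    missing = [b for b in need.values() if b not in have]
    # Microcode may come from the 402 bulletin or an OEM BIOS/firmware update.
    if host.get("oem_microcode") and need["microcode"] in missing:
        missing.remove(need["microcode"])
    # Assumption: Sequential-context counts as covered once nothing is missing.
    sequential = not missing
    # The scheduler is off by default, so patching alone never covers this vector.
    concurrent = sequential and bool(host.get("scheduler_enabled"))
    actions = [f"apply {b}" for b in missing]
    if not concurrent:
        actions.append("enable ESXi Side-Channel-Aware Scheduler (KB55806)")
    return {"host": host["name"], "sequential": sequential,
            "concurrent": concurrent, "actions": actions}


# Constructed inventory, not real hosts.
INVENTORY = [
    {"name": "esx-a", "version": "6.7", "bulletins": [], "scheduler_enabled": False},
    {"name": "esx-b", "version": "6.5", "oem_microcode": True,
     "bulletins": ["ESXi650-201808401-BG", "ESXi650-201808403-BG"]},
    {"name": "esx-c", "version": "6.0", "scheduler_enabled": True,
     "bulletins": ["ESXi600-201808401-BG", "ESXi600-201808402-BG",
                   "ESXi600-201808403-BG"]},
]

if __name__ == "__main__":
    for record in INVENTORY:
        print(audit_host(record))
```

A fully patched host with the scheduler left at its default still reports the Concurrent-context vector as open, which is the case the single-asterisk footnote warns about.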

4. Solution
 

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

 

vCenter 6.7.0d

Downloads:

https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_7
Documentation:

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-670d-release-notes.html

 

vCenter 6.5u2c

Downloads:

https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_5

Documentation:

https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u2c-release-notes.html

 

vCenter 6.0u3h

Downloads:

https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_0

Documentation:

https://docs.vmware.com/en/VMware-vSphere/6.0/rn/vsphere-vcenter-server-60u3h-release-notes.html

 

vCenter 5.5u3j

Downloads:

https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_5

Documentation:

https://docs.vmware.com/en/VMware-vSphere/5.5/rn/vsphere-vcenter-server-55u3j-release-notes.html

 

ESXi 6.7

Downloads:

https://my.vmware.com/group/vmware/patch

Documentation:

ESXi670-201808401-BG (esx-base): https://kb.vmware.com/kb/56537

ESXi670-201808402-BG (microcode): https://kb.vmware.com/kb/56538

ESXi670-201808403-BG (esx-ui): https://kb.vmware.com/kb/56897

 

ESXi 6.5

Downloads:

https://my.vmware.com/group/vmware/patch

Documentation:

ESXi650-201808401-BG (esx-base): https://kb.vmware.com/kb/56547

ESXi650-201808402-BG (microcode): https://kb.vmware.com/kb/56563

ESXi650-201808403-BG (esx-ui): https://kb.vmware.com/kb/56896

 

ESXi 6.0

Downloads:

https://my.vmware.com/group/vmware/patch

Documentation:

ESXi600-201808401-BG (esx-base): https://kb.vmware.com/kb/56552

ESXi600-201808402-BG (microcode): https://kb.vmware.com/kb/56553

ESXi600-201808403-BG (esx-ui): https://kb.vmware.com/kb/56895

 

ESXi 5.5

Downloads:

https://my.vmware.com/group/vmware/patch

Documentation:

ESXi550-201808401-BG (esx-base): https://kb.vmware.com/kb/56557

ESXi550-201808402-BG (microcode): https://kb.vmware.com/kb/56558

ESXi550-201808403-BG (esx-ui): https://kb.vmware.com/kb/56894

 

VMware Workstation Pro 14.1.3

Downloads:

https://www.vmware.com/go/downloadworkstation

Documentation:

https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

 

VMware Fusion Pro 10.1.3

Downloads:

https://www.vmware.com/go/downloadfusion

Documentation:

https://docs.vmware.com/en/VMware-Fusion/index.html

 

6. Change log

 

2018-08-14: VMSA-2018-0020
Initial security advisory in conjunction with vSphere, Workstation, and Fusion updates and patches released on 2018-08-14.

7. Contact

 

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

  [email protected]

  [email protected]

  [email protected]

 

E-mail: [email protected]

PGP key at:

https://kb.vmware.com/kb/1055

 

VMware Security Advisories

https://www.vmware.com/security/advisories

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2018 VMware Inc. All rights reserved.