Intel L1 Terminal Fault Security Vulnerability.
In a nutshell, if two virtual machines are running on the same physical processor (commonplace), they share the L1 cache, which is memory built into the CPU itself. This vulnerability has the potential for malicious software on one virtual machine to access information sitting in that L1 memory that belongs to other virtual machines sharing the physical processor.
Intel have a nice explanation video here
And deeper info here
VMware have released vCenter and ESXi patches and advice on mitigating against these vulnerabilities.
For Hypervisor Specific Mitigation of CVE-2018-3646 for vSphere see https://kb.vmware.com/s/article/55806
Attack Vector Summary
- Sequential-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a previous context (hypervisor thread or other VM thread) on either logical processor of a processor core.
- Concurrent-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a concurrently executing context (hypervisor thread or other VM thread) on the other logical processor of the hyperthreading-enabled processor core.
The Sequential-context attack vector is covered by the vSphere updates and patching with no significant impact, while the Concurrent-context attack vector requires enabling a new feature called the ESXi Side-Channel-Aware Scheduler.
The initial version of this feature will only schedule the hypervisor and VMs on one logical processor of an Intel Hyperthreading-enabled core. This feature may impose a non-trivial performance impact and is not enabled by default.
So when it comes to planning the fix for that attack vector, i.e. enabling the ESXi Side-Channel-Aware Scheduler, VMware recommend performing a risk assessment first. They have also provided an HTAware Mitigation Tool to assist with the decision on whether to enable it.
Details found here: https://kb.vmware.com/s/article/56931
PowerCLI is required, and the HTAware Mitigation module (found in the above link) must be installed.
Next, connect to your vCenter server via PowerCLI by entering: Connect-VIServer
Next, run the command:
Get-HTAwareMitigationAnalysis -Server vCenter_Server_Name
This will produce the following files:
- json.gz – Raw collected data
- csv – Processed results in CSV format
- html – Detailed report
- json.gz – Processed raw data
The output.html produces a report like the one below, detailing cluster and host CPU utilization, and gives an ADVICE-only recommendation based on the vCenter stats.
User due diligence is also required before making a decision.
Notification in the web client once patching has been completed.
This notification can be suppressed if you are not enabling the Side-Channel-Aware Scheduler.
Enabling the ESXi Side-Channel-Aware Scheduler using the vSphere Web Client or vSphere Client
- Connect to the vCenter Server using either the vSphere Web or vSphere Client.
- Select an ESXi host in the inventory.
- Click the Manage (5.5/6.0) or Configure (6.5/6.7) tab.
- Click the Settings sub-tab.
- Under the System heading, click Advanced System Settings.
- Click in the Filter box and search for VMkernel.Boot.hyperthreadingMitigation.
- Select the setting by name and click the Edit pencil icon.
- Change the configuration option to true (default: false).
- Click OK.
- Reboot the ESXi host for the configuration change to go into effect.
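The same setting can be audited (and, once the risk assessment is done, enabled) across a whole cluster from PowerCLI instead of host by host in the client. This is an added example, not code from the original post or from VMware's KB; it assumes an existing Connect-VIServer session, uses the real Get-AdvancedSetting / Set-AdvancedSetting cmdlets, and $ClusterName is a placeholder for your own cluster. Without -Enable it only reports.

```powershell
# Added example: report VMkernel.Boot.hyperthreadingMitigation for every host in a
# cluster and optionally set it to true. Assumes PowerCLI is loaded and you are already
# connected with Connect-VIServer. $ClusterName is a placeholder.
param(
    [Parameter(Mandatory = $true)][string]$ClusterName,
    [switch]$Enable   # omit to run report-only, matching the "risk assessment first" advice
)

$settingName = 'VMkernel.Boot.hyperthreadingMitigation'
$vmhosts = Get-Cluster -Name $ClusterName | Get-VMHost | Sort-Object Name

$report = foreach ($vmhost in $vmhosts) {
    # The advanced setting only exists once the L1TF ESXi patches are installed,
    # so a missing setting is itself a finding (host not yet patched).
    $setting = Get-AdvancedSetting -Entity $vmhost -Name $settingName -ErrorAction SilentlyContinue
    $current = if ($setting) { [System.Convert]::ToBoolean($setting.Value) } else { $null }
    $changed = $false

    if ($Enable -and $setting -and -not $current) {
        # Set-AdvancedSetting persists the value; it is a boot-time option, so it only
        # takes effect after a host reboot (which this script deliberately does not do).
        Set-AdvancedSetting -AdvancedSetting $setting -Value $true -Confirm:$false | Out-Null
        $changed = $true
    }

    [pscustomobject]@{
        Host                 = $vmhost.Name
        Version              = $vmhost.Version
        HyperthreadingActive = $vmhost.HyperthreadingActive   # concurrent-context vector only matters with HT on
        SettingPresent       = [bool]$setting
        MitigationConfigured = if ($null -eq $current) { 'n/a (unpatched)' } else { $current -or $changed }
        RebootRequired       = $changed
    }
}

$report | Format-Table -AutoSize
```

Hosts showing SettingPresent = False still need the L1TF patches before the scheduler can be enabled; hosts showing RebootRequired = True keep running the old scheduler until they are rebooted.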
Links to related info found below:
https://kb.vmware.com/s/article/55636
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646
https://kb.vmware.com/s/article/55767
https://kb.vmware.com/s/article/55806
https://kb.vmware.com/s/article/56931