VMware Security Advisory 2018-0020 - VMware vSphere, Workstation, and Fusion updates enable Hypervisor- Specific Mitigations for L1 Terminal Fault - VMM vulnerability. The mitigations in this advisory are categorized as Hypervisor- Specific Mitigations described by VMware Knowledge Base article 55636.
2c8cc803aace73f901e71e3d4d028eadfddc5c98c0b3f7dee27acc67d3dc461a
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2018-0020
Severity: Important
Synopsis: VMware vSphere, Workstation, and Fusion updates enable
Hypervisor-Specific Mitigations for L1 Terminal Fault - VMM
vulnerability.
Issue date: 2018-08-14
Updated on: 2018-08-14 (Initial Advisory)
CVE number: CVE-2018-3646
1. Summary
VMware vSphere, Workstation, and Fusion updates enable Hypervisor-
Specific Mitigations for L1 Terminal Fault - VMM vulnerability.
The mitigations in this advisory are categorized as Hypervisor-
Specific Mitigations described by VMware Knowledge Base article
55636.
2. Relevant Products
VMware vCenter Server (VC)
VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (WS)
VMware Fusion Pro / Fusion (Fusion)
3. Problem Description
vCenter Server, ESXi, Workstation, and Fusion updates include
Hypervisor-Specific Mitigations for L1 Terminal Fault - VMM. This
issue may allow a malicious VM running on a given CPU core to
effectively read the hypervisoras or another VMas privileged
information that resides sequentially or concurrently in the same
coreas L1 Data cache.
CVE-2018-3646 has two currently known attack vectors which will be
referred to as "Sequential-Context" and "Concurrent-Context."
Attack Vector Summary
Sequential-context attack vector: a malicious VM can potentially
infer recently accessed L1 data of a previous context (hypervisor
thread or other VM thread) on either logical processor of a processor
core.
Concurrent-context attack vector: a malicious VM can potentially
infer recently accessed L1 data of a concurrently executing context
(hypervisor thread or other VM thread) on the other logical processor
of the Hyper-Threading-enabled processor core.
Mitigation Summary
The Sequential-context attack vector is mitigated by a vSphere
update to the product versions listed in table below. This mitigation
is dependent on Intel microcode updates (provided in separate ESXi
patches for most Intel hardware platforms) also listed in the table
below. This mitigation is enabled by default and does not impose a
significant performance impact.
The Concurrent-context attack vector is mitigated through
enablement of a new feature known as the ESXi Side-Channel-Aware
Scheduler. This feature may impose a non-trivial performance impact
and is not enabled by default.
Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/ Mitigation/
Product Version on Severity Apply Patch Workaround
======= ======= ======= ========= ===================== ==========
VC 6.7 Any Important 6.7.0d None
VC 6.5 Any Important 6.5u2c None
VC 6.0 Any Important 6.0u3h None
VC 5.5 Any Important 5.5u3j None
ESXi 6.7 Any Important ESXi670-201808401-BG* None
ESXi670-201808402-BG** None
ESXi670-201808403-BG* None
ESXi 6.5 Any Important ESXi650-201808401-BG* None
ESXi650-201808402-BG** None
ESXi650-201808403-BG* None
ESXi 6.0 Any Important ESXi600-201808401-BG* None
ESXi600-201808402-BG** None
ESXi600-201808403-BG* None
ESXi 5.5 Any Important ESXi550-201808401-BG* None
ESXi550-201808402-BG** None
ESXi550-201808403-BG* None
WS 14.x Any Important 14.1.3* None
Fusion 10.x Any Important 10.1.3* None
*These patches DO NOT mitigate the Concurrent-context attack vector
previously described by default. For details on the three-phase
vSphere mitigation process please see KB55806 and for the mitigation
process for Workstation and Fusion please see KB57138.
**These patches include microcode updates required for mitigation of
the Sequential-context attack vector. This microcode may also be
obtained from your hardware OEM in the form of a BIOS or firmware
update. Details on microcode that has been provided by Intel
and packaged by VMware is enumerated in the patch KBs found in the
Solution section of this document.
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
vCenter 6.7.0d
Downloads:
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_7
Documentation:
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-670d-release-notes.html
vCenter 6.5u2c
Downloads:
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_5
Documentation:
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u2c-release-notes.html
vCenter 6.0u3h
Downloads:
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_0
Documentation:
https://docs.vmware.com/en/VMware-vSphere/6.0/rn/vsphere-vcenter-server-60u3h-release-notes.html
vCenter 5.5u3j
Downloads:
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_5
Documentation:
https://docs.vmware.com/en/VMware-vSphere/5.5/rn/vsphere-vcenter-server-55u3j-release-notes.html
ESXi 6.7
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
ESXi670-201808401-BG (esx-base): https://kb.vmware.com/kb/56537
ESXi670-201808402-BG (microcode): https://kb.vmware.com/kb/56538
ESXi670-201808403-BG (esx-ui):(https://kb.vmware.com/kb/56897
ESXi 6.5
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
ESXi650-201808401-BG (esx-base): https://kb.vmware.com/kb/56547
ESXi650-201808402-BG (microcode): https://kb.vmware.com/kb/56563
ESXi650-201808403-BG (esx-ui): https://kb.vmware.com/kb/56896
ESXi 6.0
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
ESXi600-201808401-BG (esx-base): https://kb.vmware.com/kb/56552
ESXi600-201808402-BG (microcode): https://kb.vmware.com/kb/56553
ESXi600-201808403-BG (esx-ui): https://kb.vmware.com/kb/56895
ESXi 5.5
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
ESXi550-201808401-BG (esx-base): https://kb.vmware.com/kb/56557
ESXi550-201808402-BG (microcode): https://kb.vmware.com/kb/56558
ESXi550-201808403-BG (esx-ui): https://kb.vmware.com/kb/56894
VMware Workstation Pro 14.1.3
Downloads: https://www.vmware.com/go/downloadworkstation
Documentation: https://docs.vmware.com/en/VMware-Workstation-Pro/index.html
VMware Workstation Player 14.1.3
Downloads: https://www.vmware.com/go/downloadplayer
Documentation: https://docs.vmware.com/en/VMware-Workstation-Player/index.html
VMware Fusion Pro / Fusion 10.1.3
Downloads: https://www.vmware.com/go/downloadfusion
Documentation: https://docs.vmware.com/en/VMware-Fusion/index.html
5. References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646
https://kb.vmware.com/kb/55636
https://kb.vmware.com/kb/55806
https://kb.vmware.com/kb/57138
- ------------------------------------------------------------------------
6. Change log
2018-08-14: Initial security advisory in conjunction with vSphere,
Workstation, and Fusion updates and patches released on 2018-08-14.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org
E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Twitter
https://twitter.com/VMwareSRC
Copyright 2018 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
iF0EARECAB0WIQSmJMaUX5+xuU/DnNwMRybxVuL2QwUCW3JEgAAKCRAMRybxVuL2
Q0e5AKCD3Yq7ZCoqxAVh4dgQTsZCx1v1vwCg4nQWrBZ5QoPw/TjCxa4XkCb+aGg=
=sHDu
-----END PGP SIGNATURE-----