Update: The Sequential-context attack vector Hypervisor-Specific Mitigations described in VMSA-2018-0020, are cumulative and will also mitigate the issues described in VMSA-2018-0002.
The purpose of this article is to describe the security issues related to speculative execution in modern-day processors as they apply
to VMware and then highlight VMware’s response.
For VMware, the mitigations fall into 3 different categories:
- Hypervisor-Specific Mitigation
- Hypervisor-Assisted Guest Mitigation
- Operating System-Specific Mitigations
Additionally, VMware is mitigating these issues in its services.
This Knowledge Base article will be updated as new information becomes available.Introduction
On January 3, 2018, it became public
that CPU data cache timing can be abused by software to efficiently leak information out of mis-speculated CPU execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts. Three variants have been recently discovered by Google Project Zero and other security researchers; these can affect many modern processors, including certain processors by Intel, AMD and ARM:
- Variant 1: bounds check bypass (CVE-2017-5753 and CVE-2018-3693) – a.k.a. Spectre
- Variant 2: branch target injection (CVE-2017-5715) – a.k.a. Spectre
- Variant 3: rogue data cache load (CVE-2017-5754) – a.k.a. Meltdown
Operating systems (OS), virtual machines, virtual appliances, hypervisors, server firmware, and CPU microcode must all be patched or upgraded for effective mitigation of these known variants. General purpose operating systems are adding several mitigations for them. Most operating system mitigations can be applied to unpatched CPUs (and hypervisors) and will significantly reduce the attack surface. However, some operating system mitigations will be more effective when a new speculative-execution control mechanism is provided by updated CPU microcode (and virtualized to VMs by hypervisors). There can be a performance impact when an operating system applies the above mitigations; consult the specific OS vendor for more details.Hypervisor-Specific Mitigation
Mitigates leakage from the hypervisor or guest VMs into a malicious guest VM. VMware’s hypervisor products are affected by the known examples of variant 1 and variant 2 vulnerabilities and do require the associated mitigations. Known examples of variant 3 do not affect VMware hypervisor products.Update
: On July 10th, 2018 Intel updated security advisory INTEL-OSS-10002
with CVE-2018-3693 a.k.a. Bounds Check Bypass Store. This issue is similar to Spectre variant 1 previously mentioned. At the time of this publication VMware has not found any exploitable instances of this vulnerability in our hypervisors. VMware will remain vigilant in updating our mitigations as new speculative-execution vulnerabilities are uncovered.
VMware hypervisors do not require the new speculative-execution control mechanism to achieve this class of mitigation and therefore these types of updates can be installed on any currently supported processor. For the latest information on any VMware performance impact, see KB 52337
.Hypervisor-Assisted Guest Mitigation
It virtualizes the new speculative-execution control mechanism for guest VMs so that a Guest OS can mitigate leakage between processes within the VM. This mitigation requires that specific microcode updates that provide the mechanism are already applied to a system’s processor(s) either by ESXi or by a firmware/BIOS update from the system vendor. The ESXi patches for this mitigation will include all available microcode updates at the time of release and the appropriate one will be applied automatically if the system firmware has not already done so.
No significant additional overhead is expected by virtualizing the speculative-execution control mechanism in the hypervisor. There can be a performance impact when an operating system applies this mitigation; consult the specific OS vendor for more details.Operating System-Specific Mitigations
Mitigations for Operating Systems(OSes) are provided by your OS Vendors. In the case of virtual appliances, your virtual appliance vendor will need to integrate these into their appliances and provide an updated appliance.VMware Software-as-a-Service (SaaS) Status Updates
VMware is in the process of investigating and patching its services. The current status is found in the Resolution section.Performance impact considerations
For the latest information on how mitigations for the aforementioned issues may affect performance, see KB 52337