VMware Response to Speculative Execution security issues, CVE-2018-3639 and CVE-2018-3640 (54951)
Created by: André M. Faria
Modified on: Wed, 22 Apr, 2020 at 5:00 PM
The purpose of this article is to respond to the security issues related to speculative execution described by CVE-2018-3639 (Speculative Store Bypass) and CVE-2018-3640 (Rogue System Register Read) in modern-day processors as they apply to VMware. Because there will be multiple documents necessary to respond to these issues, consider this document as the centralized source of truth for these issues.
The Update History section of this document will be revised when there is a significant change to any of the related documentation. Click Subscribe to Article in the Actions box to be alerted when new information is added to this document and sign up at our Security-Announce mailing list to receive new and updated VMware Security Advisories.
To assist in understanding Speculative Execution vulnerabilities, VMware previously defined the following categories in KB52245 (review this knowledge base article for an explanation of these categories):
- Hypervisor-Specific Mitigation
- Hypervisor-Assisted Guest Mitigation
- Operating System-Specific Mitigations
With the disclosure of CVE-2018-3640 a 4th category has been defined:
- Microcode Mitigations are applied to a system’s processor(s) by a microcode update from the hardware vendor. These mitigations may not require hypervisor or guest operating system updates to be effective. Nonetheless, ESXi plans to include microcode updates that contain such mitigations when they become available, as a convenience to our customers.
Mitigation of CVE-2018-3639 and CVE-2018-3640
Mitigation of CVE-2018-3639 (Speculative Store Bypass) requires both Hypervisor-Assisted Guest Mitigations and Operating System-Specific Mitigations.
Mitigation of CVE-2018-3640 (Rogue System Register Read) requires Microcode Mitigations.
Based on current evaluations, we do not believe that CVE-2018-3639 could allow for VM to VM or Hypervisor to VM Information disclosure. Thus, Hypervisor-Specific Mitigations are not required.
CVE-2018-3639 (Speculative Store Bypass)
Hypervisor-Assisted Guest Mitigations
VMware updates that enable Hypervisor-Assisted Guest Mitigations are documented in VMware Security Advisory VMSA-2018-0012.1. The required Intel microcode updates are documented in VMware Knowledge Base articles listed in the same advisory. The combination of updates and Intel microcode will expose the Speculative-Store-Bypass-Disable (SSBD) control bit to guest operating systems. Detailed instructions on enabling Hypervisor-Assisted Guest Mitigations are found in VMware Knowledge Base article KB55111.
Operating System-Specific Mitigations
VMware has investigated the impact that CVE-2018-3639 may have on VMware Virtual Appliances, and while investigations are ongoing we have not found any evidence that VMware Virtual Appliances are affected by this issue.
VMware recommends contacting your operating system vendor to determine whether or not SSBD is recommended. At the time of this article’s publication, multiple OS vendors have decided that SSBD will be disabled by default in their OSes as they have classified the overall risk of CVE-2018-3639 as low to moderate and the performance impact imposed will be non-trivial.
For supplemental information please see the following 3rd party OS documentation:
- Red Hat: Kernel Side-Channel Attack using Speculative Store Bypass - CVE-2018-3639
- Microsoft: ADV180012 | Microsoft Guidance for Speculative Store Bypass
CVE-2018-3640 (Rogue System Register Read)
Microcode Mitigations
CVE-2018-3640 is resolved by a microcode update and no code changes are required for any VMware products to mitigate CVE-2018-3640. ESXi patches documented in VMware Security Advisory VMSA-2018-0012.1 may include these microcode updates. Refer to the VMware Knowledge Base articles listed in this advisory for a list of included microcodes. Alternatively, you should also be able to obtain the microcode update for your CPU as part of a firmware/BIOS update from your hardware system vendor.
Note: If newer microcode is already present on your system because of a firmware/BIOS update, ESXi will not replace it with older microcode shipped as part of an ESXi patch/update.
For more information, please see Intel’s Security Center Advisory: INTEL-SA-00115
For the latest information on how mitigations for the aforementioned issues may affect performance, see KB55210
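One way to check, from inside a Linux guest, which of the two layers required for CVE-2018-3639 is in place: whether the ssbd CPU flag is visible to the guest (the hypervisor-assisted part) and what the kernel reports for Speculative Store Bypass (the OS-specific part), along with the loaded microcode revision. This is an added example, not part of the VMware article; it assumes an Intel CPU and a Linux kernel that provides /sys/devices/system/cpu/vulnerabilities/spec_store_bypass, and the sample inputs and finding labels are constructed for illustration.

```python
from pathlib import Path

# Constructed sample inputs for a Linux guest (not captured from a real system).
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "microcode\t: 0x1234\n"
    "flags\t\t: fpu vme de pse msr pae ssbd ibrs ibpb stibp\n"
)
SAMPLE_STATUS = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp\n"

def parse_cpuinfo(text):
    """Return (flag set, microcode revision) for the first CPU listed."""
    flags, microcode = set(), None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "flags" and not flags:
            flags = set(value.split())
        elif key == "microcode" and microcode is None:
            microcode = value.strip()
    return flags, microcode

def assess_ssb(cpuinfo_text, status_text):
    """Classify which mitigation layer for CVE-2018-3639 is missing, if any."""
    flags, microcode = parse_cpuinfo(cpuinfo_text)
    status = (status_text or "").strip()
    exposed = "ssbd" in flags
    if status.startswith("Not affected"):
        finding = "cpu-not-affected"
    elif not status:
        finding = "kernel-does-not-report"        # kernel has no SSB sysfs entry
    elif status.startswith("Mitigation") and "prctl" in status:
        finding = "ssbd-per-process-opt-in"       # off unless a task requests it
    elif status.startswith("Mitigation"):
        finding = "ssbd-enabled-globally"
    elif not exposed:
        finding = "ssbd-not-exposed-to-guest"     # hypervisor-assisted layer missing
    else:
        finding = "ssbd-exposed-but-os-disabled"  # kernel status reads "Vulnerable"
    return {"ssbd_exposed": exposed, "microcode": microcode,
            "kernel_status": status or None, "finding": finding}

def read_text(path):
    """Read a file if it exists; return an empty string otherwise."""
    p = Path(path)
    return p.read_text() if p.exists() else ""

if __name__ == "__main__":
    # Live check on the guest this script runs in.
    print(assess_ssb(read_text("/proc/cpuinfo"),
          read_text("/sys/devices/system/cpu/vulnerabilities/spec_store_bypass")))
```

A finding of ssbd-not-exposed-to-guest points back to the ESXi and microcode updates in VMSA-2018-0012.1 and the steps in KB55111; the other findings reflect the guest OS vendor's SSBD default.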
05/03/18: Initial Publication
05/21/18: Updated KB with information on CVE-2018-3639. Published VMSA-2018-0012
06/28/16: Updated KB after the release of vCenter Server 5.5 U3i, 6.0 U3f, 6.5 U2b, 6.7.0b and ESXi 5.5 - 6.7 patches on 2018-06-28.