VMware Response to Speculative Execution security issues, CVE-2018-3639 and CVE-2018-3640
Article ID: 318668
Updated On:
Products
VMware vSphere ESXi
Issue/Introduction
The purpose of this article is to respond to the security issues related to speculative execution described by CVE-2018-3639 (Speculative Store Bypass) and CVE-2018-3640 (Rogue System Register Read) in modern-day processors as they apply to VMware. Because there will be multiple documents necessary to respond to these issues, consider this document as the centralized source of truth for these issues.
The Update History section of this document will be revised when there is a significant change to any of the related documentation. Click Subscribe to Article in the Actions box to be alerted when new information is added to this document and sign up at our Security-Announce mailing list to receive new and updated VMware Security Advisories.
Mitigation of CVE-2018-3639 and CVE-2018-3640
Mitigation of CVE-2018-3639 (Speculative Store Bypass) requires both Hypervisor-Assisted Guest Mitigations and Operating System-Specific Mitigations.
Mitigation of CVE-2018-3640 (Rogue System Register Read) requires Microcode Mitigations.
Note:
Based on current evaluations, we do not believe that CVE-2018-3639 or CVE-2018-3640 could allow for VM to VM or Hypervisor to VM Information disclosure. Thus, Hypervisor-Specific Mitigations are not required.
The Update History section of this document will be revised when there is a significant change to any of the related documentation. Click Subscribe to Article in the Actions box to be alerted when new information is added to this document and sign up at our Security-Announce mailing list to receive new and updated VMware Security Advisories.
Background
To assist in understanding Speculative Execution vulnerabilities, VMware previously defined the following categories in KB52245 - review this knowledge base article for an explanation of these categories:- Hypervisor-Specific Mitigation
- Hypervisor-Assisted Guest Mitigation
- Operating System-Specific Mitigations
- Microcode Mitigations
Mitigation of CVE-2018-3639 and CVE-2018-3640
Mitigation of CVE-2018-3639 (Speculative Store Bypass) requires both Hypervisor-Assisted Guest Mitigations and Operating System-Specific Mitigations.
Mitigation of CVE-2018-3640 (Rogue System Register Read) requires Microcode Mitigations.
Note:
Based on current evaluations, we do not believe that CVE-2018-3639 or CVE-2018-3640 could allow for VM to VM or Hypervisor to VM Information disclosure. Thus, Hypervisor-Specific Mitigations are not required.
Environment
VMware vSphere ESXi 6.0
VMware vSphere ESXi 5.5
VMware vSphere ESXi 6.5
VMware vSphere ESXi 5.5
VMware vSphere ESXi 6.5
Resolution
CVE-2018-3639 (Speculative Store Bypass)
Hypervisor-Assisted Guest Mitigations
VMware updates that enable Hypervisor-Assisted Guest Mitigations for CVE-2018-3639 are documented in VMware Security Advisory VMSA-2018-0012.1. The required Intel microcode updates are documented in VMware Knowledge Base articles listed in the same advisory. The combination of updates and Intel microcode will expose the Speculative-Store-Bypass-Disable (SSBD) control bit to guest operating systems. Detailed instructions on enabling Hypervisor-Assisted Guest Mitigations for CVE-2018-3639 are found in VMware Knowledge base artcile KB55111.
Operating System-Specific Mitigations
VMware has investigated the impact that CVE-2018-3639 may have on VMware Virtual Appliances, and while investigations are ongoing we have not found any evidence that VMware Virtual Appliances are affected by this issue.
VMware recommends contacting your operating system vendor to determine whether or not SSBD is recommended. At the time of this article’s publication, multiple OS vendors have decided that SSBD will be disabled by default in their OSes as they have classified the overall risk of CVE-2018-3639 as low to moderate and the performance impact imposed will be non-trivial.
For supplemental information please see the following 3rd party OS documentation:
Redhat: Kernel Side-Channel Attack using Speculative Store Bypass - CVE-2018-3639
Microsoft: ADV180012 | Microsoft Guidance for Speculative Store Bypass
CVE-2018-3640 (Rogue System Register Read)
Microcode Mitigations
CVE-2018-3640 is resolved by a microcode update and no code changes are required for any VMware products to mitigate CVE-2018-3640. ESXi patches documented in VMware Security Advisory VMSA-2018-0012.1 may include these microcode updates. Refer to the VMware Knowledge Base articles listed in this advisory for a list of included microcodes. Alternatively, you should also be able to obtain the microcode update for your CPU as part of a firmware/BIOS update from your hardware system vendor.
Note: If newer microcode is already present on your system because of a firmware/BIOS update, ESXi will not replace it with older microcode shipped as part of an ESXi patch/update.
For more information, please see Intel’s Security Center Advisory: INTEL-SA-00115
For the latest information on how mitigations for the aforementioned issues may affect performance, see KB55210.
Hypervisor-Assisted Guest Mitigations
VMware updates that enable Hypervisor-Assisted Guest Mitigations for CVE-2018-3639 are documented in VMware Security Advisory VMSA-2018-0012.1. The required Intel microcode updates are documented in VMware Knowledge Base articles listed in the same advisory. The combination of updates and Intel microcode will expose the Speculative-Store-Bypass-Disable (SSBD) control bit to guest operating systems. Detailed instructions on enabling Hypervisor-Assisted Guest Mitigations for CVE-2018-3639 are found in VMware Knowledge base artcile KB55111.
Operating System-Specific Mitigations
VMware has investigated the impact that CVE-2018-3639 may have on VMware Virtual Appliances, and while investigations are ongoing we have not found any evidence that VMware Virtual Appliances are affected by this issue.
VMware recommends contacting your operating system vendor to determine whether or not SSBD is recommended. At the time of this article’s publication, multiple OS vendors have decided that SSBD will be disabled by default in their OSes as they have classified the overall risk of CVE-2018-3639 as low to moderate and the performance impact imposed will be non-trivial.
For supplemental information please see the following 3rd party OS documentation:
Redhat: Kernel Side-Channel Attack using Speculative Store Bypass - CVE-2018-3639
Microsoft: ADV180012 | Microsoft Guidance for Speculative Store Bypass
CVE-2018-3640 (Rogue System Register Read)
Microcode Mitigations
CVE-2018-3640 is resolved by a microcode update and no code changes are required for any VMware products to mitigate CVE-2018-3640. ESXi patches documented in VMware Security Advisory VMSA-2018-0012.1 may include these microcode updates. Refer to the VMware Knowledge Base articles listed in this advisory for a list of included microcodes. Alternatively, you should also be able to obtain the microcode update for your CPU as part of a firmware/BIOS update from your hardware system vendor.
Note: If newer microcode is already present on your system because of a firmware/BIOS update, ESXi will not replace it with older microcode shipped as part of an ESXi patch/update.
For more information, please see Intel’s Security Center Advisory: INTEL-SA-00115
For the latest information on how mitigations for the aforementioned issues may affect performance, see KB55210.
Additional Information
https://newsroom.intel.com/articles/addressing-questions-regarding-additional-security-issues/.
Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.
Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.
Feedback
Yes
No
Powered by
