VMware response to ‘L1 Terminal Fault - VMM’ (L1TF - VMM) Speculative-Execution vulnerability in Intel processors for VMware Workstation and Fusion: CVE-2018-3646

Article ID: 317620

Products

VMware vCenter Server

Issue/Introduction

This article documents the Hypervisor-Specific Mitigations required to mitigate CVE-2018-3646 (L1 Terminal Fault - VMM) on VMware Workstation and Fusion products. For the same mitigations on VMware vSphere, see KB55806.

The Update History section of this article will be revised when there is a significant change. Click Subscribe to Article in the Actions box to be alerted when new information is added to this document and sign up at our Security-Announce mailing list to receive new and updated VMware Security Advisories.

CVE-2018-3646 is explained in detail in KB55806, which introduces the Sequential and Concurrent attack vectors for this CVE.

Resolution

Mitigation of the Sequential-attack-vector
Mitigation of the Sequential-attack-vector is done by deploying VMware Workstation Pro and Player 14.1.3 or greater, and VMware Fusion or Fusion Pro 10.1.3 or greater, as listed in VMSA-2018-0020. This mitigation is enabled by default and poses a minimal performance impact (refer to KB55767 for performance data).

Mitigation of the Concurrent-attack-vector
Mitigation of the Concurrent-attack-vector requires disabling Hyper-Threading Technology (HT) CPU features.

Disabling Hyper-Threading may have a measurable performance impact on your applications. For this reason, before disabling HT, review your host capacity to confirm whether the host will still have sufficient resources (i.e. host CPU cores) to run the desired VMs after HT is disabled.

Disabling Hyper-Threading on systems running VMware Workstation
Disabling Hyper-Threading on a Windows or Linux host running VMware Workstation requires configuration changes at the system BIOS/EFI level. Refer to your motherboard / system hardware manufacturer’s guidance on how to disable this option from your BIOS/EFI firmware utility.
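As an added capacity-and-verification check (not part of this VMware article or the smtctl utility), the following POSIX shell script reads the kernel's CPU topology on a Linux Workstation host and reports logical CPUs versus physical cores: the difference is the capacity lost once HT is disabled in firmware, and "on" means the Concurrent attack vector is still unmitigated. It assumes the mainline Linux sysfs layout under /sys/devices/system/cpu.

```shell
#!/bin/sh
# Added example, not from the VMware KB: summarize logical CPUs versus physical
# cores from sysfs. logical > cores means Hyper-Threading is still active.

# Read one thread_siblings_list value per line on stdin (the kernel reports the
# same list, e.g. "0,4", for both siblings of a core, so distinct lines = cores).
# Prints "<logical> <cores> on|off".
ht_summary() {
    awk '
        { logical++; if (!($0 in seen)) { seen[$0] = 1; cores++ } }
        END { printf "%d %d %s\n", logical, cores, (logical > cores ? "on" : "off") }
    '
}

# Same summary for the running host; sysfs path assumed as in mainline Linux.
host_ht_summary() {
    cat /sys/devices/system/cpu/cpu[0-9]*/topology/thread_siblings_list | ht_summary
}

# Constructed sample: a 4-core / 8-thread host with HT enabled.
SAMPLE_HT_ON='0,4
1,5
2,6
3,7
0,4
1,5
2,6
3,7'

printf '%s\n' "$SAMPLE_HT_ON" | ht_summary      # prints: 8 4 on

# Only query the live host when the sysfs topology tree exists (Linux).
if [ -d /sys/devices/system/cpu/cpu0/topology ]; then
    host_ht_summary
fi
```

Run it before disabling HT to size the host (cores, not logical CPUs, are what remain), and again afterwards to confirm the summary reports "off".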

Disabling Hyper-Threading on Macs running VMware Fusion
For macOS Hosts running VMware Fusion, VMware has developed and provided a utility to disable Hyper-Threading. This utility, which includes usage instructions, has been attached to this Knowledge Base article. This utility is for macOS only and does not run on Windows or Linux systems.

MD5 checksum of the downloadable archive: 2d65192600b90ebbf5e01b8e0bf5832d
SHA1 checksum of the downloadable archive: f7e69d70de079e98c670303678f6ac0c9f1227ae

Note: If you choose not to disable HT, the Concurrent attack vector will not be mitigated.
Some systems do not allow HT to be disabled. If HT cannot be disabled in the BIOS or in the hosted OS of the processor platform, the Concurrent attack vector cannot be mitigated, and a malicious VM may be able to infer secrets of another VM or of the host OS using CVE-2018-3646. This case cannot be mitigated by a hypervisor running in a hosted OS environment, regardless of patch level. The only solution that ensures complete mitigation in this case is to run sensitive VMs on other processor platforms where HT is disabled. Customers who choose to continue running VMs on processor platforms where HT cannot be disabled should be aware that CVE-2018-3646 is not completely mitigated.

Users should therefore analyze their performance and security requirements, and the trust level of the virtual machines running on their hosts, to determine the appropriate mitigation response to CVE-2018-3646.

Additional Information

Read more about L1 Terminal Fault (L1TF) here

Attachments

smtctl-1.0.1-c5.tar.gz