Enabling Hypervisor-Specific Mitigations for Machine Check Error on Page Size Change (MCEPSC) Speculative-Execution vulnerability (CVE-2018-12207)

Article ID: 318828

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

Speculative-Execution vulnerabilities have been disclosed which affect Intel processors. The Hypervisor-Specific Mitigations for one of these vulnerabilities, identified by CVE-2018-12207, are not enabled by default. This article documents the instructions for enabling this mitigation on ESXi. For information on the security implications of CVE-2018-12207, see VMSA-2019-0020.

Environment

VMware vSphere ESXi 6.0
VMware vSphere ESXi 6.5
VMware vSphere ESXi 7.0.x
VMware vSphere ESXi 6.7

Cause

This issue occurs due to the Machine Check Error on Page Size Change (MCEPSC) Speculative-Execution vulnerability identified by CVE-2018-12207.

Resolution

Important: Performance impact data found in KB76050 should be reviewed prior to enabling this mitigation.

Mitigations can be applied at either the host or guest level.


To enable Hypervisor-Specific Mitigations for CVE-2018-12207 at the host level, perform the following steps:
  1. Update the ESXi host with the patches detailed in section 3a of VMSA-2019-0020.
  2. Connect to the host with an SSH session.
  3. Edit the /etc/vmware/config file.
  4. Add this line:
     monitor.if_pschange_mc_workaround = "TRUE"
  5. Perform one of these options to apply the changes:
     • Power Off and then Power On the virtual machines (Restart is insufficient)
     • Suspend and resume the virtual machines
     • vMotion the VM to a different patched host
     • vMotion the VM to a different unpatched host and then back to a patched host
  6. Verify that the vmware.log file shows that disable_mmu_largepages has been applied. You will see an entry similar to:
     YYYY-MM-DDTHH:MM:SS.349Z| vmx| I125: DICT monitor.if_pschange_mc_workaround = "TRUE"

Note: The change to /etc/vmware/config should normally persist across reboot. However, if you are using host profiles, you should recapture the host profile after editing /etc/vmware/config to ensure that the host profile does not remove it.

To enable Hypervisor-Specific Mitigations for CVE-2018-12207 at the guest level, perform the following steps:
  1. Update ESXi with the appropriate patches detailed in section 3a of VMSA-2019-0020.
  2. Navigate to where the VM is stored and edit the VM_name.vmx.
  3. Add this line:
     monitor.if_pschange_mc_workaround = "TRUE"
  4. Perform one of these options to apply the changes:
     • Power Off and then Power On the virtual machine (Restart is insufficient)
     • Suspend and resume the virtual machine
     • vMotion the VM to a different patched host
     • vMotion the VM to a different unpatched host and then back to a patched host
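
The host-level and guest-level procedures above add the same line to different files, so one script can serve both. The following is an added example, not VMware tooling and not part of the original article: the function names are hypothetical, and the file to edit (/etc/vmware/config or a VM's .vmx) and the vmware.log to check are passed as arguments.

```shell
#!/bin/sh
# Added example (not VMware tooling). Function names are hypothetical.
# Usage: sh set_workaround.sh CONFIG_OR_VMX [VMWARE_LOG]

KEY='monitor.if_pschange_mc_workaround'

# ensure_workaround FILE
# Leaves exactly one line setting KEY to "TRUE" in FILE (/etc/vmware/config or
# a VM's .vmx): stale or duplicate assignments are dropped, then the line is
# appended. A copy of the original is kept as FILE.bak.
ensure_workaround() {
    cfg=$1
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 2; }
    cp -p "$cfg" "$cfg.bak" || return 1
    tmp="$cfg.tmp.$$"
    # awk reprints every other line with a trailing newline, so the appended
    # line cannot be glued onto an unterminated last line.
    awk '!/^[ \t]*monitor\.if_pschange_mc_workaround[ \t]*=/' "$cfg" > "$tmp" ||
        { rm -f "$tmp"; return 1; }
    printf '%s = "TRUE"\n' "$KEY" >> "$tmp"
    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# workaround_logged LOGFILE
# Succeeds if LOGFILE (a VM's vmware.log) contains the DICT entry that the
# article says to look for, with the option set to "TRUE".
workaround_logged() {
    grep -Eq 'DICT[[:space:]]+monitor\.if_pschange_mc_workaround[[:space:]]*=[[:space:]]*"TRUE"' "$1"
}

if [ "$#" -ge 1 ]; then
    ensure_workaround "$1" || exit 1
    echo "set in $1; power-cycle, suspend/resume or vMotion the VM to apply"
    if [ "$#" -ge 2 ]; then
        if workaround_logged "$2"; then echo "logged in $2"
        else echo "not yet logged in $2" >&2; exit 3; fi
    fi
fi
```

Running it a second time leaves the file unchanged apart from refreshing FILE.bak, so it is safe to reapply after a host profile has been recaptured.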