Author Archives: Edward Hawkins

VMware Response to CVE-2018-1002105

Greetings from the VMware Security Response Center!

Yesterday Kubernetes disclosed CVE-2018-1002105 – a critical severity vulnerability in the Kubernetes API server. For more details on the vulnerability please see Kubernetes’ announcement here:

https://discuss.kubernetes.io/t/kubernetes-security-announcement-v1-10-11-v1-11-5-v1-12-3-released-to-address-cve-2018-1002105/3700

This vulnerability affects the following VMware products:

-VMware Pivotal Container Service (PKS)
-VMware vCloud Director Container Service Extension (CSE)
-Photon OS

There will be no VMware Security Advisory since remediation for these products has already been documented in a separate advisory or the offering’s github page.

Remediation Information:

PKS – Fixed in 1.2.3
Documentation: https://docs.pivotal.io/runtimes/pks/1-2/release-notes.html
Advisory: https://pivotal.io/security/cve-2018-1002105

CSE – Fixed in 1.2.5
Documentation: https://vmware.github.io/container-service-extension/RELEASE_NOTES.html

Photon OS – Fixed in 1.10.11-1 and 1.11.5-1
Advisory: https://github.com/vmware/photon/wiki/Security-Updates-2-112

For our service offerings that use Kubernetes, mitigations are already in place which have closed down the critical severity attack vector associated with CVE-2018-1002105 while full remediation is in progress.

VMware Security Advisory: VMSA-2018-0024

Today VMware has released the following new and updated security advisories:

VMSA-2018-0024 – https://www.vmware.com/security/advisories/VMSA-2018-0024.html

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMware Security Advisory VMSA-2018-0020 and VMSA-2018-0021 – L1 Terminal Fault (L1TF): CVE-2018-3646, CVE-2018-3620, and CVE-2018-3615

Greetings from the VMware Security Response Center!

Today we have published security advisories, knowledge base articles, updates, patches, and tools in response to new Speculative-Execution vulnerabilities in Intel processors known collectively as ‘L1 Terminal Fault’ or ‘L1TF.’

These vulnerabilities are identified by CVE-2018-3646, CVE-2018-3620, and CVE-2018-3615.

There is a lot of documentation on this event, so I wanted to summarize the core points in a short message.

The important stuff:

KB article 55636 should be considered the centralized source of truth for this event. Make sure you click ‘Subscribe to Article’ in the Actions box of this article to be alerted when any publication on L1TF is updated. That article links off to detailed responses for the individual issues.

CVE-2018-3646 is the most severe of the L1TF issues and affects hypervisors using Intel processors. It has 2 known attack vectors which both need to be mitigated. The first attack vector is mitigated through a vSphere update process including vCenter and ESXi. The second attack vector is mitigated by enabling a new advanced configuration option hyperthreadingMitigation included in the updates. This advanced configuration option may have a performance impact so we have not enabled it by default. This will limit your operational risk by giving you time to analyze your environment’s capacity prior to enabling the mitigation.

CVE-2018-3620 is a local privilege escalation which requires base operating system (SLES/Photon) updates for mitigation. Patches are pending for affected appliances, but most have workarounds documented. Make sure you contact your 3rd party operating system vendor(s) for mitigation instructions as well.

CVE-2018-3615 does not affect VMware products.

Customers should review the security advisories and direct any questions to VMware Support.

VMware Security Advisory: VMSA-2018-0018

Today VMware has released the following new and updated security advisories:

VMSA-2018-0018

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMSA-2018-0015

Today VMware has released the following new and updated security advisories:

VMSA-2018-0015 – https://www.vmware.com/security/advisories/VMSA-2018-0015.html

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMSA-2018-0012

Greetings from the VMware Security Response Center!

Today we released VMSA-2018-0012 which documents Hypervisor-Assisted Guest Mitigations for CVE-2018-3639 (Speculative Store Bypass). In addition CVE-2018-3640 (Rogue System Register Read) was also disclosed today.

We thought a few points and a documentation summary would be in order to help sum up what this issue means for VMware products:

CVE-2018-3639

The issue requires Hypervisor-Assisted Guest Mitigations for vSphere to pass the new Speculative-Store-Bypass-Disable (SSBD) control bit to guest operating systems, it has been classified as Moderate severity. ESXi and vCenter updates will be required.
Microcode containing the SSBD control bits are not yet available from 3rd parties so vSphere patches are on hold for now.
Workstation/Fusion patches shipped today will support SSBD when microcode patches are available.
This issue affects applications and/or execution runtimes which rely on managed code security mechanisms. Applications which consume untrusted data and rely on these mechanisms are at risk.
Operating System-Specific Mitigations are required as well, but we have not found any VMware appliances which would be affected by this issue. Regardless, we will be updating applicable open-source software in upcoming maintenance releases as a precautionary measure.

CVE-2018-3640

This issue led to a 4th speculative execution category which we have called Microcode Mitigations.
This issue is resolved by a microcode update and does not require any code changes for VMware products. Please contact your hardware vendor for information on mitigations for this vulnerability.

Based on current evaluations, we do not believe that CVE-2018-3639 or CVE-2018-3640 could allow for VM to VM or Hypervisor to VM Information disclosure. Thus, Hypervisor-Specific Mitigations are not required.

Documentation Summary:

Advisory: VMSA-2018-0012
Source of Truth KB: KB54951
Patching/Upgrade Guide: KB55111
Performance Info: KB55210

Customers should review the available documentation and direct questions to VMware Support.

NVIDIA GPU Display Driver Security Updates for Multiple Vulnerabilities

Greetings from the VMware Response Center!

Today we wanted to make you aware that NVIDIA has released a security bulletin entitled NVIDIA GPU Display Driver Security Updates for Multiple Vulnerabilities which details some NVIDIA GPU Display Driver Vulnerabilities and remediation.

CVE-2018-6251 and CVE-2018-6253 have been shown to affect VMware Workstation, but they are not something that we can fully resolve from our end. Therefore, we wanted to make sure you were informed of these issues so that they can be appropriately resolved. In addition, enterprise customers should check the NVIDIA Enterprise Dashboard for additional information.

Customers should review the available documentation and direct technical inquiries to VMware Support for further assistance.

VMSA-2018-0004.3

Greetings from the VMware Security Response Center!

It’s time.

Today we released VMSA-2018-0004.3 which documents Hypervisor-Assisted Guest Mitigations for CVE-2017-5715 (Spectre-2).

We thought it would be a good idea to quickly link all of the documentation which has undergone a major change. For newcomers, please familiarize yourself by reading through KB52245 first to get a strong understanding of the various categories of mitigations that VMware has provided.

Major Updates:

Updated Advisory: VMSA-2018-0004.3
Top-level KB: 52245
Patching/Upgrade Guide: 52085
Performance Info: 52337
Intel microcode sightings: 52345

Customers should review the available documentation and direct questions to VMware Support.

VMware Security Advisory VMSA-2018-0007

Today VMware has released the following new and updated security advisories:

VMSA-2018-0007

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMware Security Advisory VMSA-2018-0006

Today VMware has released the following new and updated security advisories:

VMSA-2018-0006 – vRealize Automation, vSphere Integrated Containers, and AirWatch Console updates address multiple security vulnerabilities

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.