Author Archives: Edward Hawkins

VMware Security Advisory VMSA-2018-0020 and VMSA-2018-0021 – L1 Terminal Fault (L1TF): CVE-2018-3646, CVE-2018-3620, and CVE-2018-3615

Greetings from the VMware Security Response Center!

Today we have published security advisories, knowledge base articles, updates, patches, and tools in response to new Speculative-Execution vulnerabilities in Intel processors known collectively as ‘L1 Terminal Fault’ or ‘L1TF.’

These vulnerabilities are identified by CVE-2018-3646, CVE-2018-3620, and CVE-2018-3615.

There is a lot of documentation on this event, so I wanted to summarize the core points in a short message.

The important stuff:

KB article 55636 should be considered the centralized source of truth for this event. Make sure you click ‘Subscribe to Article’ in the Actions box of this article to be alerted when any publication on L1TF is updated. That article links off to detailed responses for the individual issues.

CVE-2018-3646 is the most severe of the L1TF issues and affects hypervisors using Intel processors. It has 2 known attack vectors which both need to be mitigated. The first attack vector is mitigated through a vSphere update process including vCenter and ESXi. The second attack vector is mitigated by enabling a new advanced configuration option hyperthreadingMitigation included in the updates. This advanced configuration option may have a performance impact so we have not enabled it by default. This will limit your operational risk by giving you time to analyze your environment’s capacity prior to enabling the mitigation.

CVE-2018-3620 is a local privilege escalation which requires base operating system (SLES/Photon) updates for mitigation. Patches are pending for affected appliances, but most have workarounds documented. Make sure you contact your 3rd party operating system vendor(s) for mitigation instructions as well.

CVE-2018-3615 does not affect VMware products.

Customers should review the security advisories and direct any questions to VMware Support.

VMware Security Advisory: VMSA-2018-0018

Today VMware has released the following new and updated security advisories:

VMSA-2018-0018

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMSA-2018-0015

Today VMware has released the following new and updated security advisories:

VMSA-2018-0015 – https://www.vmware.com/security/advisories/VMSA-2018-0015.html

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMSA-2018-0012

Greetings from the VMware Security Response Center!

Today we released VMSA-2018-0012 which documents Hypervisor-Assisted Guest Mitigations for CVE-2018-3639 (Speculative Store Bypass). In addition CVE-2018-3640 (Rogue System Register Read) was also disclosed today.

We thought a few points and a documentation summary would be in order to help sum up what this issue means for VMware products:

CVE-2018-3639

The issue requires Hypervisor-Assisted Guest Mitigations for vSphere to pass the new Speculative-Store-Bypass-Disable (SSBD) control bit to guest operating systems, it has been classified as Moderate severity. ESXi and vCenter updates will be required.
Microcode containing the SSBD control bits are not yet available from 3rd parties so vSphere patches are on hold for now.
Workstation/Fusion patches shipped today will support SSBD when microcode patches are available.
This issue affects applications and/or execution runtimes which rely on managed code security mechanisms. Applications which consume untrusted data and rely on these mechanisms are at risk.
Operating System-Specific Mitigations are required as well, but we have not found any VMware appliances which would be affected by this issue. Regardless, we will be updating applicable open-source software in upcoming maintenance releases as a precautionary measure.

CVE-2018-3640

This issue led to a 4th speculative execution category which we have called Microcode Mitigations.
This issue is resolved by a microcode update and does not require any code changes for VMware products. Please contact your hardware vendor for information on mitigations for this vulnerability.

Based on current evaluations, we do not believe that CVE-2018-3639 or CVE-2018-3640 could allow for VM to VM or Hypervisor to VM Information disclosure. Thus, Hypervisor-Specific Mitigations are not required.

Documentation Summary:

Advisory: VMSA-2018-0012
Source of Truth KB: KB54951
Patching/Upgrade Guide: KB55111
Performance Info: KB55210

Customers should review the available documentation and direct questions to VMware Support.

NVIDIA GPU Display Driver Security Updates for Multiple Vulnerabilities

Greetings from the VMware Response Center!

Today we wanted to make you aware that NVIDIA has released a security bulletin entitled NVIDIA GPU Display Driver Security Updates for Multiple Vulnerabilities which details some NVIDIA GPU Display Driver Vulnerabilities and remediation.

CVE-2018-6251 and CVE-2018-6253 have been shown to affect VMware Workstation, but they are not something that we can fully resolve from our end. Therefore, we wanted to make sure you were informed of these issues so that they can be appropriately resolved. In addition, enterprise customers should check the NVIDIA Enterprise Dashboard for additional information.

Customers should review the available documentation and direct technical inquiries to VMware Support for further assistance.

VMSA-2018-0004.3

Greetings from the VMware Security Response Center!

It’s time.

Today we released VMSA-2018-0004.3 which documents Hypervisor-Assisted Guest Mitigations for CVE-2017-5715 (Spectre-2).

We thought it would be a good idea to quickly link all of the documentation which has undergone a major change. For newcomers, please familiarize yourself by reading through KB52245 first to get a strong understanding of the various categories of mitigations that VMware has provided.

Major Updates:

Updated Advisory: VMSA-2018-0004.3
Top-level KB: 52245
Patching/Upgrade Guide: 52085
Performance Info: 52337
Intel microcode sightings: 52345

Customers should review the available documentation and direct questions to VMware Support.

VMware Security Advisory VMSA-2018-0007

Today VMware has released the following new and updated security advisories:

VMSA-2018-0007

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMware Security Advisory VMSA-2018-0006

Today VMware has released the following new and updated security advisories:

VMSA-2018-0006 – vRealize Automation, vSphere Integrated Containers, and AirWatch Console updates address multiple security vulnerabilities

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMSA-2018-0002 and VMSA-2018-0004

Update 01/10/18: VMSA-2018-0004 has been released detailing Hypervisor-Assisted Guest Mitigation fixes. An explanation of the different types of mitigations being provided by VMware can be found in KB52245. Please note that if you have applied the patches listed in VMSA-2018-0004 you do not need the patches listed in VMSA-2018-0002.

Update 01/04/18: OS vendors have begun issuing patches that address CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 for their operating systems. For these patches to be fully functional in a guest OS additional ESXi and vCenter Server updates will be required. These updates are being given the highest priority. Please sign up to the Security-Announce mailing list to be alerted when these updates are available.

Today VMware has released the following new security advisory:

VMSA-2018-0002 – VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.

This advisory documents remediation for known variants of the Bounds-Check Bypass (CVE-2017-5753) and Branch Target Injection (CVE-2017-5715) issues due to speculative execution disclosed today by Google Project Zero. These issues may result in information disclosure from one Virtual Machine to another Virtual Machine that is running on the same host.

A third issue due to speculative execution, Rogue Data Cache Load (CVE-2017-5754), was disclosed along the other two issues. It does not affect ESXi, Workstation, and Fusion because ESXi does not run untrusted user mode code, and Workstation and Fusion rely on the protection that the underlying operating system provides.

The remediation as documented in VMSA-2018-0002, has been present in VMware Cloud on AWS since early December 2017.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisory and direct any questions to VMware Support.

VMSA-2018-0001

New VMware Security Advisory VMSA-2018-0001

On January 2nd 2018 VMware released the following new security advisory:

VMSA-2018-0001 – vSphere Data Protection (VDP) updates address multiple security issues.

This documents several critical severity issues affecting VDP.

Issue (a) is an authenication bypass vulnerability (CVE-2017-15548). A remote unauthenticated malicious user can potentially bypass application authentication and gain unauthorized root access to the affected systems.

Issue (b) is an arbitrary file upload vulnerability (CVE-2017-15549). A remote authenticated malicious user with low privileges could potentially upload arbitrary maliciously crafted files in any location on the server file system.

Issue (c) is a path traversal vulnerability (CVE-2017-15550). A remote authenticated malicious user with low privileges could access arbitrary files on the server file system in the context of the running vulnerable application.

These issues have been addressed in VDP 6.1.6 and 6.0.7.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.