Intel Corporation has released security advisory INTEL-SA-00329, disclosing two new CPU vulnerabilities in its processor families: L1D Eviction Sampling (aka “CacheOut”) and Vector Register Sampling. Intel has disclosed the issues but has not yet provided new CPU microcode that resolves or mitigates them.
VMware ships Intel CPU microcode updates as part of vSphere: ESXi loads the bundled microcode at boot whenever it is newer than the revision your server firmware has already applied. In effect, patching vSphere also means that you are patching your CPUs (server firmware updates from your hardware vendor carry microcode too, which is why we recommend keeping both current). Once the updates become available from Intel, VMware will test them and include them in regular releases for both on-premises vSphere and VMware Cloud solutions.
This post is intended to help VMware customers understand these types of complicated issues, as remediating CPU vulnerabilities often involves tradeoffs between performance, features, and business risk. VMware is tracking this officially in KB 76949, “VMware response to Vector Register Sampling (CVE-2020-0548) and L1D Eviction Sampling (CVE-2020-0549) speculative execution vulnerabilities in Intel processors.” You can subscribe to KB articles to be notified of updates. This is also a good time to verify that you are subscribed to the VMware Security Advisory mailing lists so you are notified about vulnerabilities in VMware products.
Vector Register Sampling (CVE-2020-0548)
What it is: This is a residual issue from the November 2019 advisories on side-channel attacks involving Transactional Synchronization Extensions (TSX), which affected TSX-capable CPUs including Cascade Lake. As with MDS, a local attacker may be able to sample stale data, in this case the contents of vector registers belonging to another context.
What you need to do: Keep vSphere and your server firmware updated on a regular schedule. Read the release notes for updates. After Intel supplies updated CPU microcode to VMware, and VMware tests it, it will be included and mentioned in a future update.
What effect will it have: If you have not yet applied the server firmware or vSphere updates containing the November 2019 mitigations, please review the document listed below. That update from Intel had performance and functional impacts, and because microcode updates are cumulative, the future fix for this issue will bring those impacts with it.
- vSphere & Intel JCC, TAA, and MCEPSC/IFU: What You Need to Know (our blog post on the November 2019 CPU vulnerabilities)
- Vector Register Sampling / CVE-2020-0548 / INTEL-SA-00329 (Intel advisory)
- Processors Affected: Vector Register Sampling
L1D Eviction Sampling (CVE-2020-0549), “CacheOut”
What it is: L1D Eviction Sampling is an information-disclosure vulnerability: data being evicted from the CPU’s L1 data cache may be sampled by an attacker’s code running on the same physical core, including from a sibling hyperthread. In a vSphere environment this means the attacker must already be able to run code inside a guest operating system on the host, for example via a compromised virtual machine. The researchers who discovered the vulnerability named it “CacheOut.”
What you need to do: Apply and verify the remediations for L1TF and MDS (the side-channel-aware schedulers and their associated microcode) to protect yourself until Intel releases updates. Those schedulers prevent the hyperthreads of one core from being shared between different VMs at the same time, which closes the cross-VM path an attack like this depends on. Keep vSphere and your server firmware updated regularly, and watch for future updates to both. Patch guest OSes, practice the principle of least privilege, and practice good account and password hygiene.
What effect will it have: If you have not applied the remediations for L1TF and MDS, please review the VMware documentation and guidance linked below. Those remediations can have performance impacts and should not be enabled without first considering performance and business risk.
- cacheoutattack.com (has information from the security researchers who discovered this)
- Processors Affected: L1D Eviction Sampling
- Which vSphere CPU Scheduler to Choose? (guidance on remediating L1TF & MDS using the side-channel aware schedulers, and links to all other relevant documentation)
- VMSA-2019-0008.2 (VMware’s official security guidance around MDS)
- vSphere 6.7 CPU Scheduler Advisor Wizard (includes analysis of risk versus performance)
- L1D Eviction Sampling / CVE-2020-0549 / INTEL-SA-00329 (Intel advisory)
- mdsattacks.com (has the “RIDL Test Suite and PoCs” with useful tools to verify your MDS remediations)
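The two checks a vSphere administrator would run to confirm that the L1TF and MDS remediations above are actually in place, as an added example. This script is not VMware’s code and does not come from KB 76949 or the guidance linked above. It assumes that the `esxcli system settings kernel list` column layout matches the constructed sample embedded in the script (Name, Type, Configured, Runtime, Default, Description), that the mapping of the `hyperthreadingMitigation` / `hyperthreadingMitigationIntraVM` options to SCAv1/SCAv2 follows KB 55806, and that the guest is Linux with `/sys/devices/system/cpu/vulnerabilities` and `awk` available.

```shell
#!/bin/sh
# Added example for this post (not VMware's code or anything from KB 76949).
# Two places to verify the L1TF/MDS remediations this post relies on:
#   1. on the ESXi host: which side-channel-aware scheduler is in effect;
#   2. inside a Linux guest: what the kernel reports for l1tf/mds/tsx_async_abort
#      and whether the MD_CLEAR CPUID bit has been exposed to the VM.
#
# Assumptions: the esxcli column layout (Name Type Configured Runtime Default
# Description) matches ESXi 6.7 U2+ output of
#   esxcli system settings kernel list -o hyperthreadingMitigation
#   esxcli system settings kernel list -o hyperthreadingMitigationIntraVM
# and the option-to-scheduler mapping follows VMware KB 55806.

# Runtime value (TRUE/FALSE) of one kernel option. $1 = option name; esxcli
# output on stdin. $1 in awk is the Name column, $4 the Runtime column.
esxcli_runtime_value() {
    awk -v opt="$1" '$1 == opt { print toupper($4) }'
}

# Map the option pair to the scheduler in effect (KB 55806):
#   hyperthreadingMitigation=FALSE               -> default scheduler, no SCA
#   hyperthreadingMitigation=TRUE, IntraVM=TRUE  -> SCAv1 (one thread per core)
#   hyperthreadingMitigation=TRUE, IntraVM=FALSE -> SCAv2 (siblings shared only
#                                                   by vCPUs of the same VM)
sca_scheduler() {   # $1 = hyperthreadingMitigation, $2 = hyperthreadingMitigationIntraVM
    case "$1:$2" in
        TRUE:TRUE)  echo SCAv1 ;;
        TRUE:FALSE) echo SCAv2 ;;
        FALSE:*)    echo NONE ;;
        *)          echo UNKNOWN ;;
    esac
}

# Classify one /sys/devices/system/cpu/vulnerabilities/<name> file by the
# leading keyword the Linux kernel prints.
guest_vuln_state() {   # $1 = path to the sysfs file
    case "$(cat "$1")" in
        "Not affected"*) echo NOT_AFFECTED ;;
        Mitigation:*)    echo MITIGATED ;;
        Vulnerable*)     echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# Exact-match a CPUID feature flag on the "flags : ..." line of /proc/cpuinfo.
# $1 = flag name, $2 = cpuinfo file (defaults to the live one).
cpuinfo_has_flag() {
    awk -v f="$1" '$1 == "flags" { for (i = 3; i <= NF; i++) if ($i == f) found = 1; exit }
                   END { exit !found }' "${2:-/proc/cpuinfo}"
}

# Constructed sample of esxcli output (not captured from a real host), used
# when the script runs somewhere without esxcli so the parsing can be seen.
SAMPLE_ESXCLI='Name                             Type  Configured  Runtime  Default  Description
-------------------------------  ----  ----------  -------  -------  -----------
hyperthreadingMitigation         Bool  TRUE        TRUE     FALSE    Enable side-channel-aware scheduler
hyperthreadingMitigationIntraVM  Bool  FALSE       FALSE    TRUE     Prevent sibling sharing within a VM'

main() {
    if command -v esxcli >/dev/null 2>&1; then
        out=$(esxcli system settings kernel list)
    else
        out=$SAMPLE_ESXCLI
        echo "(esxcli not found; using the constructed sample output)"
    fi
    htm=$(printf '%s\n' "$out" | esxcli_runtime_value hyperthreadingMitigation)
    htmi=$(printf '%s\n' "$out" | esxcli_runtime_value hyperthreadingMitigationIntraVM)
    echo "ESXi scheduler in effect: $(sca_scheduler "$htm" "$htmi")"

    vdir=/sys/devices/system/cpu/vulnerabilities
    if [ -d "$vdir" ]; then
        for v in l1tf mds tsx_async_abort; do
            [ -r "$vdir/$v" ] || continue
            echo "$v: $(guest_vuln_state "$vdir/$v") ($(cat "$vdir/$v"))"
        done
        if cpuinfo_has_flag md_clear; then
            echo "md_clear: exposed to this guest"
        else
            echo "md_clear: not exposed (host lacks the MDS microcode, or this VM" \
                 "has not been power-cycled since the host was patched)"
        fi
    fi
}
main
```

Run the first half on the ESXi host (its shell has `esxcli` and a BusyBox `awk`) and the second half inside a Linux guest. A guest that reports `Vulnerable: Clear CPU buffers attempted, no microcode` for `mds` after the host has been patched has usually not been through a full power cycle (a guest reboot is not enough) and so has not yet picked up the new CPUID bits, which is the case the `md_clear` branch calls out.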
So… should I be worried?
Until Intel ships microcode that addresses these issues we cannot be completely certain, but from a vSphere perspective it looks as if these will not be big issues for customers who have already remediated L1TF and MDS.
Frequently Asked Questions
Q1: When will Intel ship the mitigated CPU microcode?
A1: Intel has not announced when these updates will ship.
Q2: What updates from VMware will contain the new Intel CPU microcode?
A2: As Intel has not announced or supplied updates we cannot determine that.
Q3: How can I receive updates on this topic?
A3: Visit the official KB article about this issue (KB 76949) and follow its instructions to subscribe to it.
Q4: Does this issue have a VMSA associated with it?
A4: No — this is not a vulnerability in a VMware product. It is a vulnerability in Intel products and therefore has an Intel Security Advisory.
Q5: How do I know if I am affected by these issues?
A5: Use the “Processors Affected” links listed above, and/or check with your hardware manufacturer.
Q6: Does this affect AMD CPUs?
A6: There is no mention of this particular issue on the AMD Product Security web page. Always check with your hardware manufacturer for guidance & the latest firmware, as there are security updates for AMD-based systems from time to time, too.