Understand L1 Terminal Fault (L1TF) – Impact and Mitigation Plan for VMware Admins

Overview of L1TF Vulnerabilities: –

On 14th Aug 2018 Intel disclosed a new class of three CPU speculative-execution vulnerabilities in its server, client and workstation processors, known as “L1 Terminal Fault (L1TF)”, which affect past and current Intel processors (from at least 2009 to 2018).


The processor vulnerability goes by L1TF, L1 Terminal Fault, and Foreshadow. Researchers who discovered the problem back in January and reported it to Intel called it “Foreshadow”. It is similar to vulnerabilities discovered in the past such as Spectre and Meltdown.

The new L1 Terminal Fault vulnerability involves a security hole in the CPU’s L1 data cache, a small pool of memory within each processor core that helps determine what instruction the core will execute next. L1 Terminal Fault vulnerability can occur when affected Intel microprocessors speculate beyond an unpermitted data access.

VMware has defined the four categories below for such vulnerabilities.

  • Hypervisor-Specific Mitigations prevent information leakage from the hypervisor or guest VMs into a malicious guest VM. These mitigations require code changes for VMware products.
  • Hypervisor-Assisted Guest Mitigations virtualize new speculative-execution hardware control mechanisms for guest VMs so that Guest OSes can mitigate leakage between processes within the VM. These mitigations require code changes for VMware products.
  • Operating System-Specific Mitigations are applied to guest operating systems. These updates will be provided by a 3rd party vendor or in the case of VMware virtual appliances, by VMware.
  • Microcode Mitigations are applied to a system’s processor(s) by a microcode update from the hardware vendor. These mitigations do not require hypervisor or guest operating system updates to be effective.

What is affected by L1TF: –

This vulnerability is Intel-specific. Other processors such as AMD are not affected.

What is impacted

Intel’s previously released microcode updates are expected to lower the risk of data exposure for consumer and enterprise users running non-virtualized operating systems, and no significant performance impact has been noted with this particular mitigation. For virtual machines, however, the risk is higher.

Three CVEs have been assigned to this issue:

L1TF Vulnerabilities

  • CVE-2018-3615 for Intel Software Guard Extensions (L1 Terminal Fault-SGX)

    • Systems with microprocessors utilizing speculative execution and Intel SGX may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via side-channel analysis.
    • Does not affect VMware products and/or services.
    • Reference Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3615
  • CVE-2018-3620 for operating systems and System Management Mode (L1 Terminal Fault-OS/ SMM)

    • Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and side-channel analysis.
    • Virtual appliances are impacted. The list of unaffected appliances can be found here: https://kb.vmware.com/s/article/55807. It is recommended to contact 3rd party vendors for appliance patches.
    • Products that ship as an installable Windows or Linux binary are not directly affected.
    • May also be applicable to customer-controlled environments running in a VMware SaaS offering. Refer to https://kb.vmware.com/s/article/55808.
    • Other Reference Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3620
    • Requires Operating System-Specific Mitigations.
  • CVE-2018-3646 for impacts to virtualization (L1 Terminal Fault-VMM)

    • This is specific to virtual environments and impacts your virtual machines.
    • Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and side-channel analysis.
    • It impacts hypervisors. It may allow a malicious VM running on a given CPU core to effectively infer contents of the hypervisor’s or another VM’s privileged information residing at the same time in the same core’s L1 Data cache.
    • Requires Hypervisor-Specific Mitigations for hosts running on Intel hardware.

Affected Products: –

The following Intel-based platforms are potentially impacted by these issues.

Intel® Core™ i3 processor (45nm and 32nm)
Intel® Core™ i5 processor (45nm and 32nm)
Intel® Core™ i7 processor (45nm and 32nm)
Intel® Core™ M processor family (45nm and 32nm)
2nd generation Intel® Core™ processors
3rd generation Intel® Core™ processors
4th generation Intel® Core™ processors
5th generation Intel® Core™ processors
6th generation Intel® Core™ processors **
7th generation Intel® Core™ processors **
8th generation Intel® Core™ processors **
Intel® Core™ X-series Processor Family for Intel® X99 platforms
Intel® Core™ X-series Processor Family for Intel® X299 platforms
Intel® Xeon® processor 3400 series
Intel® Xeon® processor 3600 series
Intel® Xeon® processor 5500 series
Intel® Xeon® processor 5600 series
Intel® Xeon® processor 6500 series
Intel® Xeon® processor 7500 series
Intel® Xeon® Processor E3 Family
Intel® Xeon® Processor E3 v2 Family
Intel® Xeon® Processor E3 v3 Family
Intel® Xeon® Processor E3 v4 Family
Intel® Xeon® Processor E3 v5 Family **
Intel® Xeon® Processor E3 v6 Family **
Intel® Xeon® Processor E5 Family
Intel® Xeon® Processor E5 v2 Family
Intel® Xeon® Processor E5 v3 Family
Intel® Xeon® Processor E5 v4 Family
Intel® Xeon® Processor E7 Family
Intel® Xeon® Processor E7 v2 Family
Intel® Xeon® Processor E7 v3 Family
Intel® Xeon® Processor E7 v4 Family
Intel® Xeon® Processor Scalable Family
Intel® Xeon® Processor D (1500, 2100)

** indicates Intel microprocessors affected by CVE-2018-3615 – L1 Terminal Fault: SGX

How to Mitigate L1TF in your VMware Environment: –

You need to ensure that all virtualized operating systems have been updated. Additional steps include turning off hyper-threading in some scenarios and enabling specific hypervisor core scheduling features.

Mitigation of CVE-2018-3615 (L1 Terminal Fault – SGX) – {No action for VMware Admins}:

  • CVE-2018-3615 does not affect VMware products and/or services. Hence no mitigation is required from VMware admins.

Mitigation of CVE-2018-3620 (L1 Terminal Fault – OS) – {More Specific to 3rd party Vendors}:

  • Mitigation of CVE-2018-3620 requires Operating System-Specific Mitigations. Virtual appliances and VMware SaaS offerings may be impacted.
  • Products that ship as an installable Windows or Linux binary are not directly affected, but patches may be required from the vendor of the operating system these products are installed on.
  • It is recommended to contact 3rd party vendors of appliances and SaaS offerings for their mitigation plan for CVE-2018-3620. For example, if you are using a Cisco virtual appliance, you need to contact Cisco for the mitigation plan.
  • For VMware appliances, VMware has listed the unaffected appliances here: https://kb.vmware.com/s/article/55807

Mitigation of CVE-2018-3646 (L1 Terminal Fault – VMM) – {More specific to VMware Admins}:

  • Mitigation of CVE-2018-3646 requires Hypervisor-Specific Mitigations for hosts running on Intel hardware.
  • As a VMware admin, you need to focus more on CVE-2018-3646, as it directly impacts hypervisors and virtual machines running on Intel CPUs. The affected product list can be found above.

Mitigation Structure

  • Sequential-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a previous context (hypervisor thread or other VM thread) on either logical processor of a processor core.
  • Concurrent-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a concurrently executing context (hypervisor thread or other VM thread) on the other logical processor of the hyperthreading-enabled processor core.

There are three phases to mitigate CVE-2018-3646 as mentioned below.

  1. Update Phase
  2. Planning Phase
  3. Scheduler-Enablement Phase

L1TF Mitigation Phases

The three mitigation phases for CVE-2018-3646 are described in more detail below:

To summarize, here are the quick steps:

  • Update vCenter Server to the product version listed in the VMSA.
  • Patch your ESXi hosts to the product version listed in the VMSA.
  • Enable the ESXi Side-Channel-Aware Scheduler using the vSphere Web Client.
    • Set VMkernel.Boot.hyperthreadingMitigation to True in the Advanced Settings of each ESXi host.
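The quick steps above can also be driven from PowerCLI, which is handy when you have many hosts and want a record of which ones are still in the Update Phase. The following script is an added example for this article, not a script from the original post or from VMware's KB. It assumes the VMware.PowerCLI module is installed, that the vCenter name you pass in is a placeholder for your own, and that the `-Enable` switch (an assumption of this example) is only used after you have completed the Planning Phase, because the scheduler change takes effect at the next host reboot.

```powershell
# Added example (not from the original article or VMware's KB): audit, and optionally
# enable, the ESXi Side-Channel-Aware Scheduler across every host managed by a vCenter.
# Assumptions: VMware.PowerCLI is installed; $VCenter is a placeholder for your vCenter;
# -Enable is an example switch, audit-only is the default.
param(
    [Parameter(Mandatory = $true)][string]$VCenter,   # e.g. vcsa.example.local (placeholder)
    [switch]$Enable                                    # audit only unless this is given
)

Import-Module VMware.PowerCLI -ErrorAction Stop
$null = Connect-VIServer -Server $VCenter

$settingName = 'VMkernel.Boot.hyperthreadingMitigation'

$report = foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    # Hosts that have not yet received the ESXi patch from the VMSA do not expose this
    # setting at all. That is itself a finding: such a host is still in the Update Phase.
    $setting = Get-AdvancedSetting -Entity $vmhost -Name $settingName -ErrorAction SilentlyContinue

    # The value may come back as a bool or as the string "True"/"False" depending on the
    # PowerCLI version, so compare its string form rather than casting with [bool].
    $enabled = $null
    if ($setting) { $enabled = ([string]$setting.Value -eq 'True') }

    $changed = $false
    if ($Enable -and $setting -and -not $enabled) {
        # Only touch hosts that are patched and still at the default (FALSE).
        $null = Set-AdvancedSetting -AdvancedSetting $setting -Value $true -Confirm:$false
        $enabled = $true
        $changed = $true
    }

    [pscustomobject]@{
        Host                 = $vmhost.Name
        Version              = "$($vmhost.Version) build $($vmhost.Build)"
        HyperthreadingActive = $vmhost.HyperthreadingActive   # hyper-threading is what the scheduler controls
        SettingPresent       = [bool]$setting                  # $false => host not yet patched
        MitigationEnabled    = $enabled                        # $null when the setting is absent
        RebootRequired       = $changed                        # VMkernel.Boot.* applies at next boot
    }
}

$report | Format-Table -AutoSize
Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it without `-Enable` first: a row with `SettingPresent` equal to `False` means the host has not been patched yet and must go through the Update Phase before the scheduler can be enabled; a row with `MitigationEnabled` equal to `False` on a patched host is a candidate for the Scheduler-Enablement Phase. After enabling, each host flagged `RebootRequired` needs a reboot before the new scheduler is actually active.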

Mitigation Plan

You can refer to VMware KB Article 55806 for the in-depth mitigation plan for CVE-2018-3646.

Your Environment is secure now. Enjoy the monsoon.

That’s all from this article. If you want to add your inputs, please share them in the comment box.


Share this article to others if you found it useful.