Spectre-NG – CVE-2018-3639 and CVE-2018-3640

As you may already have heard from other sources, two new variants of the Spectre attack were made public in May:

Spectre Variant 3a: Rogue System Register Read (CVE-2018-3640)
Spectre Variant 4: Speculative Store Bypass (CVE-2018-3639)

Q2 2018 Speculative Execution Side Channel Update

Spectre-NG CPU security vulnerabilities: updates are rolling out (German)

From a VMware perspective, updates for both were released last week. Here are the corresponding Security Advisory (VMSA-2018-0012.1) and KB article (KB54951).

vSphere 6.7
  vCenter 6.7b: http://kb.vmware.com/kb/55726 (Download)
  ESXi 6.7
    ESXi670-201806001: https://kb.vmware.com/s/article/55917 (Download)
      ESXi670-201806401-BG: https://kb.vmware.com/s/article/55920
      ESXi670-201806402-BG: https://kb.vmware.com/s/article/55921
      ESXi670-201806403-BG: https://kb.vmware.com/s/article/56334

vSphere 6.5
  vCenter 6.5 U2b: http://kb.vmware.com/kb/54875 (Download)
  ESXi 6.5
    ESXi650-201806001: https://kb.vmware.com/s/article/55912 (Download)
      ESXi650-201806401-BG: https://kb.vmware.com/s/article/55915
      ESXi650-201806402-BG: https://kb.vmware.com/s/article/55916

vSphere 6.0
  vCenter 6.0 U3f: http://kb.vmware.com/kb/55725 (Download)
  ESXi 6.0
    ESXi600-201805001: https://kb.vmware.com/s/article/55907 (Download)
      ESXi600-201806401-BG: https://kb.vmware.com/s/article/55910
      ESXi600-201806402-BG: https://kb.vmware.com/s/article/55911

(The -BG entries are the individual bulletins contained in the patch release listed above them; the Download link belongs to the patch release.)

I put the list above together to get to the corresponding KB articles and downloads more quickly. Normally you would update your ESXi hosts through VUM (VMware Update Manager) and your vCenter through the VAMI (Virtual Appliance Management Interface). Sometimes there is a requirement, for example an environment without internet access, where you need to download the offline bundles or the vCenter patch ISOs listed above instead.

Everybody already running vSphere 6.5 in their environment would need to update to 6.5 U2 to get these patches.

Because there are still backup problems with 6.5 U2 and only a handful of backup vendors support it at the moment, I strongly recommend NOT updating to 6.5 U2 yet. Bear in mind that this also leaves the Spectre-NG mitigations for those hosts unapplied in the meantime, so weigh the two risks for your environment.

For more information, please refer to the KBs listed below.

———————————————————————————————————————————————–

VMSA-2018-0012

VMware vSphere, Workstation and Fusion updates enable Hypervisor-Assisted Guest Mitigations for Speculative Store Bypass issue.

https://www.vmware.com/security/advisories/VMSA-2018-0012.html

VMware Response to Speculative Execution security issues, CVE-2018-3639 and CVE-2018-3640 (54951)

https://kb.vmware.com/s/article/54951

CVE-2018-3639 (Speculative Store Bypass)

Hypervisor-Assisted Guest Mitigations

VMware updates that enable Hypervisor-Assisted Guest Mitigations for CVE-2018-3639 are documented in VMSA-2018-0012. This mitigation requires Intel microcode updates which, at the time of this article’s publication, are not yet available. The combination of Intel microcode and VMSA-2018-0012 updates will expose the Speculative-Store-Bypass-Disable (SSBD) control bit to guest operating systems. Detailed instructions on enabling Hypervisor-Assisted Guest Mitigations for CVE-2018-3639 are found in KB55111.

Operating System-Specific Mitigations

VMware has investigated the impact that CVE-2018-3639 may have on VMware Virtual Appliances, and while investigations are ongoing we have not found any evidence that VMware Virtual Appliances are affected by this issue.

VMware recommends contacting your operating system vendor to determine whether or not SSBD is recommended. At the time of this article’s publication, multiple OS vendors have decided that SSBD will be disabled by default in their OSes as they have classified the overall risk of CVE-2018-3639 as low and the performance impact imposed will be non-trivial.

CVE-2018-3640 (Rogue System Register Read)

Microcode Mitigations

CVE-2018-3640 is resolved by a microcode update. ESXi will include the mitigating microcode updates for supported CPUs as a convenience, after they have been provided to us and tested by VMware. Alternatively, you should also be able to obtain the microcode update for your CPU as part of a firmware/BIOS update from your hardware system vendor. Code changes are not required for any VMware products to mitigate CVE-2018-3640. Included microcode will be documented in ESXi release notes.

Note: If newer microcode is already present on your system because of a firmware/BIOS update, ESXi will not replace it with older microcode shipped as part of an ESXi patch/update.

For the latest information on how mitigations for the aforementioned issues may affect performance, see KB55210.

———————————————————————————————————————————————–

Hypervisor-Assisted Guest Mitigation for CVE-2018-3639 (Speculative Store Bypass) (55111)

https://kb.vmware.com/s/article/55111

Mitigation of CVE-2018-3639 within a VM or native OS is greatly assisted by a new speculative-execution control bit known as Speculative-Store-Bypass-Disable (SSBD). In order to use this hardware feature within virtual machines, new Hypervisor-Assisted Guest Mitigations must be enabled to pass this control bit to the Guest OSes.

For each virtual machine, enable Hypervisor-Assisted Guest Mitigation for CVE-2018-3639 via the following steps:

  1. Apply all applicable security patches for your Guest OS which have been made available from the OS vendor.
  2. Ensure that your VMs are using Virtual Hardware Version 9 or higher. See KB1010675 for details on Virtual Hardware versions and requirements. For best performance, Virtual Hardware Version 11 or higher is recommended. Virtual Hardware Version 11 enables PCID/INVPCID.
  3. Power Off and then Power On the virtual machine (Restart is insufficient).
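After the power cycle, the practical question is whether the guest actually sees the SSBD control bit and what the guest kernel does with it. The following script is an added example (not part of the original post or of VMware's KB) for a Linux guest: it looks for an SSBD flag in /proc/cpuinfo and reads the kernel's verdict from /sys/devices/system/cpu/vulnerabilities/spec_store_bypass. It also makes the caveat from KB54951 visible: most distributions report "disabled via prctl and seccomp", meaning SSBD is exposed but only applied to processes that opt in, not globally. The flag names and sysfs strings are the ones the Linux kernel uses; the sample cpuinfo text used in the comments is constructed.

```bash
#!/bin/sh
# Added example: verify from inside a Linux guest that the hypervisor exposes
# SSBD and see how the kernel uses it. The checks take file contents as
# arguments, so they can be run on constructed input as well as the live files.

SYSFS=/sys/devices/system/cpu/vulnerabilities/spec_store_bypass

# Returns 0 if a /proc/cpuinfo-style text advertises an SSBD control.
# Intel exposes CPUID.7.EDX[31], shown by Linux as "ssbd"; AMD guests show
# "amd_ssbd", or "virt_ssbd" when the control is provided by the hypervisor.
# Only the first CPU's flags line is inspected (all vCPUs report the same set).
cpuinfo_has_ssbd() {
    printf '%s\n' "$1" | grep -E '^flags[[:space:]]*:' | head -n 1 \
        | grep -Eq '(^|[[:space:]])(ssbd|amd_ssbd|virt_ssbd)([[:space:]]|$)'
}

# Maps the content of the spec_store_bypass sysfs file to one of:
#   not_affected, vulnerable, mitigated_optin, mitigated, unknown
# "disabled via prctl" (with or without "and seccomp") is the default on most
# distributions: SSBD is available but only enabled per process on request.
classify_ssb() {
    case "$1" in
        "Not affected")                                  echo not_affected ;;
        Vulnerable*)                                     echo vulnerable ;;
        *"disabled via prctl"*)                          echo mitigated_optin ;;
        "Mitigation: Speculative Store Bypass disabled") echo mitigated ;;
        *)                                               echo unknown ;;
    esac
}

# Combines both signals into a verdict an admin can act on after the KB55111
# steps (patched ESXi plus microcode, hardware version >= 9, full power cycle).
# Prints the verdict; returns non-zero when SSBD is missing or unused.
ssb_verdict() {
    if ! cpuinfo_has_ssbd "$1"; then
        echo no_ssbd_exposed          # hypervisor/microcode side not done yet
        return 1
    fi
    status=$(classify_ssb "$2")
    echo "ssbd_exposed_$status"       # e.g. ssbd_exposed_mitigated_optin
    [ "$status" != vulnerable ]       # exposed but kernel ignores it -> failure
}

# Run against the live system when the files exist (i.e. inside the guest).
if [ -r /proc/cpuinfo ] && [ -r "$SYSFS" ]; then
    ssb_verdict "$(cat /proc/cpuinfo)" "$(cat "$SYSFS")" || :
fi
```

A verdict of no_ssbd_exposed after the power cycle usually means one of the earlier steps is missing: the host patch, the microcode, or a virtual hardware version below 9. A verdict of ssbd_exposed_mitigated_optin is the expected state on a default distribution kernel; flipping to a global mitigation is a guest OS decision (and a measurable performance cost), which is why KB54951 points you to the OS vendor.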

———————————————————————————————————————————————–