VMware Security Advisory VMSA-2019-0008
May 14, 2019

VMware product updates enable Hypervisor-Specific Mitigations, Hypervisor-Assisted Guest Mitigations, and Operating System-Specific Mitigations for Microarchitectural Data Sampling (MDS) Vulnerabilities (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091)

www.vmware.com

1. Impacted Products

  • VMware vCenter Server (VC)
  • VMware vSphere ESXi (ESXi)
  • VMware Workstation Pro / Player (WS)
  • VMware Fusion Pro / Fusion (Fusion)
  • vCloud Usage Meter (UM)
  • Identity Manager (vIDM)
  • vCenter Server (vCSA)
  • vSphere Data Protection (VDP)
  • vSphere Integrated Containers (VIC)
  • vRealize Automation (vRA)

**2. Introduction**

Intel has disclosed details on speculative-execution vulnerabilities known collectively as “Microarchitectural Data Sampling (MDS)” that can occur on Intel microarchitecture prior to 2nd Generation Intel® Xeon® Scalable Processors (formerly known as Cascade Lake). These issues may allow a malicious user who can locally execute code on a system to infer data otherwise protected by architectural mechanisms.

There are four uniquely identifiable vulnerabilities associated with MDS:

  • CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS) - CVSSv3 = 6.5
  • CVE-2018-12130 - Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVSSv3 = 6.5
  • CVE-2018-12127 - Microarchitectural Load Port Data Sampling (MLPDS) - CVSSv3 = 6.5
  • CVE-2019-11091 - Microarchitectural Data Sampling Uncacheable Memory (MDSUM) - CVSSv3 = 3.8

To assist in understanding speculative-execution vulnerabilities, VMware previously defined the following mitigation categories:

  • Hypervisor-Specific Mitigations prevent information leakage from the hypervisor or guest VMs into a malicious guest VM. These mitigations require code changes for VMware products.
  • Hypervisor-Assisted Guest Mitigations virtualize new speculative-execution hardware control mechanisms for guest VMs so that Guest OSes can mitigate leakage between processes within the VM. These mitigations require code changes for VMware products.
  • Operating System-Specific Mitigations are applied to guest operating systems. These updates will be provided by a 3rd party vendor or in the case of VMware Virtual Appliances, by VMware.
  • Microcode Mitigations are applied to a system’s processor(s) by a microcode update from the hardware vendor. These mitigations do not require hypervisor or guest operating system updates to be effective.

MDS vulnerabilities require Hypervisor-Specific Mitigations (described in section 3a), Hypervisor-Assisted Guest Mitigations (described in section 3b), and Operating System-Specific Mitigations (described in section 3c).

**3a. Hypervisor-Specific Mitigations for MDS vulnerabilities - CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091**

**Description:**

vCenter Server, ESXi, Workstation, and Fusion updates include Hypervisor-Specific Mitigations for MDS speculative execution vulnerabilities. VMware has evaluated the severity of these issues to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

**Known Attack Vectors:**

A malicious user must have local access to a virtual machine and the ability to execute code to infer data otherwise protected by architectural mechanisms from another virtual machine or the hypervisor itself via MDS vulnerabilities.

There are two known attack vector variants for MDS at the Hypervisor level:

  • Sequential-context attack vector (Inter-VM): a malicious VM can potentially infer recently accessed data of a previous context (hypervisor thread or other VM thread) on either logical processor of a processor core.
  • Concurrent-context attack vector (Inter-VM): a malicious VM can potentially infer recently accessed data of a concurrently executing context (hypervisor thread or other VM thread) on the other logical processor of the Hyper-Threading-enabled processor core.

Resolution:

  • The Sequential-context attack vector (Inter-VM) is mitigated by a Hypervisor update to the product versions listed in the table below. These mitigations depend on Intel microcode updates (provided in separate ESXi patches for most Intel hardware platforms), also listed in the table below. This mitigation is enabled by default and does not impose a significant performance impact.
  • The Concurrent-context attack vector (Inter-VM) is mitigated by enabling the ESXi Side-Channel-Aware Scheduler Version 1 or Version 2. These options may impose a non-trivial performance impact and are not enabled by default.

Workarounds:

  • There are no known Hypervisor-Specific workarounds for the MDS class of vulnerabilities.

Additional Documentation:

  • vSphere: KB67577 should be thoroughly reviewed to ensure a strong understanding of the Hypervisor-Specific Mitigations enablement process for MDS and potential CPU capacity impacts.
  • Workstation/Fusion: KB68025 should be thoroughly reviewed to ensure a strong understanding of the Hypervisor-Specific Mitigations enablement process for MDS and potential CPU capacity impacts.

**Notes:**

  • VMware Hypervisors running on 2nd Generation Intel® Xeon® Scalable Processors (formerly known as Cascade Lake) are not affected by MDS vulnerabilities.

Acknowledgements:

  • None.

**Resolution Matrix:**

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| vCenter Server¹ | 6.7 | Any | N/A | N/A | N/A | 6.7 U2a | None | KB67577 |
| vCenter Server¹ | 6.5 | Any | N/A | N/A | N/A | 6.5 U2g | None | KB67577 |
| vCenter Server¹ | 6.0 | Any | N/A | N/A | N/A | 6.0 U3i | None | KB67577 |
| ESXi³ | 6.7 | Any | [CVE-2018-12126](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126), [CVE-2018-12127](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127), [CVE-2018-12130](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130), [CVE-2019-11091](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11091) | 6.5 | Moderate | [ESXi670-201911401-BG, ESXi670-201911402-BG²](https://my.vmware.com/group/vmware/patch) | None | KB67577 |
| ESXi | 6.5 | Any | [CVE-2018-12126](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126), [CVE-2018-12127](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127), [CVE-2018-12130](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130), [CVE-2019-11091](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11091) | 6.5 | Moderate | [ESXi650-201905401-BG, ESXi650-201905402-BG²](https://my.vmware.com/group/vmware/patch) | None | KB67577 |
| ESXi | 6.0 | Any | [CVE-2018-12126](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126), [CVE-2018-12127](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127), [CVE-2018-12130](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130), [CVE-2019-11091](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11091) | 6.5 | Moderate | [ESXi600-201905401-BG, ESXi600-201905402-BG²](https://my.vmware.com/group/vmware/patch) | None | KB67577 |
| Workstation³ | 15.x | Any | [CVE-2018-12126](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126), [CVE-2018-12127](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127), [CVE-2018-12130](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130), [CVE-2019-11091](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11091) | 6.5 | Moderate | 15.5.1 | None | KB68025 |
| Fusion³ | 11.x | Any | [CVE-2018-12126](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126), [CVE-2018-12127](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127), [CVE-2018-12130](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130), [CVE-2019-11091](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11091) | 6.5 | Moderate | 11.5.1 | None | KB68025 |

1. vCenter updates are listed in the above table as a requirement for Hypervisor-Specific Mitigations as these updates include enhanced EVC modes which support the new MD-CLEAR functionality included in ESXi microcode updates.
2. These patches contain updated microcode. At the time of this publication Sandy Bridge DT/EP Microcode Updates (MCUs) had not yet been provided to VMware. Customers on this microarchitecture may request MCUs from their hardware vendor in the form of a BIOS update. This microcode will be included in future releases of ESXi.
3. A regression introduced in ESXi 6.7u2, Workstation 15.5.0, and Fusion 11.5.0 causes Hypervisor-Specific Mitigations for L1TF (CVE-2018-3646) and MDS (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091) to be ineffective. This issue has been resolved in the patches reflected in the table above. This regression does not affect the ESXi 6.5 and 6.0 release lines, nor does it affect ESXi 6.7u2 if the ESXi Side-Channel-Aware Scheduler Version 2 is enabled.
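The Resolution section and the matrix footnotes together define a small decision procedure for an ESXi estate: the sequential-context mitigation needs the listed patch plus MD_CLEAR microcode, the concurrent-context vector needs SCAv1/SCAv2, Cascade Lake hosts are out of scope, and the 6.7u2 regression only leaves the mitigation effective when SCAv2 is on. The script below, an added example and not VMware's code, encodes that procedure over a constructed host inventory; the host field names (`release`, `patches`, `md_clear`, `ht_enabled`, `sca_version`, `cascade_lake`) are this script's own assumptions, not vSphere API property names.

```python
# Added example (not VMware's code): triage ESXi hosts against section 3a of
# VMSA-2019-0008. Host records are constructed; their field names are this
# script's assumptions, not vSphere API property names.

# Hypervisor-Specific Mitigation patches per ESXi line (Resolution Matrix).
FIXED_PATCHES = {
    "6.7": "ESXi670-201911401-BG",
    "6.5": "ESXi650-201905401-BG",
    "6.0": "ESXi600-201905401-BG",
}


def mds_status(host):
    """State of both Inter-VM vectors for one host: "n/a", "mitigated" or "open"."""
    # Cascade Lake and later are not affected by MDS (section 3a, Notes).
    if host["cascade_lake"]:
        return {"sequential-context": "n/a", "concurrent-context": "n/a"}
    line = host["release"].split("u")[0]  # "6.7u2" -> "6.7"
    patched = FIXED_PATCHES[line] in host["patches"]
    # Footnote 3: the 6.7u2 regression makes the shipped mitigation ineffective
    # unless the Side-Channel-Aware Scheduler v2 is enabled.
    u2_with_scav2 = host["release"] == "6.7u2" and host["sca_version"] == 2
    # The default-on sequential-context mitigation also depends on MD_CLEAR
    # microcode (the matching -402-BG patch or a vendor BIOS update, footnote 2).
    sequential = (patched or u2_with_scav2) and host["md_clear"]
    # Concurrent-context leakage crosses Hyper-Threading siblings; the advisory
    # mitigates it only through SCAv1/SCAv2, which are off by default.
    concurrent = (not host["ht_enabled"]) or host["sca_version"] in (1, 2)
    return {
        "sequential-context": "mitigated" if sequential else "open",
        "concurrent-context": "mitigated" if concurrent else "open",
    }


def hosts_needing_action(inventory):
    """Names of hosts with at least one open MDS vector."""
    return [h["name"] for h in inventory if "open" in mds_status(h).values()]


# Constructed sample inventory for illustration.
SAMPLE_INVENTORY = [
    {"name": "esx01", "release": "6.7u2", "patches": ["ESXi670-201911401-BG"],
     "md_clear": True, "ht_enabled": True, "sca_version": 1, "cascade_lake": False},
    {"name": "esx02", "release": "6.7u2", "patches": [], "md_clear": True,
     "ht_enabled": True, "sca_version": 0, "cascade_lake": False},
    {"name": "esx03", "release": "6.5", "patches": ["ESXi650-201905401-BG"],
     "md_clear": False, "ht_enabled": True, "sca_version": 0, "cascade_lake": False},
    {"name": "esx04", "release": "6.7u2", "patches": [], "md_clear": True,
     "ht_enabled": True, "sca_version": 0, "cascade_lake": True},
]
```

Run `hosts_needing_action(SAMPLE_INVENTORY)` to list the hosts that still need a patch, microcode, or a scheduler change; esx03 shows the case where the hypervisor patch alone is not enough because MD_CLEAR microcode is missing.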
