L1 Terminal Fault


CVE-2018-3646 – L1 Terminal Fault

Intel has disclosed details on a new class of CPU speculative-execution vulnerabilities known collectively as “L1 Terminal Fault” that can occur on past and current Intel processors (from at least 2009 – 2018) [See Table 1 for supported vSphere processors that are affected].

Like Meltdown, Rogue System Register Read, and “Lazy FP state restore”, the “L1 Terminal Fault” vulnerability can occur when affected Intel microprocessors speculate beyond an unpermitted data access. By continuing the speculation in these cases, the affected Intel microprocessors expose a new side-channel for attack. (Note, however, that architectural correctness is still provided as the speculative operations will be later nullified at instruction retirement.) 
CVE-2018-3646 is one of these Intel microprocessor vulnerabilities and impacts hypervisors. It may allow a malicious VM running on a given CPU core to effectively infer contents of the hypervisor’s or another VM’s privileged information residing at the same time in the same core’s L1 Data cache. Because current Intel processors share the physically-addressed L1 Data Cache across both logical processors of a Hyperthreading (HT) enabled core, indiscriminate simultaneous scheduling of software threads on both logical processors creates the potential for further information leakage. CVE-2018-3646 has two currently known attack vectors, which will be referred to here as “Sequential-Context” and “Concurrent-Context.” Both attack vectors must be addressed to mitigate CVE-2018-3646.

Attack Vector Summary

Sequential-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a previous context (hypervisor thread or other VM thread) on either logical processor of a processor core.

Concurrent-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a concurrently executing context (hypervisor thread or other VM thread) on the other logical processor of the Hyper-Threading enabled processor core.

Mitigation Summary

The Sequential-context attack vector is mitigated by a vSphere update to the product versions listed in the table below. This mitigation is dependent on Intel microcode updates (provided in separate ESXi patches for most Intel hardware platforms) also listed in the table below. This mitigation is enabled by default and does not impose a significant performance impact.

The Concurrent-context attack vector is mitigated through enablement of a new feature known as the ESXi Side-Channel-Aware Scheduler. This feature may impose a non-trivial performance impact and is not enabled by default.


VMware has confirmed that the VMM is vulnerable; the VMware vSphere, Workstation, and Fusion updates listed below enable Hypervisor-Specific Mitigations for L1 Terminal Fault. This issue may allow a malicious VM running on a given CPU core to effectively read the hypervisor’s or another VM’s privileged information that resides sequentially or concurrently in the same core’s L1 Data cache.

List of products affected and patch details:

VMware Product   Product Version   Replace with / Apply Patch
VC               6.7               6.7.0d
VC               6.5               6.5u2c
VC               6                 6.0u3h
VC               5.5               5.5u3j
ESXi             6.7               ESXi670-201808401-BG, ESXi670-201808402-BG, ESXi670-201808403-BG
ESXi             6.5               ESXi650-201808401-BG, ESXi650-201808402-BG, ESXi650-201808403-BG
ESXi             6                 ESXi600-201808401-BG, ESXi600-201808402-BG, ESXi600-201808403-BG
ESXi             5.5               ESXi550-201808401-BG, ESXi550-201808402-BG, ESXi550-201808403-BG
WS               14.x              14.1.3
Fusion           10.x              10.1.3
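The following Python script is an added example, not code from the original post or from VMware. It turns the Attack Vector Summary, the Mitigation Summary and the patch table above into a per-host check over a constructed ESXi inventory: a host counts as mitigated for CVE-2018-3646 only when the sequential-context vector (all listed bulletins for its version plus the Intel microcode update the patch depends on) and the concurrent-context vector (Side-Channel-Aware Scheduler enabled, or hyperthreading off, which follows from that vector's definition requiring the other logical processor of an HT-enabled core) are both addressed. The host fields, the inventory data, and the rule that all three bulletins per version must be present are this example's own assumptions; the table row listed as version "6" is keyed as "6.0".

```python
"""Added example (not from the original post or from VMware): check a
constructed ESXi inventory against both CVE-2018-3646 attack vectors."""
from dataclasses import dataclass, field

# ESXi patch bulletins from the advisory table above, per ESXi version.
# Assumption of this example: a host is "patched" only when all three
# bulletins listed for its version are applied.
REQUIRED_BULLETINS = {
    "6.7": {"ESXi670-201808401-BG", "ESXi670-201808402-BG", "ESXi670-201808403-BG"},
    "6.5": {"ESXi650-201808401-BG", "ESXi650-201808402-BG", "ESXi650-201808403-BG"},
    "6.0": {"ESXi600-201808401-BG", "ESXi600-201808402-BG", "ESXi600-201808403-BG"},
    "5.5": {"ESXi550-201808401-BG", "ESXi550-201808402-BG", "ESXi550-201808403-BG"},
}


@dataclass
class EsxiHost:
    """Facts an administrator collects per host (field names are this example's own)."""
    name: str
    version: str                          # "6.7", "6.5", "6.0" or "5.5"
    applied_bulletins: set = field(default_factory=set)
    microcode_updated: bool = False       # Intel microcode at the level the patch depends on
    hyperthreading_enabled: bool = True
    sca_scheduler_enabled: bool = False   # ESXi Side-Channel-Aware Scheduler (off by default)


def assess(host: EsxiHost) -> dict:
    """Return the mitigation state of both attack vectors for one host."""
    required = REQUIRED_BULLETINS.get(host.version)
    if required is None:
        # Version not in the advisory table: cannot decide from the table alone.
        return {"host": host.name, "known_version": False, "mitigated": False}
    missing = sorted(required - host.applied_bulletins)
    # Sequential-context: the vSphere patch AND the microcode update it depends on.
    sequential = not missing and host.microcode_updated
    # Concurrent-context: only exists on an HT-enabled core; mitigated by the
    # Side-Channel-Aware Scheduler. Treating HT-disabled as mitigated follows
    # from the vector's definition (the other logical processor of the core).
    concurrent = host.sca_scheduler_enabled or not host.hyperthreading_enabled
    return {
        "host": host.name,
        "known_version": True,
        "missing_bulletins": missing,
        "sequential_context_mitigated": sequential,
        "concurrent_context_mitigated": concurrent,
        # Both vectors must be addressed to mitigate CVE-2018-3646.
        "mitigated": sequential and concurrent,
    }


def report(hosts) -> list:
    """One human-readable line per host, naming what is still outstanding."""
    lines = []
    for h in hosts:
        r = assess(h)
        if not r["known_version"]:
            lines.append(f"{h.name}: ESXi {h.version} not in advisory table, verify manually")
            continue
        state = "MITIGATED" if r["mitigated"] else "EXPOSED"
        detail = []
        if r["missing_bulletins"]:
            detail.append("missing " + ", ".join(r["missing_bulletins"]))
        if not h.microcode_updated:
            detail.append("microcode not updated")
        if not r["concurrent_context_mitigated"]:
            detail.append("HT on without Side-Channel-Aware Scheduler")
        lines.append(f"{h.name}: {state}" + (f" ({'; '.join(detail)})" if detail else ""))
    return lines


# Constructed inventory (sample data, not from any real environment).
INVENTORY = [
    EsxiHost("esx01", "6.7", set(REQUIRED_BULLETINS["6.7"]), microcode_updated=True,
             sca_scheduler_enabled=True),
    EsxiHost("esx02", "6.7", set(REQUIRED_BULLETINS["6.7"]), microcode_updated=True),
    EsxiHost("esx03", "6.5", {"ESXi650-201808401-BG"}, microcode_updated=True,
             hyperthreading_enabled=False),
    EsxiHost("esx04", "6.0", set(REQUIRED_BULLETINS["6.0"]), microcode_updated=False),
]

if __name__ == "__main__":
    for line in report(INVENTORY):
        print(line)
```

The point the script makes visible is esx02: fully patched per the table and microcode-current, yet still exposed on the concurrent-context vector because the Side-Channel-Aware Scheduler is off by default. The scheduler state is read from the host's advanced settings; KB 55806 (in the references below) documents the VMkernel.Boot.hyperthreadingMitigation option that enables it.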


Mitigation Plan


Reference articles:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646

https://www.vmware.com/security/advisories/VMSA-2018-0020.html

https://kb.vmware.com/s/article/55767

https://kb.vmware.com/s/article/55636

https://kb.vmware.com/s/article/55806
