VMSA-2018-0002 Meltdown and Spectre

VMware Security Advisory VMSA-2018-0002 – Meltdown and Spectre Vulnerabilities

Google Project Zero yesterday released information about two vulnerabilities affecting the major processor vendors: Meltdown (CVE-2017-5754 – rogue data cache load) and Spectre (CVE-2017-5753 – bounds check bypass & CVE-2017-5715 – branch target injection). Among other organizations, VMware released a security advisory: VMSA-2018-0002 – VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.

How to patch your vCenter / ESXi infrastructure against speculative execution vulnerabilities (Meltdown and Spectre). Products, versions, patches, order of upgrade, dependencies, warnings. VMware Patches for Spectre

Meltdown and Spectre Overview

Meltdown breaks the isolation between user applications and the operating system, and allows an application to read all system memory (this includes kernel-allocated memory). Meltdown affects a range of Intel processors.

Spectre breaks the memory isolation between different applications, and allows an application to force another application to access arbitrary portions of its memory. Spectre affects a wide range of processors: Intel, AMD, and ARM.

“Both of these vulnerabilities are hardware level vulnerabilities that exist because of a flaw in CPU architecture. They are very serious vulnerabilities because they are operating system and software independent. The long term fix for both of these issues will require that CPU makers change the way their chips work, which means redesigning and releasing new chips.” – Defiant

You can find more information on both vulnerabilities on spectreattack.com. For comprehensive technical details, you can refer to these academic papers: Meltdown and Spectre.

VMSA-2018-0002 – ESXi, Workstation, Fusion

VMware released security advisory VMSA-2018-0002 regarding the Meltdown and Spectre vulnerabilities. The advisory only covers Spectre; according to another blog article, VMware products are not vulnerable to Meltdown. Successful exploitation may allow information disclosure from one Virtual Machine to another Virtual Machine running on the same host. Multiple VMware products are affected:

  • ESXi 5.5, 6.0, and 6.5 (install the relevant patches: ESXi550-201709101-SG, ESXi600-201711101-SG, ESXi650-201712101-SG; the ESXi 5.5 patch remediates CVE-2017-5715 but not CVE-2017-5753)
  • Workstation 12.x (update to 12.5.8)
  • Fusion 8.x (update to 8.5.9)

I find it interesting that all the workloads in VMware Cloud on AWS have already been protected since December 2017. Sometimes it feels good to have somebody else handling the patching for you!

Other vendors

Many other vendors released security advisories; check the ones relevant to your environment:

In case of Intel, there is another negative story development in the news cycle: Intel CEO is under fire for selling $39 million in stock.

Nicole Perlroth (cybersecurity reporter at New York Times) wrote a cool Twitter thread on Spectre/Meltdown vulnerabilities (click and read the whole thread):

Happy patching as this is not the greatest start for 2018 🙁

You can check reports on other VMware vulnerabilities in my page dedicated to Security Advisories.

Update 1 – 5 January 2017

SANS and Rendition Infosec hosted a webinar held by Jake Williams (GSE #150, SANS analyst, SANS instructor). You can watch the webinar in the YouTube video below and download the slide deck here.

Some other organizations published customer recommendations on Meltdown/Spectre:

Update 2 – 6 January 2017

As BIOS/firmware updates are also required, here are some hardware vendors' advisories:

Update 3 – 6 January 2017

Some more information is available via a tweet by William Lam: VMware has published a new KB52264 stating that some appliances may be affected (more information to follow), while listing the unaffected appliances (VMware NSX for vSphere, VMware Unified Access Gateway, VMware vCenter Server 5.5, VMware vRealize Log Insight, VMware vRealize Operations, VMware vRealize Orchestrator).

“vSECR has evaluated these products and determined that under supported configurations they are not affected because there is no available path to execute arbitrary code without administrative privileges. This assumes that the underlying hypervisor(s) have been patched to remediate CVE-2017-5753, and CVE-2017-5715.” – VMware KB52264

William also mentions work-in-progress patches for ESXi 5.5 (CVE-2017-5753) and for vCenter to deliver the microcode update for Enhanced vMotion Compatibility (EVC).
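Once the ESXi patches, the vCenter/EVC update and the microcode are in place, the guest operating system still has to see the new CPU features before its own Spectre patches do anything. The script below is an added example (not VMware's code and not from this advisory) for verifying that from inside a Linux guest: it reads the feature flags in /proc/cpuinfo and the kernel's mitigation status files under /sys/devices/system/cpu/vulnerabilities. The flag names (spec_ctrl, ibpb, stibp) and sysfs file names are the real Linux ones; the two cpuinfo/sysfs samples are constructed so the check runs offline, and the live read is skipped on non-Linux systems.

```python
"""Check whether a Linux guest sees the CPU features that the Spectre/Meltdown
OS patches rely on, and what the kernel reports about mitigation status.

Added example, not VMware's code. Assumes a Linux guest; the sample inputs
below are constructed for offline use.
"""
import os

# Linux cpuinfo flag names that the Spectre v2 (CVE-2017-5715) kernel
# mitigations need the hypervisor/microcode to expose to the guest.
SPECTRE_V2_FLAGS = ("spec_ctrl", "ibpb", "stibp")

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
VULN_FILES = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}


def parse_cpuinfo_flags(cpuinfo_text):
    """Return the set of feature flags from the first 'flags' line of /proc/cpuinfo."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            _, _, value = line.partition(":")
            return set(value.split())
    return set()


def missing_spectre_flags(flags):
    """Flags the guest does not see; non-empty means the host is not exposing them yet."""
    return [f for f in SPECTRE_V2_FLAGS if f not in flags]


def classify_status(text):
    """Map a sysfs vulnerability string to 'vulnerable', 'mitigated', 'not affected' or 'unknown'."""
    t = text.strip().lower()
    if t == "not affected":
        return "not affected"
    if t.startswith("vulnerable"):
        return "vulnerable"
    if t.startswith("mitigation:"):
        return "mitigated"
    return "unknown"


def summarize(cpuinfo_text, sysfs_status):
    """sysfs_status maps file name -> contents. Returns a dict an inventory script can consume."""
    flags = parse_cpuinfo_flags(cpuinfo_text)
    report = {"missing_flags": missing_spectre_flags(flags), "cves": {}}
    for fname, cve in VULN_FILES.items():
        # A missing file yields 'unknown', which is treated as not ok.
        report["cves"][cve] = classify_status(sysfs_status.get(fname, ""))
    report["ok"] = not report["missing_flags"] and all(
        s in ("mitigated", "not affected") for s in report["cves"].values())
    return report


def read_live():
    """Read the real files on a Linux guest; returns None when they are absent."""
    if not os.path.exists("/proc/cpuinfo") or not os.path.isdir(SYSFS_DIR):
        return None
    with open("/proc/cpuinfo") as fh:
        cpuinfo = fh.read()
    status = {}
    for fname in VULN_FILES:
        path = os.path.join(SYSFS_DIR, fname)
        if os.path.exists(path):
            with open(path) as fh:
                status[fname] = fh.read()
    return summarize(cpuinfo, status)


# Constructed samples: a guest on an unpatched host and one on a patched host.
UNPATCHED_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme de pse sse sse2 ht\n"
PATCHED_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme de pse sse sse2 ht spec_ctrl ibpb stibp\n"
UNPATCHED_SYSFS = {"meltdown": "Vulnerable\n", "spectre_v1": "Vulnerable\n", "spectre_v2": "Vulnerable\n"}
PATCHED_SYSFS = {"meltdown": "Mitigation: PTI\n",
                 "spectre_v1": "Mitigation: __user pointer sanitization\n",
                 "spectre_v2": "Mitigation: Full generic retpoline, IBPB\n"}

if __name__ == "__main__":
    for label, cpu, sysfs in (("unpatched", UNPATCHED_CPUINFO, UNPATCHED_SYSFS),
                              ("patched", PATCHED_CPUINFO, PATCHED_SYSFS)):
        print(label, summarize(cpu, sysfs))
    live = read_live()
    if live is not None:
        print("this guest", live)
```

A report with an empty `missing_flags` list but a `vulnerable` status points at the guest kernel (OS patch missing or disabled); a non-empty `missing_flags` list with a patched kernel points at the host side (ESXi patch, EVC baseline or microcode not yet applied), which is the dependency the advisory and KB52264 describe.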


Constantin Ghioc

I usually play with vSphere API, Ansible, vRealize Automation, vRealize Orchestrator, and different AWS tools. In my other life I’m a husband and a father, an amateur photographer and a Go enthusiast.

11 thoughts to “VMware Security Advisory VMSA-2018-0002 – Meltdown and Spectre Vulnerabilities”

  1. According to VMware, all of the necessary patches are not released yet to protect a guest OS against this vulnerability.

    Update 01/04/18: OS vendors have begun issuing patches that address CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 for their operating systems. For these patches to be fully functional in a guest OS additional ESXi and vCenter Server updates will be required.

    https://blogs.vmware.com/security/2018/01/vmsa-2018-0002.html

  2. VMware claims that “[Meltdown] does not affect ESXi because … ESXi does not run untrusted user mode code.”

    That is totally bogus. ESXi runs plenty of user-mode code, some from VMware and some from third parties. ESXi also has plenty of its own vulnerabilities. Heck, ESXi can be told to run a python script off an unencrypted datastore!

    What they really mean is that VMware judged the performance impact of the KPTI patch to be more of a concern than the risk of a malicious Meltdown attack.

    That’s a bad judgement, IMHO. There’s good reason Linux, Mac, Windows, Azure, and AWS have all patched their OS’s and hypervisors. VMware should follow suit, even if it lowers performance.

    1. If a VMware guest cannot get another guest's memory, then it can be an optional patch, as if someone does not trust the OS's user separation (I do not, for example), then the patch has a negative effect and is not required. Show any way how some guest VM can use this issue to steal data from the hypervisor or another guest, if they do not have their memory mapped into their address space… If they have, it is a bug and should be fixed.

      Real virtualization should mitigate such bugs in its core. As for now, the damage from numerous ‘security fixes’ starts to outgrow any use of them. Yes, the CPU has a bug. VMware provides guest separation. Can separation be violated or not by this bug (not user separation inside the VM, which is not interesting at all – but VM separation inside the host)? If not, then it is MAJOR but not CRITICAL for VMware. If YES then it is CRITICAL.

  3. The ESXi 5.5 patch that you have linked to (ESXi550-201709101-SG) is not a complete solution for Spectre.

    From the VMware security-announce mailing list:
    “This patch has remediation against CVE-2017-5715 but not against CVE-2017-5753.”
