August 2018 Intel Vulnerabilities L1 Terminal Fault – L1TF (CVE-2018-3646 / CVE-2018-3620 / CVE-2018-3615)

Summary

Following the recent Spectre/Meltdown vulnerabilities from Intel, the latest wave of new found vulnerabilities disclosed by Intel on Tuesday, 14 August includes 3 new vulnerabilities affecting Intel Core and Xeon processors from at least 2009 – 2018. These new vulnerabilities are collectively known as “L1 Terminal Fault”.

Vulnerability Overview

Details for each vulnerability as provided by Intel:

CVE-2018-3615 – L1 Terminal Fault: SGX
Systems with microprocessors utilizing speculative execution and Intel® software guard extensions (Intel® SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.

CVE-2018-3620 – L1 Terminal Fault: OS/SMM
Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.

CVE-2018-3646 – L1 Terminal Fault: VMM
Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis.

The most severe of the three vulnerabilities (CVE-2018-3646: L1 Terminal Fault – VMM) impacts all hypervisors which includes VMware vSphere and Microsoft Hyper-V. Public cloud providers are also affected which includes VMware Cloud on AWS, VMware Horizon Cloud and Microsoft Azure.

It may allow a malicious VM running on a given CPU core to effectively infer contents of the hypervisor’s or another VM’s privileged information residing at the same time in the same core’s L1 Data cache. Because current Intel processors share the physically-addressed L1 Data Cache across both logical processors of a Hyperthreading (HT) enabled core, indiscriminate simultaneous scheduling of software threads on both logical processors creates the potential for further information leakage.

An attacker who can run arbitrary code on one virtual machine may be able to access information from another virtual machine or from the virtualization host itself. Workloads such as Windows Server Remote Desktop Services (RDS) and more dedicated workloads such as Active Directory domain controllers are also at risk. Attackers who can run arbitrary code (regardless of its level of privilege) may be able to access operating system or workload secrets such as encryption keys, passwords, and other sensitive data.

More information on the list of affected Intel processors can be obtained from Intel’s website at https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

Migitation Categories

To assist in understanding Speculative Execution vulnerabilities, VMware previously defined the following categories in KB52245 and KB54951 – here is a brief summary of these four categories:

  • Hypervisor-Specific Mitigations prevent information leakage from the hypervisor or guest VMs into a malicious guest VM. These mitigations require code changes for VMware products.
  • Hypervisor-Assisted Guest Mitigations virtualize new speculative-execution hardware control mechanisms for guest VMs so that Guest OSes can mitigate leakage between processes within the VM. These mitigations require code changes for VMware products.
  • Operating System-Specific Mitigations are applied to guest operating systems. These updates will be provided by a 3rd party vendor or in the case of VMware virtual appliances, by VMware.
  • Microcode Mitigations are applied to a system’s processor(s) by a microcode update from the hardware vendor. These mitigations do not require hypervisor or guest operating system updates to be effective.

The following is a summary of mitigation categories for each vulnerability.

  • CVE-2018-3646 (L1 Terminal Fault – VMM) – Microcode Mitigations* + Hypervisor-Specific Mitigations + Operating System-Specific Mitigations
  • CVE-2018-3620 (L1 Terminal Fault – OS) – Microcode Mitigations* + Operating System-Specific Mitigations

NOTE: These microcode mitigations are the same as those released by most hardware vendors for vulnerabilities CVE-2018-3639 and CVE-2018-3640.

Software vendor mitigations

Microsoft advisories:

VMware advisories:

  • As mentioned in VMware KB 55636, the only applicable mitigation for VMware vSphere products is for CVE-2018-3646.
  • The mitigation of the Sequential-Context attack vector is achieved by vSphere updates and patches mentioned in VMSA-2018-0020.
  • The mitigation of the Concurrent-context attack vector requires enablement of a new feature known as the “ESXi Side-Channel-Aware Scheduler“. The initial version of this feature will only schedule the hypervisor and VMs on one logical processor of an Intel Hyperthreading-enabled core. This feature may impose a non-trivial performance impact and is not enabled by default.
  • Enabling “ESXi Side-Channel-Aware Scheduler” requires setting the ESXi advanced host setting VMkernel.Boot.hyperthreadingMitigation to “True” and then rebooting the host. NOTE: This advanced option is made available after the host is patched as per patches in VMSA-2018-0020 mentioned above.
  • IMPORTANT: Refer to VMware KB 55767 on the potential performance impact after is ESXi Side-Channel-Aware Scheduler enabled.

RedHat advisories:

Hardware vendor mitigations:

Cisco:

HPE:

Dell:

 

One Responseso far.

  1. Emilio Scarr says:

    Somebody necessarily assist to make critically articles I would state. That is the very first time I frequented your website page and up to now? I amazed with the analysis you made to create this actual submit amazing. Great process!

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.