How to mitigate the Zombieload vulnerability in Enterprise PKS
Article ID: 316785

Products

VMware Cloud PKS

Issue/Introduction

This article provides instructions for mitigating the Zombieload vulnerability on Enterprise PKS, an attack identified in the following CVEs:
  • CVE-2018-12126 is a flaw that could lead to information disclosure from the processor store buffer.
  • CVE-2018-12127 is a flaw in the microprocessor's load operations that can reveal to an attacker data about CPU registers and operations in the CPU pipeline.
  • CVE-2018-12130 is the most serious of the three issues; it involves the implementation of the microprocessor fill buffers and can expose data within those buffers.
  • CVE-2019-11091 is a flaw in the implementation of the "fill buffer," a mechanism used by modern CPUs when a cache miss occurs on the L1 CPU cache.

Environment

VMware PKS 1.x

Cause

The ZombieLoad attack gives malicious parties access to sensitive data and keys while the computer system performs non-crucial maintenance tasks.

The following is taken from https://zombieloadattack.com/:
 
“While programs normally only see their own data, a malicious program [such as Zombieload] can exploit the fill buffers to get hold of secrets currently processed by other running programs. These secrets can be user-level secrets, such as browser history, website content, user keys, and passwords, or system-level secrets, such as disk encryption keys.”

Resolution

Enterprise PKS 1.4.1 is compiled against stemcell version 250.25. However, this stemcell version was released before the Zombieload CVEs were made public. To mitigate the Zombieload CVEs, you must upgrade to stemcell version 250.48.

Use the following instructions to upgrade to stemcell version 250.48:
  1. In Ops Manager, go to the Installation Dashboard.
  2. In the Stemcell Library, record the name and version of the stemcell for Enterprise PKS. In this case it will be 250.48, and the library will not flag it as missing, because Enterprise PKS 1.4.1 was compiled against 250.25; for future reference, this is how you determine the minimum stemcell version.
  3. Log in to Pivotal Network.
  4. Search for “Stemcells for PCF (Ubuntu Xenial)”.
  5. Select version 250.48 from the dropdown list.
  6. Download the stemcell for your IaaS platform; for example, if you are running Enterprise PKS on vSphere, you would download the “Ubuntu Xenial Stemcell for vSphere 250.48”.
  7. In Ops Manager, return to the Installation Dashboard.
  8. Click Import Stemcell, navigate to the stemcell you downloaded, and click Open to import the stemcell.
  9. At the Installation Dashboard, click Review Pending Changes.
  10. Click Apply Changes to update the PKS tile with the new stemcell.
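After Apply Changes completes, the following added example (not part of this article or of the PKS product) is a script you can run on a PKS master or worker VM to confirm the upgrade took effect: it compares the BOSH stemcell version file against the 250.48 minimum from this article and reads the kernel's own MDS (Zombieload) status report. The file paths are assumed standard Linux kernel and BOSH stemcell locations, not taken from the article.

```shell
#!/bin/sh
# Added example, not part of the KB article: verify on a PKS VM that the
# Zombieload (MDS) mitigation is active after the stemcell upgrade.
# The 250.48 minimum comes from the article; the sysfs path and the BOSH
# stemcell_version file are assumed standard locations.

MIN_STEMCELL=250.48

# classify_mds "<status line>": map the kernel's MDS report to a verdict.
# The strings are those the kernel writes to /sys/devices/system/cpu/vulnerabilities/mds.
classify_mds() {
  case "$1" in
    "Not affected"*)                                  echo mitigated ;;
    "Mitigation: Clear CPU buffers; SMT mitigated"*)  echo mitigated ;;
    "Mitigation: Clear CPU buffers; SMT disabled"*)   echo mitigated ;;
    "Mitigation: Clear CPU buffers"*)                 echo partial ;;    # SMT still exposes sibling-thread data
    "Vulnerable: Clear CPU buffers attempted"*)       echo vulnerable ;; # kernel patched, but no MD_CLEAR microcode
    "Vulnerable"*)                                    echo vulnerable ;;
    *)                                                echo unknown ;;
  esac
}

# version_ge A B: true when stemcell version A >= B (major.minor numeric compare).
version_ge() {
  a_major=${1%%.*}; a_minor=${1#*.}; case "$1" in *.*) ;; *) a_minor=0 ;; esac
  b_major=${2%%.*}; b_minor=${2#*.}; case "$2" in *.*) ;; *) b_minor=0 ;; esac
  [ "$a_major" -gt "$b_major" ] || { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# check_node: print stemcell version and MDS verdict; succeed only if both pass.
check_node() {
  ver=$(cat /var/vcap/bosh/etc/stemcell_version 2>/dev/null || echo unknown)
  mds=$(cat /sys/devices/system/cpu/vulnerabilities/mds 2>/dev/null \
        || echo "sysfs entry missing (kernel predates MDS patches)")
  verdict=$(classify_mds "$mds")
  echo "stemcell=$ver (minimum $MIN_STEMCELL)  mds=$verdict  [$mds]"
  [ "$ver" != unknown ] && version_ge "$ver" "$MIN_STEMCELL" && [ "$verdict" = mitigated ]
}

# Run the live check only when invoked as: sh mds_check.sh --check
if [ "${1:-}" = "--check" ]; then
  check_node
fi
```

A verdict of vulnerable with "no microcode" means the guest kernel is patched but the hypervisor is not exposing the MD_CLEAR CPU capability, so the ESXi host also needs its MDS update before the guest mitigation can work; partial means SMT is still enabled on the host.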