VMware Response to Speculative Execution security issues, CVE-2018-3639 and CVE-2018-3640
search cancel

VMware Response to Speculative Execution security issues, CVE-2018-3639 and CVE-2018-3640

book

Article ID: 318668

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

The purpose of this article is to respond to the security issues related to speculative execution described by CVE-2018-3639 (Speculative Store Bypass) and CVE-2018-3640 (Rogue System Register Read) in modern-day processors as they apply to VMware. Because there will be multiple documents necessary to respond to these issues, consider this document as the centralized source of truth for these issues.

The Update History section of this document will be revised when there is a significant change to any of the related documentation. Sign up at our Security Advisories mailing list to receive new and updated VMware Security Advisories.

Background

To assist in understanding Speculative Execution vulnerabilities, VMware previously defined the following categories in KB317615 - review this knowledge base article for an explanation of these categories:

  • Hypervisor-Specific Mitigation
  • Hypervisor-Assisted Guest Mitigation
  • Operating System-Specific Mitigations

With the disclosure of CVE-2018-3640 a 4th category has been defined:

  • Microcode Mitigations

Microcode Mitigations are applied to a system’s processor(s) by a microcode update from the hardware vendor. These mitigations may not require hypervisor or guest operating system updates to be effective. Nonetheless, ESXi plans to include microcode updates that contain such mitigations when they become available, as a convenience to our customers.

Mitigation of CVE-2018-3639 and CVE-2018-3640

Mitigation of CVE-2018-3639 (Speculative Store Bypass) requires both Hypervisor-Assisted Guest Mitigations and Operating System-Specific Mitigations.

Mitigation of CVE-2018-3640 (Rogue System Register Read) requires Microcode Mitigations.

Note:

Based on current evaluations, we do not believe that CVE-2018-3639 or CVE-2018-3640 could allow for VM to VM or Hypervisor to VM Information disclosure. Thus, Hypervisor-Specific Mitigations are not required.

Environment

VMware vSphere ESXi 6.0
VMware vSphere ESXi 5.5
VMware vSphere ESXi 6.5

Resolution

CVE-2018-3639 (Speculative Store Bypass)

Hypervisor-Assisted Guest Mitigations

VMware updates that enable Hypervisor-Assisted Guest Mitigations for CVE-2018-3639 are documented in VMware Security Advisory VMSA-2018-0012.1. The required Intel microcode updates are documented in VMware Knowledge Base articles listed in the same advisory. The combination of updates and Intel microcode will expose the Speculative-Store-Bypass-Disable (SSBD) control bit to guest operating systems. Detailed instructions on enabling Hypervisor-Assisted Guest Mitigations for CVE-2018-3639 are found in VMware Knowledge base article KB317619.

Operating System-Specific Mitigations

VMware has investigated the impact that CVE-2018-3639 may have on VMware Virtual Appliances, and while investigations are ongoing we have not found any evidence that VMware Virtual Appliances are affected by this issue.

VMware recommends contacting your operating system vendor to determine whether or not SSBD is recommended. At the time of this article’s publication, multiple OS vendors have decided that SSBD will be disabled by default in their OSes as they have classified the overall risk of CVE-2018-3639 as low to moderate and the performance impact imposed will be non-trivial.

For supplemental information please see the following 3rd party OS documentation:

Redhat: Kernel Side-Channel Attack using Speculative Store Bypass - CVE-2018-3639
Microsoft: ADV180012 | Microsoft Guidance for Speculative Store Bypass

CVE-2018-3640 (Rogue System Register Read)

Microcode Mitigations

CVE-2018-3640 is resolved by a microcode update and no code changes are required for any VMware products to mitigate CVE-2018-3640. ESXi patches documented in VMware Security Advisory VMSA-2018-0012.1 may include these microcode updates. Refer to the VMware Knowledge Base articles listed in this advisory for a list of included microcodes. Alternatively, you should also be able to obtain the microcode update for your CPU as part of a firmware/BIOS update from your hardware system vendor.

Note: If newer microcode is already present on your system because of a firmware/BIOS update, ESXi will not replace it with older microcode shipped as part of an ESXi patch/update.

For more information, please see Intel’s Security Center Advisory: INTEL-SA-00115

For the latest information on how mitigations for the aforementioned issues may affect performance, see KB315263.

Additional Information

Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.