Mitigation of the Sequential-attack-vectorMitigation of the
Sequential-attack-vector is done by deploying VMware Workstation Pro and Player 15.1.0 or greater, and VMware Fusion or Fusion Pro 11.1.0 or greater, as listed in VMSA-2019-0008. This mitigation is enabled by default and poses a minimal performance impact (refer to
KB55767 for performance data).
Mitigation of the Concurrent-attack-vector Mitigation of the
Concurrent-attack-vector requires disabling Hyper-Threading Technology (HT) CPU features.
Disabling Hyper-Threading may have a measurable performance impact on your application. For this reason, before disabling HT, it is important to review your host capacity to confirm whether or not your host will have sufficient resources (i.e. host CPU cores) to run the desired VMs
after disabling HT.
Disabling Hyper-Threading on systems running VMware WorkstationDisabling Hyper-Threading on a Windows or Linux host running VMware Workstation requires configuration changes at the system BIOS/EFI level. Refer to your motherboard / system hardware manufacturer’s guidance on how to disable this option from your BIOS/EFI firmware utility.
Disabling Hyper-Threading on Macs running VMware Fusion For macOS Hosts running VMware Fusion, VMware has developed and provided a utility to disable Hyper-Threading. This utility, which includes usage instructions, has been attached to this Knowledge Base article. This utility is for macOS only and does not run on Windows or Linux systems.
MD5 checksum of the downloadable archive: 2d65192600b90ebbf5e01b8e0bf5832d
SHA1 checksum of the downloadable archive: f7e69d70de079e98c670303678f6ac0c9f1227ae
Note: If you choose not to disable HT, the Concurrent attack vector will not be mitigated.
Some systems do not allow for HT to be disabled. If HT cannot be disabled in BIOS or the hosted OS of the processor platform, then the Concurrent attack vector cannot be mitigated and a malicious VM may be able to infer secrets of another VM or the host OS using
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646. This case cannot be mitigated by a hypervisor running in a hosted OS environment, regardless of patch level. The only solution in this case that ensures complete mitigation is to run sensitive VMs on other processor platforms where HT is disabled. Customers that choose to continue running VMs on processor platforms where HT cannot be disabled should be aware that MDS is not completely mitigated.
Users should therefore analyze their performance and security requirements, and the trust level of the virtual machines running on their hosts, to determine the appropriate mitigation response to MDS