Impact of VM Hardware Version on CPU Security Mitigations

Article ID: 441013


Products

VMware vSphere ESXi

Issue/Introduction

  • Security scanning tools may report CPU security vulnerabilities such as Transient Scheduler, Transient Execution and Side-Channel attacks on some Virtual Machines (VMs).
  • When running a command such as the following on a Linux VM, the VM is reported as affected/vulnerable for issues such as Spectre, Spec rstack overflow, Spec store bypass, and so on:
    • lscpu | grep -i vulnerability
  • But the results of these vulnerability tests are not consistent across VMs of the same build. For example, the same guest operating system version shows as "vulnerable" on VMs using Hardware Version 19, but "not vulnerable" on VMs using Hardware Version 21, even when running on the same ESXi host.
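As an added example (not part of this article), the following POSIX shell script reads the same sysfs entries that the lscpu command above reports, labels each one, and returns non-zero when any entry still reads "Vulnerable", so the per-VM comparison described above can be scripted across VMs at different hardware versions. It assumes a Linux guest exposing /sys/devices/system/cpu/vulnerabilities; the status strings in the comments are constructed samples.

```shell
#!/bin/sh
# Summarise the guest kernel's CPU vulnerability status by reading sysfs,
# which is where "lscpu | grep -i vulnerability" gets its data.
# Assumption: Linux guest with the standard sysfs vulnerabilities directory.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Print "<name> [<flag>] <status>" for every entry under $1.
# Returns 1 if any entry reports "Vulnerable" (constructed sample statuses:
# "Vulnerable", "Not affected", "Mitigation: Retpolines; IBPB: conditional").
report_vulns() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            *Vulnerable*)  rc=1; flag="VULNERABLE" ;;
            "Not affected") flag="ok" ;;
            *Mitigation*)  flag="mitigated" ;;
            *)             flag="unknown" ;;
        esac
        printf '%-24s %-12s %s\n' "$name" "[$flag]" "$status"
    done
    return $rc
}

# Count entries under $1 whose status contains "Vulnerable" (e.g. a guest at
# an older hardware version that cannot see the host's mitigation features).
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in *Vulnerable*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# When run as a script on a live guest, print the report and a summary line.
if [ -d "$VULN_DIR" ]; then
    report_vulns "$VULN_DIR"
    echo "vulnerable entries: $(count_vulnerable "$VULN_DIR")"
fi
```

Run it on two VMs of the same guest build at different hardware versions and diff the output to see which entries change from "Vulnerable" to "Mitigation" after the hardware upgrade.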

Environment

VMware vSphere ESXi

Cause

  • Newer virtual hardware versions expose advanced virtual hardware and CPU features to the guest OS, including CPU-level security features. While the physical CPU microcode may contain the mitigation, the VM must be at a hardware version that supports exposing those features to the guest OS.
  • The current guidance on updating the VM Hardware versions in relation to security can be found in the vSphere Configuration Hardening Guide. The following are the most pertinent points from the version 9.0 guide, but please note this can change so it is important to refer to the latest version of the guide for your current version of vSphere:
    • There are varying opinions within the greater VMware community about upgrading virtual machine hardware versions. Newer virtual machine hardware versions introduce new features and guest OS support, better compatibility and performance with CPU vulnerability mitigations, better support for modern CPU security features, better security defaults, and so on.
    • Upgrading virtual machine hardware changes the virtual hardware presented to the guest operating system, just as if a boot device in a physical server was placed in a newer physical server. Changes like this can vary in risk, may require more than one reboot, and may require human interaction to complete.
    • In general, Broadcom guidance is to:
      • Run the latest version you are able, ideally the latest version available in the major vSphere version you run.
      • Use VM Hardware 14 (vmx-14) or newer. Version 13 introduces important performance and security improvements for CPU vulnerability mitigations, and version 14 introduces support for vTPM.
      • Take snapshots of virtual machines prior to upgrading, but do not forget to remove the snapshot later.

Resolution

Important Notes:

  • Updating the HW version makes the CPU security features available, but the guest OS must still be configured to utilize them.
  • Before upgrading the virtual hardware version of a virtual machine, create a snapshot or backup of the virtual machine in case there are issues post-upgrade.
  • Refer to the vSphere Configuration Hardening Guide for official guidance for your current version of vSphere.


Additional Information

Repository for all VCF product security and compliance guides