This host is potentially vulnerable to issues described in CVE-2018-3646 – Solved


“This host is potentially vulnerable to issues described in CVE-2018-3646, please refer to https://kb.vmware.com/s/article/55636 for details and VMware recommendations.” This is also called L1 Terminal Fault. Today we will talk about this warning message and a possible solution that fixes it.

CVE-2018-3646 (L1 Terminal Fault – VMM)

CVE-2018-3646 (L1 Terminal Fault – VMM) is a security issue related to speculative execution in Intel processors. Mitigating it requires Hypervisor-Specific Mitigations on hosts running Intel hardware.

Intel has disclosed details on a new class of CPU speculative-execution vulnerabilities known collectively as “L1 Terminal Fault” that affect past and current Intel processors (from at least 2009 through 2018).

The “L1 Terminal Fault” vulnerability can occur when affected Intel microprocessors speculate beyond an unpermitted data access. By continuing speculation in these cases, the affected Intel microprocessors expose a new side channel that can be used for the attack. For more information, see VMware KB article KB55806.

VMware announced this issue in VMware Security Advisory VMSA-2018-0020 on 2018-08-14.

CVE-2018-3646 has two currently known attack vectors which will be referred to as “Sequential-Context” and “Concurrent-Context.”

Attack Vector Summary

  • Sequential-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a previous context (hypervisor thread or other VM thread) on either logical processor of a processor core.
  • Concurrent-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a concurrently executing context (hypervisor thread or other VM thread) on the other logical processor of a Hyper-Threading enabled processor core.

Mitigations

VMware has provided Hypervisor-Specific Mitigations for CVE-2018-3646. Note that AMD processors are not affected; only Intel processors are.

  • The Sequential-context attack vector is mitigated by a vSphere update to the latest product versions.
  • The Concurrent-context attack vector is mitigated through the enablement of a new feature known as the ESXi Side-Channel-Aware Scheduler. This feature may impose a non-trivial performance impact and is not enabled by default.

Enabling the ESXi Side-Channel-Aware Scheduler using the vSphere Web Client

  1. Connect to the vCenter Server using either the vSphere Web Client or the vSphere Client.
  2. Select an ESXi host in the inventory.
  3. Click the Configure tab.
  4. Under the System heading, click Advanced System Settings.
  5. Click Edit.
  6. Click in the Filter box and search for VMkernel.Boot.hyperthreadingMitigation.
  7. Select the setting by name.
  8. Change the configuration option to true (default: false).
  9. Click in the Filter box and search for VMkernel.Boot.hyperthreadingMitigationIntraVM.
  10. Change the configuration option to false (default: true).
  11. Click OK.
  12. Reboot the ESXi host for the configuration change to go into effect.

Enabling the ESXi Side-Channel-Aware Scheduler Version 2 using ESXi Embedded Host Client

  1. Connect to the ESXi host by opening a web browser to https://<host FQDN or IP address>.
  2. Click Manage under Host in the Navigator.
  3. Click the Advanced settings tab.
  4. Use the search box to find VMkernel.Boot.hyperthreadingMitigation.
  5. Select the VMkernel.Boot.hyperthreadingMitigation setting and click Edit option.
  6. Change the configuration option to true (default: false).
  7. Click Save.
  8. Use the search box to find VMkernel.Boot.hyperthreadingMitigationIntraVM.
  9. Select the VMkernel.Boot.hyperthreadingMitigationIntraVM setting and click Edit option.
  10. Change the configuration option to false (default: true).
  11. Click Save.
  12. Reboot the ESXi host for the configuration change to go into effect.

Enable ESXi Side-Channel-Aware Scheduler Version 2 (SCAv2) using ESXCLI or the command line

  1. SSH to an ESXi host.
  2. Check the current runtime values by running:
     esxcli system settings kernel list -o hyperthreadingMitigation
     esxcli system settings kernel list -o hyperthreadingMitigationIntraVM
  3. To enable the ESXi Side-Channel-Aware Scheduler Version 2 (SCAv2), run these commands:
     esxcli system settings kernel set -s hyperthreadingMitigation -v TRUE
     esxcli system settings kernel set -s hyperthreadingMitigationIntraVM -v FALSE
  4. Reboot the ESXi host for the configuration change to go into effect.
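The ESXCLI steps above leave the host in a state where the Configured and Runtime columns differ until it is rebooted. The following script is an added example (not from KB55636 or VMware) that parses the output of the two esxcli list commands, maps the pair of booleans to the scheduler mode (default, SCAv1 or SCAv2) and flags a pending reboot. The esxcli output embedded here is constructed sample text in the column layout of esxcli system settings kernel list; on a real host, feed the script the live command output instead.

```shell
#!/bin/sh
# Added example, not VMware's own tooling. Mapping assumed from the page:
#   hyperthreadingMitigation=FALSE                          -> default scheduler
#   hyperthreadingMitigation=TRUE, ...IntraVM=TRUE  -> SCAv1
#   hyperthreadingMitigation=TRUE, ...IntraVM=FALSE -> SCAv2 (what the steps above set)

# Constructed sample output (columns: Name Type Configured Runtime Default Description)
# for a host that has been reconfigured for SCAv2 but not yet rebooted.
SAMPLE_HTM='Name                      Type  Configured  Runtime  Default  Description
------------------------  ----  ----------  -------  -------  -----------
hyperthreadingMitigation  Bool  TRUE        FALSE    FALSE    Restrict simultaneous use of logical processors'
SAMPLE_INTRA='Name                             Type  Configured  Runtime  Default  Description
-------------------------------  ----  ----------  -------  -------  -----------
hyperthreadingMitigationIntraVM  Bool  FALSE       TRUE     TRUE     Apply the mitigation within a VM'

# Extract one column (3 = Configured, 4 = Runtime) for the named option from esxcli output on stdin.
kernel_value() {  # $1 = option name, $2 = column number
    awk -v name="$1" -v col="$2" '$1 == name { print toupper($col) }'
}

# Map the two booleans to the scheduler mode names used on this page.
scheduler_mode() {  # $1 = hyperthreadingMitigation, $2 = hyperthreadingMitigationIntraVM
    case "$1:$2" in
        TRUE:FALSE) echo "SCAv2" ;;
        TRUE:TRUE)  echo "SCAv1" ;;
        FALSE:*)    echo "default" ;;
        *)          echo "unknown" ;;
    esac
}

# Report the configured mode, the runtime mode and whether a reboot is still pending.
report() {  # $1 = list output for hyperthreadingMitigation, $2 = list output for ...IntraVM
    conf=$(scheduler_mode "$(printf '%s\n' "$1" | kernel_value hyperthreadingMitigation 3)" \
                          "$(printf '%s\n' "$2" | kernel_value hyperthreadingMitigationIntraVM 3)")
    run=$(scheduler_mode "$(printf '%s\n' "$1" | kernel_value hyperthreadingMitigation 4)" \
                         "$(printf '%s\n' "$2" | kernel_value hyperthreadingMitigationIntraVM 4)")
    if [ "$conf" = "$run" ]; then
        echo "configured=$conf runtime=$run reboot_pending=no"
    else
        echo "configured=$conf runtime=$run reboot_pending=yes"
    fi
}

# On a real ESXi host replace the samples with the live output:
#   report "$(esxcli system settings kernel list -o hyperthreadingMitigation)" \
#          "$(esxcli system settings kernel list -o hyperthreadingMitigationIntraVM)"
report "$SAMPLE_HTM" "$SAMPLE_INTRA"
```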

After the reboot, the warning “This host is potentially vulnerable to issues described in CVE-2018-3646” no longer appears for the ESXi host.

Source: KB55636
