This post is also available in: Italian

Reading Time: 4 minutes

This is the year of the security threats originated by hardware level bugs. The year has begun with the Spectre and Metldown bug with several months of possible solutions, new BIOS, new patches… and new variants of those bugs (like Spectre V4 and V5).

But we are far from the solution because other bugs came out. And more will come out… All the software used at the microprocessor level and all the optimizations will probably be a good vector for new attack patterns. As already written, we are still far from the solution.

The last in this family is L1 Terminal Fault (aka Foreshadow) another speculative execution side channel attack. The related references are:

CVE-2018-3615 L1 Terminal Fault SGX related aspects
CVE-2018-3620 L1 Terminal Fault OS, SMM related aspects
CVE-2018-3646 L1 Terminal Fault Virtualization related aspects

It’s a hardware vulnerability which allows unprivileged speculative access to data which is available in the Level 1 Data Cache when the page table entry controlling the virtual address, which is used for the access, has the Present bit cleared or other reserved bits set.

One of the best posts is the one from RedHat with several details and a good explanation of this bug.

For a more detailed technical view of L1 Terminal Fault, please see this deeper dive with Jon Masters.

Of course, this is dangerous in a multi-tasking environment, but can become more and more dangerous in a virtualized (or container based) environment or in worst in a public cloud environment!

This vulnerability affects a wide range of Intel-only processors (Intel Core processors and Intel Xeon processors only). The vulnerability is not present on:

  • Processors from AMD, Centaur and other non Intel vendors
  • Older processor models, where the CPU family is < 6
  • A range of Intel ATOM processors (Cedarview, Cloverview, Lincroft, Penwell, Pineview, Silvermont, Airmont, Merrifield)
  • The Intel XEON PHI family
  • Intel processors which have the ARCH_CAP_RDCL_NO bit set in the IA32_ARCH_CAPABILITIES MSR. If the bit is set the CPU is not affected by the Meltdown vulnerability either. These CPUs should become available by end of 2018.

And now?

It’s again patching time… But patching will be (as usual only the first step).

Depending on your environment you have to mitigate or remediate the vulnerability (if existing) in a different way. And, of course, first, detect if your environment is affected.

Linux kernels

Recent Linux kernel include a pseudo-file useful to check your environment: /sys/devices/system/cpu/vulnerabilities/l1tf

The possible values in this file are:

‘Not affected’ The processor is not vulnerable
‘Mitigation: PTE Inversion’ The host protection is active

For example:

[[email protected] ~]# cat /sys/devices/system/cpu/vulnerabilities/l1tf
Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled

Microsoft Windows

There is a document that describes the entire flow.

Figure 1 Short mitigation descriptions

VMware

VMware has released different new patches for VMware vSphere, Workstation, Player and Fusion ad described in this document: VMSA-2018-0020

VMware Product Product Version Running On Severity Replace_with/Apply_Patch
VC 6.7 Any Important 6.7.0d
VC 6.5 Any Important 6.5u2c
VC 6.0 Any Important 6.0u3h
VC 5.5 Any Important 5.5u3j
ESXi 6.7 Any Important ESXi670-201808401-BG*
ESXi670-201808402-BG**
ESXi670-201808403-BG*
ESXi 6.5 Any Important ESXi650-201808401-BG*
ESXi650-201808402-BG**
ESXi650-201808403-BG*
ESXi 6.0 Any Important ESXi600-201808401-BG*
ESXi600-201808402-BG**
ESXi600-201808403-BG*
ESXi 5.5 Any Important ESXi550-201808401-BG*
ESXi550-201808402-BG**
ESXi550-201808403-BG*
WS 14.x Any Important 14.1.3*
Fusion 10.x Any Important 10.1.3*

*These patches DO NOT mitigate the Concurrent-context attack vector previously described by default. For details on the three-phase vSphere mitigation process please see KB55806and for the mitigation process for Workstation and Fusion please see KB57138.

**These patches include microcode updates required for mitigation of the Sequential-context attack vector. This microcode may also be obtained from your hardware OEM in the form of a BIOS or firmware update. Details on microcode that has been provided by Intel and packaged by VMware is enumerated in the patch KBs found in the Solution section of this document.

Of course, vSphere versions previous v5.5 are no more supported and there is no solution for them. And also vSphere 5.5 will go out of support soon!

Andrea MauroAbout Andrea Mauro (2908 Posts)

Virtualization, Cloud and Storage Architect. Tech Field delegate. VMUG IT Co-Founder and board member. VMware VMTN Moderator and vExpert 2010-18. Dell TechCenter Rockstar 2014-15. Microsoft MVP 2014-16. Veeam Vanguard 2015-18. Nutanix NTC 2014-18. PernixPro 2014-16. Several certifications including: VCDX-DCV, VCP-DCV/DT/Cloud, VCAP-DCA/DCD/CIA/CID/DTA/DTD, MCSA, MCSE, MCITP, CCA, NPP.


Share