Reading Time: 4 minutes

The 2018 was the year of the CPU related threats, starting with the Meltdown and Spectre bugs affecting several processors, but with most of issues related to Intel based CPU.

Unfortunately, this was only the beginning and many other bugs were discovered later. And we’re probably just at the tip of the iceberg.

New Meltdown and Spectre variants have been discovered, as also other type of bugs, like, for example, L1 Terminal Fault aka Foreshadow.

The main problem, is that those bugs are, in most case, difficult to fix, and may have several performance impact. Also, redesign a CPU architecture is not so easy and take (a lot of) time… most of the CPU that we are using today have been designed some years ago…

Now there are again new type of speculative execution issues, with the Microarchitectural Data Sampling (MDS) vulnerabilities, a set of weaknesses in Intel x86 microprocessors that leak data across protection boundaries that are architecturally supposed to be secure.

Actually seems a bug affecting (still) only Intel’s CPUs with a very huge list of affected processors. Instead, AMD just says:

Based on our analysis and discussions with the researchers, we believe our products are not susceptible to ‘Fallout’, ‘RIDL’ or ‘ZombieLoad Attack’ because of the hardware protection checks in our architecture.

On affected Intel CPU, there is the possibility of reading data buffers found between different parts of the processor and there are these possible attacks:

  • Fallout (CVE-2018-12126) — a leak of data being stored from store buffers
  • RIDL (CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091) — a leak from various internal processor buffers of data being loaded and stored
  • ZombieLoad (CVE-2018-12130) — a leak of already-loaded data from a processor’s fill buffer

As usually the fixes are not only at hardware level (microcode update), but usually at operating systems, virtualization level, applications (like web browsers), …

For the microcode, Intel fixes in its processors starting shortly before the public announcement of the vulnerabilities. But all the hardware vendors need to include the update in their BIOS and firmware. For example, for Dell EMC PowerEdge server, see this link: Dell EMC Server Security Notice for Intel-SA-00233.

For the operating systems, on 14 May 2019, a mitigation was released for the Linux kernel, and Apple, Google, Microsoft, and Amazon released emergency patches for their products to mitigate ZombieLoad.

For the different hypervisors, each vendor has to release the proper function to support the remediation at this level.

For example, VMware has realize this Security Advisories:

  • 2019-05-14 – Microarchitectural Data Sampling (MDS) – VMSA-2019-0008

The solution from VMware is very similar to the one for L1 Terminal Fault (L1TF), with a new ESXi Side-Channel-Aware (SCA) Scheduler. Note that also vSphere 5.5 is still supported.

Note that there are two different versions of the ESXi SCA scheduler and recent versions of ESXi have the new SCA v2:

  • ESXi 6.7u2 (13006603) and future release lines of ESXi include the ESXi Side-Channel-Aware Scheduler v2
  • Prior release lines such as 6.5, 6.0, and 5.5 cannot accommodate this new scheduler.  

VMware has published a white paper entitled Performance of vSphere 6.7 Scheduling Options which provides a more detailed look into the performance differences between SCAv1 and SCAv2.

For more information see also:

Share

Related Posts

  • BranchScope: a new vulnerability for Intel CPU

    Now that Meltdown and Spectre vulnerabilities are almost fixed, there is a new critical vulnerability for several Intel CPU called BranchScope, discovered by some researchers from four universities. It's again a speculative execution issue, in the method a processor uses to predict where its current…

  • Windows Server 2016 reboot after hot-adding CPU in vSphere 6.5

    Seeams that there is an issue in CPU hot-add on Windows Server 2016 running in VMware vSphere 6.5, but it's something hard to reproduce this issues on a different systems. Because on most systems it works correctly, but, at least in a case, the CPU…

  • Virtual CPU and Virtual Cores

    In a physical environment usually the term CPU is used to refer to the physical package (or socket). The real processing unit inside this package are called cores (and not that each core can have inside more ALU and can be seen as more logical…

Virtualization, Cloud and Storage Architect. Tech Field delegate. VMUG IT Co-Founder and board member. VMware VMTN Moderator and vExpert 2010-24. Dell TechCenter Rockstar 2014-15. Microsoft MVP 2014-16. Veeam Vanguard 2015-23. Nutanix NTC 2014-20. Several certifications including: VCDX-DCV, VCP-DCV/DT/Cloud, VCAP-DCA/DCD/CIA/CID/DTA/DTD, MCSA, MCSE, MCITP, CCA, NPP.