Understanding L1 Terminal Fault Mitigation

Posted by Paul Braren on Aug 15 2018 (updated on Aug 20 2018) in
  • ESXi
  • Virtualization
  • Security
This article is a summary of a newly disclosed CPU vulnerability. It's a little like Spectre and Meltdown, but it's also quite different, as is the PowerShell-based remediation for the VMware hypervisor. I tried to summarize the explainer articles and videos in my series of tweets from @paulbraren today. Getting things described in just a few words isn't exactly easy for me, so I went with several tweets. I'm certainly no expert on this topic, but I did find it interesting how well orchestrated yesterday's reveal of this new set of vulnerabilities was, across the industry. This article is just a starting point in seeking a fuller understanding of what these new CPU vulnerabilities will mean to IT professionals, especially in a shared hosting/cloud environment. I hope you find this information helpful!


    Aug 20 2018 Update

    L1TF [AKA Foreshadow] Explained in 3 Minutes from Red Hat

    Screenshots

    VMware's latest ESXi Build 9484548 Host Client view clearly discloses the potential issue to the sysadmin at first login, right after patching:


    This host is potentially vulnerable to issues described in CVE-2018-3646, please refer to https://kb.vmware.com/s/article/55636 for details and VMware recommendations.
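The Host Client banner above only tells you that a host could still be exposed; it does not tell you which hosts in a larger environment have the scheduler-side mitigation turned on. The PowerCLI script below is an added example, not code from this article or from VMware. It assumes VMware PowerCLI is installed, that the hosts already run a build carrying the CVE-2018-3646 patch, and that the patch exposes the VMkernel.Boot.hyperthreadingMitigation advanced setting; the vCenter name is a placeholder.

```powershell
# Added example (not from the TinkerTry article or VMware): report the
# L1TF hyperthreading-mitigation state of every ESXi host in one vCenter.
# Assumed: PowerCLI is installed and the hosts carry the patch build that
# introduced the VMkernel.Boot.hyperthreadingMitigation advanced setting.
# Placeholder vCenter name; replace with your own.
Connect-VIServer -Server 'vcenter.example.invalid' | Out-Null

$settingName = 'VMkernel.Boot.hyperthreadingMitigation'

$report = foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    # The setting is absent on hosts that have not received the patch build,
    # so "not present" is itself a finding: the host still needs updating.
    $setting = Get-AdvancedSetting -Entity $vmhost -Name $settingName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Host      = $vmhost.Name
        Build     = $vmhost.Build
        Setting   = if ($setting) { "$($setting.Value)" } else { 'not present (host not patched)' }
        Mitigated = [bool]($setting -and "$($setting.Value)" -eq 'True')
    }
}

$report | Format-Table -AutoSize

# Uncomment to enable the mitigation on every host. It only takes effect
# after a host reboot, and it reduces schedulable CPU capacity because
# sibling hyperthreads are no longer shared between different VMs, so
# check capacity headroom before rolling it out.
# foreach ($vmhost in Get-VMHost) {
#     Get-AdvancedSetting -Entity $vmhost -Name $settingName |
#         Set-AdvancedSetting -Value $true -Confirm:$false
# }
```

Run the report first and treat both "not present" and "False" rows as work items; the patch alone (the microcode and the hypervisor build) does not close the cross-VM hyperthread exposure until the scheduler setting is enabled and the host is rebooted.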


    Video

    Understanding L1 Terminal Fault [L1TF]

    Intel Newsroom YouTube Channel video description:

    Intel Newsroom
    Published on Aug 14, 2018
    Learn more about the speculative execution side-channel method called L1 Terminal Fault (L1TF). There are three applications of L1TF speculative execution side-channel cache timing vulnerabilities. They are similar to previously reported variants. These particular methods target access to the L1 data cache, a small pool of memory within each processor core designed to store information about what the processor core is most likely to do next.

    Microcode updates released by Intel are an important component of the mitigation strategy for all three applications of L1TF. When coupled with corresponding updates to operating system and hypervisor software from industry partners and the open source community, these updates help ensure that consumers, IT professionals and cloud service providers have access to the protections they need.

    Learn more about L1TF at https://newsroom.intel.com/editorials/protecting-our-customers-through-lifecycle-security-threats/


    See also at TinkerTry

    easy-update-to-latest-esxi

    meltdown-and-spectre-info