This article is a summary of a newly disclosed CPU vulnerability. It's a little like Spectre and Meltdown, but it's also quite different, as is the PowerShell based remediation for VMware Hypervisor. I tried to summarize the explainer articles and videos in my series of my tweets from @paulbraren today. Getting things described in just a few words isn't exactly easy for me, so I went with several tweets. I'm certainly no expert on this topics, but I did find it interesting how well orchestrated yesterday's reveal of this new set of vulnerabilities was, across the industry. This article is just a starting point in seeking a fuller understanding of what these new CPU vulnerabilities will mean to IT Professionals, especially in a shared hosting/cloud environment. I hope you find this information helpful!
Explanatory video https://t.co/X1jA9LTaLV from @intel at https://t.co/hMKS16mAXx L1 Terminal Fault (L1TF) vulnerability affects multi-tenant environments running hypervisors, ESXi Build 9484548 is a part of mitigation, seen in screenshot https://t.co/RJcuKqysUC @roberthurlbut pic.twitter.com/Ik4V2WiU8R— Paul Braren (@paulbraren) August 15, 2018
A lot of detail about @VMware’s response at https://t.co/sCQ7qQfBD0 including Mitigation of the Sequential-Context and Concurrent-Context attack vectors. See also enabling the ESXi Side-Channel-Aware Scheduler at HTAware Mitigation Tool Overview and Usage https://t.co/rgb2dTmBpR pic.twitter.com/5iiv4YW712— Paul Braren (@paulbraren) August 16, 2018
Very helpful explanatory video https://t.co/t9IC4eKx5g— Paul Braren (@paulbraren) August 20, 2018
VMware's latest ESXi Build 9484548 Host Client view clearly discloses the potential issue to the sysadmin at first login, right after patching:
This host is potentially vulnerable to issues described in CVE-2018-3646, please refer to https://kb.vmware.com/s/article/55636 for details and VMware recommendations.
Intel Newsroom YouTube Channel video description:
Published on Aug 14, 2018
Learn more about the speculative execution side-channel method called L1 Terminal Fault (L1TF). There are three applications of L1TF speculative execution side-channel cache timing vulnerabilities. They are similar to previously reported variants. These particular methods target access to the L1 data cache, a small pool of memory within each processor core designed to store information about what the processor core is most likely to do next.
Microcode updates released by Intel are an important component of the mitigation strategy for all three applications of L1TF. When coupled with corresponding updates to operating system and hypervisor software from industry partners and the open source community, these updates help ensure that consumers, IT professionals and cloud service providers have access to the protections they need.
Learn more about L1TF at https://newsroom.intel.com/editorials/protecting-our-customers-through-lifecycle-security-threats/
- How to easily update your VMware ESXi Hypervisor to the latest version with one ESXCLI command
Aug 14 2018
- Meltdown and Spectre side-channel attack risk mitigation information from processor, server, and software vendors
Jan 10 2018