August 2018 Intel Vulnerabilities L1 Terminal Fault – L1TF (CVE-2018-3646 / CVE-2018-3620 / CVE-2018-3615)
- Posted by rayphoon
- Posted on August 15, 2018
- Cisco, VMware
Summary
Following the recent Spectre/Meltdown vulnerabilities from Intel, the latest wave of newly found vulnerabilities, disclosed by Intel on Tuesday, 14 August, includes three vulnerabilities affecting Intel Core and Xeon processors from at least 2009 – 2018. These vulnerabilities are collectively known as “L1 Terminal Fault”.
Vulnerability Overview
Details for each vulnerability as provided by Intel:
CVE-2018-3615 – L1 Terminal Fault: SGX
Systems with microprocessors utilizing speculative execution and Intel® software guard extensions (Intel® SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.
CVE-2018-3620 – L1 Terminal Fault: OS/SMM
Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.
CVE-2018-3646 – L1 Terminal Fault: VMM
Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis.
The most severe of the three vulnerabilities (CVE-2018-3646: L1 Terminal Fault – VMM) impacts all hypervisors, including VMware vSphere and Microsoft Hyper-V. Public cloud providers are also affected, including VMware Cloud on AWS, VMware Horizon Cloud and Microsoft Azure.
It may allow a malicious VM running on a given CPU core to effectively infer contents of the hypervisor’s or another VM’s privileged information residing at the same time in the same core’s L1 Data cache. Because current Intel processors share the physically-addressed L1 Data Cache across both logical processors of a Hyperthreading (HT) enabled core, indiscriminate simultaneous scheduling of software threads on both logical processors creates the potential for further information leakage.
An attacker who can run arbitrary code on one virtual machine may be able to access information from another virtual machine or from the virtualization host itself. Workloads such as Windows Server Remote Desktop Services (RDS) and more dedicated workloads such as Active Directory domain controllers are also at risk. Attackers who can run arbitrary code (regardless of its level of privilege) may be able to access operating system or workload secrets such as encryption keys, passwords, and other sensitive data.
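On Linux hosts, including KVM hypervisors, the kernel reports its L1TF state in `/sys/devices/system/cpu/vulnerabilities/l1tf`. The following is an added example, not part of the original post: it parses that status line and reports whether the same-core path (L1 data cache not flushed before entering a guest) and the Hyperthreading path described above are still open. The function name, the dictionary keys and the sample lines are constructed for illustration; the status strings follow the format in the kernel's L1TF admin guide.

```python
from pathlib import Path

# Linux sysfs file that reports the kernel's L1TF state.
L1TF_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/l1tf")

def assess_l1tf(status):
    """Parse one l1tf status line into the two guest-facing attack vectors."""
    status = status.strip()
    report = {"affected": status != "Not affected", "pte_inversion": False,
              "vmx": None, "sequential_open": None, "concurrent_open": None}
    if not report["affected"]:
        return report
    # Fields are ';'-separated, e.g. "Mitigation: PTE Inversion; VMX: ..."
    fields = [f.strip() for f in status.split(";")]
    report["pte_inversion"] = "PTE Inversion" in fields[0]
    vmx_field = next((f for f in fields[1:] if f.startswith("VMX:")), None)
    if vmx_field is None:
        # No VMX part: the kernel did not report a guest-facing state.
        return report
    vmx, _, smt = vmx_field[len("VMX:"):].partition(",")
    vmx, smt = vmx.strip(), smt.strip()
    report["vmx"] = vmx
    # Sequential context: stale L1D data stays readable after VM entry
    # when the hypervisor does not flush the cache first.
    report["sequential_open"] = vmx == "vulnerable"
    # Concurrent context: the sibling hyperthread shares the L1D cache.
    if vmx == "EPT disabled":
        # Guest page tables are managed by the hypervisor, so SMT is moot.
        report["concurrent_open"] = False
    elif smt:
        report["concurrent_open"] = smt == "SMT vulnerable"
    else:
        # The kernel omits the SMT suffix for "VMX: vulnerable" with SMT on.
        report["concurrent_open"] = vmx == "vulnerable"
    return report

# Constructed sample lines in the format the kernel documents.
SAMPLES = [
    "Not affected",
    "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled",
    "Mitigation: PTE Inversion; VMX: EPT disabled",
]

if __name__ == "__main__":
    # Use the live value when run on Linux, otherwise the constructed samples.
    lines = [L1TF_SYSFS.read_text()] if L1TF_SYSFS.exists() else SAMPLES
    for line in lines:
        print(line.strip(), "->", assess_l1tf(line))
```

A result with `concurrent_open` set to `True` means the kernel still considers simultaneous scheduling on sibling hyperthreads a leak path for guests on that host.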
More information on the list of affected Intel processors can be obtained from Intel’s website at https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html
Microsoft advisories:
- Microsoft General Guidance against L1TF – https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv180018
- Windows Server – https://support.microsoft.com/en-au/help/4457951/windows-server-guidance-to-protect-against-l1-terminal-fault
- Windows 7 and Windows Server 2008 R2 – August 2018 Monthly rollup includes protections against CVE-2018-3646 and CVE-2018-3620. https://support.microsoft.com/en-au/help/4343900/windows-7-update-kb4343900
- Azure – Microsoft has deployed mitigations across all our cloud services. The infrastructure that runs Azure and isolates customer workloads from each other is protected. This means that a potential attacker using the same infrastructure can’t attack your application using these vulnerabilities. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/mitigate-se
VMware advisories:
- As mentioned in VMware KB 55636, the only applicable mitigation for VMware vSphere products is for CVE-2018-3646.
- The mitigation of the Sequential-Context attack vector is achieved by vSphere updates and patches mentioned in VMSA-2018-0020.
- The mitigation of the Concurrent-context attack vector requires enablement of a new feature known as the “ESXi Side-Channel-Aware Scheduler”. The initial version of this feature will only schedule the hypervisor and VMs on one logical processor of an Intel Hyperthreading-enabled core. This feature may impose a non-trivial performance impact and is not enabled by default.
- Enabling “ESXi Side-Channel-Aware Scheduler” requires setting the ESXi advanced host setting VMkernel.Boot.hyperthreadingMitigation to “True” and then rebooting the host. NOTE: This advanced option is made available after the host is patched as per patches in VMSA-2018-0020 mentioned above.
- IMPORTANT: Refer to VMware KB 55767 on the potential performance impact after the ESXi Side-Channel-Aware Scheduler is enabled.
RedHat advisories:
Hardware vendor mitigations:
Cisco:
- Cisco is in the process of evaluating its products. Firmware required for servers has been updated. The latest list of affected and unaffected products can be found at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180814-cpusidechannel
HPE:
- HPE has released updated ROMs with mitigations. The list of ROM versions that include the mitigations can be found at the following HPE website: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00053708en_us.
Dell:
- Dell has released updated BIOS with mitigations. The list of BIOS with updates can be found at the following Dell website: https://www.dell.com/support/article/au/en/audhs1/sln309851/microprocessor-side-channel-vulnerabilities-cve-2018-3639-and-cve-2018-3640-impact-on-dell-emc-poweredge-servers-storage-sc-series-ps-series-and-powervault-md-series-and-networking-products?lang=en
5 Responses so far.
Somebody necessarily assist to make critically articles I would state. That is the very first time I frequented your website page and up to now? I amazed with the analysis you made to create this actual submit amazing. Great process!
I’m now not sure where you are getting your info, however great topic.
I needs to spend a while studying much more or working out more.
Thank you for fantastic information I was searching for this info for my mission.
Appreciate the recommendation. Let me try it out.
Woah! I’m really loving the template/theme of this site.
It’s simple, yet effective. A lot of times it’s difficult to get that “perfect balance” between user friendliness and visual appeal.
I must say that you’ve done a fantastic job with this. Also, the blog loads extremely quick for me on Chrome. Superb Blog!
Thanks for sharing your thoughts on cve-2018-3615.
Regards