VMware patches new Intel speculative execution microarchitectural data sampling MDS vulnerability

0

Perhaps the biggest security news of 2018 was the CPU flaws discovered with speculative execution vulnerabilities in Intel CPUs specifically and also AMD flaws discovered as well. Over a year later now we have news of a new speculative execution vulnerability discovered by security researchers. The new speculative execution vulnerability is known as Microarchitectural Data Sampling (MDS). This is a new very concerning security flaw announced by Intel and security researchers that details that an attacker can have access to any stream of data that the Intel CPU touches. VMware announced a new security advisory yesterday at the time of this writing detailing security patches to help mitigate this new concerning attack. In this post we will take a look at VMware patches new Intel speculative execution microarchitectural data sampling MDS vulnerability. Let’s take a closer look at what the MDS vulnerability is and the VMware specific patch implications.

What is the
Microarchitectural Data Sampling (MDS) Vulnerability?

In certain conditions, data that exists in microarchitectural structures may be speculatively accessed by faulting or assisting load or store operations that currently running software does not have permissions to access. Software may be able to send this speculatively accessed data to a side channel disclosure capturing mechanism that could allow malicious threat actors to infer data.

According to Intel, this exploit can occur on Intel microarchitecture prior to 2nd Generation Intel® Xeon® Scalable Processors (formerly known as Cascade Lake). These issues may allow a malicious user who can locally execute code on a system to infer data otherwise protected by architectural mechanisms.

Microarchitecture Data Sampling involes the following:

Microarchitectural Store Buffer Data Sampling (MSBDS) CVE-2018-12126
Microarchitectural Fill Buffer Data Sampling (MFBDS) CVE-2018-12130
Microarchitectural Load Port Data Sampling (MLPDS) CVE-2018-12127
Microarchitectural Data Sampling Uncacheable Memory (MDSUM) CVE-2019-11091

VMware patches new Intel speculative execution microarchitectural data sampling MDS vulnerability

Relative to VMware products, VMware has identified the following products as being vulnerable to the new attack vector using MDS:

VMware-patches-new-Intel-speculative-execution-microarchitectural-data-sampling-MDS-vulnerability VMware patches new Intel speculative execution microarchitectural data sampling MDS vulnerability
VMware patches new Intel speculative execution microarchitectural data sampling MDS vulnerability

VMware has identified the following attack vectors with VMware products:

A malicious user must have local access to a virtual machine and the ability to execute code to infer data otherwise protected by architectural mechanisms from another virtual machine or the hypervisor itself via MDS vulnerabilities.

With operating system specific MDS vulnerabilities, a malicious user must have local access to a virtual machine and the ability to execute code to infer data otherwise protected by architectural mechanisms within the Guest Operating System (Intra-VM) via MDS vulnerabilities.

There are two known attack vector variants for MDS at the Hypervisor level:

  • Sequential-context attack vector (Inter-VM): a malicious VM can potentially infer recently accessed data of a previous context (hypervisor thread or other VM thread) on either logical processor of a processor core.
  • Concurrent-context attack vector (Inter-VM): a malicious VM can potentially infer recently accessed data of a concurrently executing context (hypervisor thread or other VM thread) on the other logical processor of the Hyper-Threading-enabled processor core.

VMware MDS Vulnerability Mitigations

What resolutions are available for the VMware products listed above?

  • The first resolution relates to the sequential-context attack vector for Inter-VM attack vector – The resolution is a hypervisor update to the latest version of the hypervisor that is noted in the table below. The Intel microcode updates need to be in place which can be implemented by previously released ESXi patches. It is noted there is not a significant performance impact.
  • The concurrent-context attack vector or Inter-VM exploit is enabled by the ESXi side-channel scheduler version 1 or version 2. It is noted there is not a significant performance impact due to the side-channel patch.

The following table is from VMware showing the fixed version of each VMware product with the appropriate mitigation implemented.

ProductVersionRunning OnCVE IdentifierCVSSv3SeverityFixed VersionWorkaroundsAdditional Documentation
vCenter Server16.7AnyN/AN/AN/A6.7 U2aNoneKB67577
vCenter Server16.5AnyN/AN/AN/A6.5 U2gNoneKB67577
vCenter Server16.0AnyN/AN/AN/A6.0 U3iNoneKB67577
ESXi6.7AnyCVE-2018-12126
CVE-2018-12127
CVE-2018-12130
CVE-2019-11091
6.5ModerateESXi670-201905401-BG
ESXi670-201905402-BG2
ESXi670-201905403-BG
NoneKB67577
ESXi6.5AnyCVE-2018-12126
CVE-2018-12127
CVE-2018-12130
CVE-2019-11091
6.5ModerateESXi650-201905401-BG
ESXi650-201905402-BG2
NoneKB67577
ESXi6.0AnyCVE-2018-12126
CVE-2018-12127
CVE-2018-12130
CVE-2019-11091
6.5ModerateESXi600-201905401-BG
ESXi600-201905402-BG2
NoneKB67577
Workstation15.xAnyCVE-2018-12126
CVE-2018-12127
CVE-2018-12130
CVE-2019-11091
6.5Moderate15.1.0NoneKB68025
Fusion11.xAnyCVE-2018-12126
CVE-2018-12127
CVE-2018-12130
CVE-2019-11091
6.5Moderate11.1.0NoneKB68025

Wrapping Up

This is yet more fall out from the speculative execution vulnerabilities found in Intel processors. Looking at the news that VMware patches new Intel speculative execution microarchitectural data sampling MDS vulnerability, we can see this is yet another iteration of the design flaws from a security standpoint of Intel processors prior to Cascade Lake. Organizations will want to take a look at their current patch levels and implement the latest patches outlined in the VMware security advisory 2019-0008. No doubt there may be other advisories to come with new vulnerabilities as they are found and patched.