In this blog post, we will discuss how Runecast can help you with the L1TF vulnerability.
Some months ago, the Meltdown and Spectre vulnerabilities affected Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors. That vulnerability allows a rogue process to read all memory, even when it is not authorized to do so. It had an enormous impact on virtual infrastructure (but not only) all over the IT world. We are now facing a new flaw affecting Intel processors (so far, they seem to be the only ones affected by this vulnerability). Its name is Foreshadow/L1 Terminal Fault (L1TF).
What is L1TF?
L1TF is yet another flaw affecting CPUs that use speculative execution, similar to the earlier Meltdown and Spectre. This flaw provides the ability to read memory held inside the L1 cache.
Three varieties of L1TF have been identified:
- Affecting Intel Software Guard Extensions – SGX (CVE-2018-3615 aka Foreshadow).
- Affecting Operating Systems & System Management Mode (CVE-2018-3620).
- Affecting Hypervisor Software (CVE-2018-3646).
According to Intel, virtual machines can be profoundly affected and vulnerable to this if the hypervisor and the virtual machines' guest OS are not patched.
What systems can be affected?
Summarizing Intel's report:
This side-channel method can be exploited in three different environments:
- L1 Terminal Fault-SGX (CVE-2018-3615)—Systems with microprocessors utilizing speculative execution and Intel® Software Guard Extensions (Intel® SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via side-channel analysis.
- L1 Terminal Fault-OS/ SMM (CVE-2018-3620)—Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and side-channel analysis.
- L1 Terminal Fault-VMM (CVE-2018-3646)—Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and side-channel analysis.
Impact
- Malicious applications may be able to infer the values of data in the operating system memory, or data from other applications.
- A malicious guest virtual machine (VM) may be able to infer the values of data in the VMM’s memory, or values of data in the memory of other guest VMs.
- Malicious software running outside of SMM may be able to infer values of data in SMM memory.
- Malicious software running outside of an Intel® SGX enclave or within an enclave may be able to infer data from within another Intel SGX enclave.
This is again an enormous vulnerability in our systems, particularly Virtual Infrastructures.
Now that we have summarized what L1TF is and which vulnerabilities Intel CPUs have, let us discuss how you can protect your virtual systems against this vulnerability and how Runecast Analyzer can help customers.
In this blog post, we will only focus on VMware environments (the only hypervisor that Runecast supports for now). Runecast Analyzer, with its new version Runecast 2.0, has a lot of improvements and has also been updated to identify any VMware systems that are not correctly patched against the L1TF vulnerability.
With Runecast Analyzer you can scan your VMware environment to find any security vulnerabilities, configuration issues, log issues or deviations from best practices, and Runecast Analyzer will provide the solution from the VMware KB or VMware
First, we will use Runecast 2.0 and scan our vCenters 6.5 and 6.7 with vSAN. (Users who have not yet upgraded to Runecast 2.0 are recommended to do so, to get the latest functionality as well as the new HTML5 dashboard and the HTML5 plugin for 6.7.) We will also show some quick examples from Runecast v1.8.1.
In our vCenter 6.5, we already see how Runecast analyzes the environment and proposes some improvements, but the essential point is that it states this system has not been patched for the L1TF vulnerability.
Runecast v2.0
- vCenter 6.5 and vSAN 6.6
After a scan on this vCenter, this is the first dashboard.
Then selecting “Issues Lists” you will see a list of all issues, and you can check if your systems are vulnerable to L1TF, and other issues.
In our analysis with Runecast, we notice that this system is also vulnerable to Meltdown and Spectre. It is highly recommended that we apply the VMware patches for this flaw on these systems (these are test environments).
- Section 3
In this section, we have Speculative Execution with L1 Terminal Fault-VMM. This is the vulnerability affecting hypervisor software.
Note: VMware patches and information for this particular vulnerability can be found here: KB55636, KB55767, KB55806, and CVE-2018-3646.
As we can see in the next image, when you click on the issue, Runecast Analyzer provides all the information about the Speculative Execution vulnerability.
To see which particular vCenter / ESXi hosts have the vulnerability, click “Findings”. It displays all the vCenter and ESXi hosts that were found with this issue and need to be patched.
- Section 4
Even though it does not fit the main subject of this article, which is the L1TF vulnerability, we will also show the issues for the previous Spectre and Meltdown vulnerability.
Runecast Analyzer can provide you with a full search for new and old vulnerabilities in your VMware infrastructure.
Here too, if you click on the issue, you will get all the information about it, the VMware KB source, and which ESXi hosts have the issue.
- vCenter 6.7 and vSAN 6.7
Analyzing this vCenter, we can see that there is no information regarding the L1TF vulnerability. So in this case, we don’t need to worry about patching this system for this specific vulnerability.
Runecast v1.8.1
- vCenter 6.5 and vSAN 6.6
After a scan on this vCenter, this is the first dashboard.
As in Runecast Analyzer 2.0, this version of Runecast can also check whether an L1TF vulnerability is present in this system, as well as the Spectre and Meltdown vulnerability.
Conclusion
After you check your VMware environment with Runecast Analyzer, you can start patching your systems.
Runecast Analyzer provides you with full information about your security issues (and others). Runecast Analyzer auto-updates itself to download the latest VMware KB articles. You can schedule automatic checks, have a report sent to your email, and keep your VMware environment more secure.
However, before you start patching your systems, do you know what VMware's recommendations are for patching or disabling hyperthreading? If not, you should read all VMware recommendations regarding this subject carefully.
You can patch your system (vCenter or ESXi hosts), but you can also disable hyperthreading (you will still be vulnerable to the sequential-context attack vector) or leave hyperthreading untouched and enable the side-channel-aware scheduler. Doing this has some potential impact on your systems, so you should CAREFULLY read VMware's notes regarding this subject before starting.
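To see where each host stands among these options before changing anything, the following PowerCLI sketch classifies ESXi hosts by mitigation state. It is an added example, not code from the original post or from Runecast. It assumes the ESXi advanced setting `VMkernel.Boot.hyperthreadingMitigation` from VMware's L1TF guidance, treats a host that does not expose that setting as unpatched, and treats a patched host as covered for the sequential-context vector; the host names are constructed.

```powershell
# Added example, not from the original post.
function Get-L1tfVmmState {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][bool]$HyperthreadingActive,
        # Value of VMkernel.Boot.hyperthreadingMitigation, or $null when the host
        # does not expose the setting (assumed here to mean an unpatched build).
        [AllowNull()]$SchedulerSetting
    )
    $patched   = $null -ne $SchedulerSetting
    $scheduler = $patched -and [System.Convert]::ToBoolean($SchedulerSetting)

    # Assumption: a patched build covers the sequential-context vector by default.
    $sequential = if ($patched) { 'Mitigated' } else { 'Exposed' }

    # Concurrent-context only matters while two hyperthreads share a core.
    if (-not $HyperthreadingActive) { $concurrent = 'Not applicable (HT off)' }
    elseif ($scheduler)             { $concurrent = 'Mitigated' }
    else                            { $concurrent = 'Exposed' }

    [pscustomobject]@{
        Host              = $Name
        SequentialContext = $sequential
        ConcurrentContext = $concurrent
    }
}

function Get-L1tfVmmReport {
    # Live query; assumes VMware PowerCLI and an existing Connect-VIServer session.
    Get-VMHost | ForEach-Object {
        $s = Get-AdvancedSetting -Entity $_ -Name 'VMkernel.Boot.hyperthreadingMitigation'
        Get-L1tfVmmState -Name $_.Name -HyperthreadingActive $_.HyperthreadingActive -SchedulerSetting $s.Value
    }
}

# Constructed sample hosts (hypothetical names) so the classification runs offline.
$samples = @(
    @{ Name = 'esx-unpatched.example'; HyperthreadingActive = $true;  SchedulerSetting = $null  },
    @{ Name = 'esx-ht-off.example';    HyperthreadingActive = $false; SchedulerSetting = $null  },
    @{ Name = 'esx-patched.example';   HyperthreadingActive = $true;  SchedulerSetting = $false },
    @{ Name = 'esx-scheduler.example'; HyperthreadingActive = $true;  SchedulerSetting = $true  }
)
$samples | ForEach-Object { $h = $_; Get-L1tfVmmState @h } | Format-Table -AutoSize
```

Against a live environment, call `Get-L1tfVmmReport` instead of the sample pipeline. The `esx-ht-off.example` row shows the case the paragraph above warns about: hyperthreading disabled, but still exposed to the sequential-context vector.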
Also have a look at the blog post from Warren Legg from Runecast regarding this subject.
Note: This post was sponsored by Runecast
©2018 ProVirtualzone. All Rights Reserved