Dell EMC VxRail Software Update – Spectre Guest OS leakage mitigation

I posted earlier in the year that Dell EMC had released a Security Advisory to address Spectre (Meltdown doesn’t really affect VMware and hence VxRail).

One of the items that wasn’t addressed in the original fix was Guest OS leakage mitigation between processes within the VM – this required CPU/BIOS microcode updates which were not yet available from Intel.

Those updates were made available from Intel at the beginning of April and it’s taken a while for it to filter through to vSphere and VxRail – the delay is down to VxRail being a fully turn-key appliance which means all software/firmware updates from Dell EMC are fully tested and validated before release.

Updates 4.0.402 and 4.5.152 are now available to download from Dell EMC’s support portal.

Release notes can be found here:

The accompanying Dell EMC Security Advisory is available here: DSA-2018-074: Dell EMC VxRail Security Update for Multiprocessor Side-Channel Analysis Attacks (Meltdown and Spectre)

VxRail Appliance software 4.0.402 and 4.5.152 contain the Intel microcode fix to complete the resolution of the speculative execution security issues.
VxRail Appliance software 4.0.402 includes fixes for the following security vulnerabilities:

  1. CVE-2017-5753 (Variant 1: bounds check bypass, also known as Spectre) – Complete fix in 4.0.401 and above.
  2. CVE-2017-5715 (Variant 2: branch target injection, also known as Spectre):
    • Mitigates leakage from the hypervisor or guest VMs into a malicious guest VM – Complete fix in 4.0.401 and above.
    • Guest OS leakage mitigation between processes within the VM requires BIOS or CPU microcode update released by Intel and included in this release – Complete fix with either BIOS or CPU microcode update automatically applied through the VxRail 4.0.402 automated software upgrade. No manual BIOS update required for any supported VxRail hardware platforms.
  3. CVE-2017-5754 (Variant 3: rogue data cache load, also known as Meltdown): Does not affect VxRail Appliance.

NOTE: Manual steps are required after the VxRail Appliance software upgrade to 4.0.402: the VMs must be power cycled for the branch target injection mitigation to take effect. More info available within this KB article:

Also note that this update does not patch the Guest OS!

For more information about Spectre/Meltdown, have a meander to my original posts:
Spectre & Meltdown Vulnerabilities
Spectre & Meltdown Update


MTI Secure Hyper-Converged Infrastructure Webinar

So last Thursday I was asked by the marketing peeps at my company, MTI Technology, to run a webinar with my colleague, Andrew Tang, around what Hyper-Converged Infrastructure is all about, why it’s suddenly become so popular within the industry, and how best to secure a HCI solution.

The webinar has now been uploaded for public consumption…. and since it kind of went ok – apart from me suffering from a runny nose throughout (sorry for all the sniffing) – I’ve decided to blog about the webinar for you all to watch.

I don’t really touch upon product in this webinar, as the last thing customers want is to be shoehorned into a certain vendor product… instead I hope the webinar gives enough information about what HCI is in general, why customers should be looking at HCI during their next infrastructure refresh, and more importantly what to consider when evaluating a HCI solution!

Feel free to pop along and access the webinar recording here: (sorry, you have to fill in your details to gain access….)

Finally, if you’re interested in talking more about HCI then feel free to contact me or register for one of MTI’s HCI Discovery Workshops:

Spectre & Meltdown Vulnerabilities

So at the beginning of the new year, news broke via The Register that there could be a potential security vulnerability in Intel processors (Meltdown), and that it was a problem which couldn’t be easily fixed by a microcode update because of how the Intel architecture does speculative execution of code (in a nutshell, this is how modern processors try to ‘predict’ the code they need to execute next, before the currently executing code produces a result – all modern processors do this to some extent in order to keep their internal pipelines full and speed up processing)…. this quickly blew up into a storm where additional vulnerabilities were identified (Spectre) which affect Intel, AMD and ARM processors!

Three closely related vulnerabilities involving the exploit of speculative execution in CPUs were made public:

  • Variant 1: bounds check bypass (CVE-2017-5753)
  • Variant 2: branch target injection (CVE-2017-5715)
  • Variant 3: rogue data cache load (CVE-2017-5754)

Variants 1 and 2 have been branded as Spectre, with Variant 3 known as Meltdown.

The fallout is spectacular…. lawsuits being filed against Intel…. videos of exploits (proof of concepts) already on YouTube….. customers going crazy that Russians/North Koreans could be stealing data from their systems….. all this because chip manufacturers tried to outdo each other by putting speed of processing above security.

The best article I’ve read that explains how Speculative Execution works and how these vulnerabilities could be exploited can be found here:

It seems that at the moment the only way to minimise your exposure to potential exploits is to patch the OS or Hypervisor; however, this isn’t without issues, as people have started reporting that it adds a performance overhead. In all honesty, I doubt personal users will notice a performance hit in their day-to-day usage (home/office applications or games); it will however impact anyone running high-IO or system-call-intensive applications (such as DBs, email, Big-data/data-mining)… a performance hit of between 5-30% depending on the application!!

VMware have stated that at present they don’t believe Meltdown to be an issue for their products, because ESXi does not run untrusted user mode code, and Workstation and Fusion rely on the protection that the underlying operating system provides. For Spectre, they have released an article detailing their response to the issues and 2 Security Advisories which address the vulnerabilities and how they can be mitigated; VMSA-2018-0002 has been superseded by VMSA-2018-0004.

From what I can see, the first Security Advisory consists of security patches to ESXi that mitigate leakage from the hypervisor or guest VMs into a malicious guest VM – these were patches made available late last year before the news broke (which makes you wonder how long the industry has known about it).

The second Security Advisory is a full minor update to vCenter (5.5, 6.0 and 6.5) in order to support both newer vSphere ESXi patches and Microcode/BIOS patches to hardware. This seems to be what they call “Hypervisor-Assisted Guest mitigation” which virtualises the new speculative-execution control mechanism for guest VMs so that a Guest OS can mitigate leakage between processes within the VM – and this mitigation requires specific microcode patches from platform vendors which seem to introduce these new ‘speculative-execution control features’. More information on how to apply this Security Advisory can be found here:

Note: The update patches found in VMSA-2018-0004 will mean that these new CPU features will be exposed to Guest VMs and as such vMotion to ESXi hosts without the microcode or hypervisor patches applied will be prevented. However, if you have an EVC cluster, it looks like vCenter will suppress the new features from VMs to enable vMotion compatibility until all hosts have been upgraded (after which it will enable those features) – unpatched hosts will not be allowed to join an EVC cluster that has been patched.

It’s worth noting that Guest VMs should also have their OS updated with the latest security patches for effective mitigation of these known vulnerabilities!
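The two notes in the VxRail post above (the VMs must be power cycled after the upgrade, and the update does not patch the Guest OS) and the hypervisor-assisted guest mitigation described here boil down to two things a Linux guest can report for itself: whether the new speculative-execution control CPUID flag (spec_ctrl in /proc/cpuinfo) is visible inside the VM, and whether the guest kernel has a Spectre v2 mitigation active (/sys/devices/system/cpu/vulnerabilities/spectre_v2). The script below is an added example, not code from this blog, from Dell EMC or from VMware; it assumes a Linux guest running a 4.15 or later kernel (which is what exposes the sysfs vulnerabilities directory), and the cpuinfo and sysfs texts embedded in it are constructed samples so the classification logic runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the original posts or from Dell EMC / VMware.
# Classifies a Linux guest VM's Spectre v2 state from the two places the kernel
# reports it:
#   - the CPUID flags in /proc/cpuinfo: the hypervisor only exposes spec_ctrl to
#     the VM once host microcode + ESXi patches are applied and the VM has been
#     power cycled (ibpb / stibp are derived flags that appear alongside it)
#   - /sys/devices/system/cpu/vulnerabilities/spectre_v2: reflects the guest OS
#     patch level, which the hypervisor update does not change
# Assumption (not from the posts): guest kernel is 4.15 or later.

# cpu_has_flag FLAG CPUINFO_TEXT: succeed if FLAG is listed on a "flags" line.
cpu_has_flag() {
    printf '%s\n' "$2" | awk -v f="$1" '
        /^flags[[:space:]]*:/ { for (i = 2; i <= NF; i++) if ($i == f) found = 1 }
        END { exit found ? 0 : 1 }'
}

# classify_guest CPUINFO_TEXT SPECTRE_V2_TEXT: print one status token.
#   full                 spec_ctrl visible and the guest kernel reports a mitigation
#   guest-os-unpatched   spec_ctrl visible, but the guest kernel still says "Vulnerable"
#   cpu-features-hidden  kernel mitigated in software only; spec_ctrl not visible, so the
#                        hypervisor-assisted mitigation is not in effect for this VM yet
#                        (host not upgraded, or the VM has not been power cycled)
#   unmitigated          neither side is in place
classify_guest() {
    cpuinfo="$1"
    v2="$2"
    if cpu_has_flag spec_ctrl "$cpuinfo"; then hw=1; else hw=0; fi
    case "$v2" in
        Mitigation:*) sw=1 ;;
        *)            sw=0 ;;
    esac
    if [ "$hw" = 1 ] && [ "$sw" = 1 ]; then echo full
    elif [ "$hw" = 1 ]; then echo guest-os-unpatched
    elif [ "$sw" = 1 ]; then echo cpu-features-hidden
    else echo unmitigated
    fi
}

# live_check: classify the machine this runs on, if the kernel exposes the files.
live_check() {
    v2_file=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ -r /proc/cpuinfo ] && [ -r "$v2_file" ]; then
        classify_guest "$(cat /proc/cpuinfo)" "$(cat "$v2_file")"
    else
        echo unknown
    fi
}

# Constructed sample inputs (not captured from a real VxRail node).
SAMPLE_CPUINFO_HW='processor	: 0
vendor_id	: GenuineIntel
flags		: fpu vme de pse tsc msr pae sse sse2 ssse3 sse4_2 spec_ctrl ibpb stibp'
SAMPLE_CPUINFO_NOHW='processor	: 0
vendor_id	: GenuineIntel
flags		: fpu vme de pse tsc msr pae sse sse2 ssse3 sse4_2'
SAMPLE_V2_OK='Mitigation: Full generic retpoline, IBPB, IBRS_FW'
SAMPLE_V2_BAD='Vulnerable'

# Demo over the four sample combinations when run directly.
printf 'spec_ctrl visible, kernel mitigated : %s\n' "$(classify_guest "$SAMPLE_CPUINFO_HW" "$SAMPLE_V2_OK")"
printf 'spec_ctrl visible, kernel vulnerable: %s\n' "$(classify_guest "$SAMPLE_CPUINFO_HW" "$SAMPLE_V2_BAD")"
printf 'spec_ctrl hidden,  kernel mitigated : %s\n' "$(classify_guest "$SAMPLE_CPUINFO_NOHW" "$SAMPLE_V2_OK")"
printf 'spec_ctrl hidden,  kernel vulnerable: %s\n' "$(classify_guest "$SAMPLE_CPUINFO_NOHW" "$SAMPLE_V2_BAD")"
```

Run `live_check` inside the guest after the host upgrade and the VM power cycle. `cpu-features-hidden` means the guest kernel is relying on its own software mitigation because the hypervisor has not exposed the new control features to that VM yet, while `guest-os-unpatched` is the case both posts warn about: the hardware and hypervisor side is done, but the Guest OS still needs its own security patches.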

Finally, VMware have released an article regarding these vulnerabilities and whether their virtual appliances are affected. It currently looks like vSphere Integrated Containers and vRealize Automation have not been patched yet.

MTI/IDG Whitepaper

My company – MTI Technology – recently undertook an engagement with IDG to produce a whitepaper highlighting how VMware NSX could be used to address Security, Automation and Innovation within the Financial market.

TBH, the whitepaper can apply to any market that is experiencing the same business challenges!

EDIT: Forgot to mention that you need to sign up for a free account in order to download the whitepaper. =)

Enterprise Security & Risk Management – 30th Nov 2016, Victoria London

So my company is sponsoring the Enterprise Security & Risk Management event at Victoria Park Plaza Hotel, London this coming Wednesday.

As such, I’ve been asked to attend with some of my security colleagues to help spread the NSX love… =)

Not many people are aware that MTI Technology has both a Data Centre and Security business unit, which means we are clearly positioned as a Solutions Provider that can sell you tin (storage/servers/networks), virtualise your workloads and also secure your critical data!

As one of VMware’s NSX Focused Partners in the UK, we are able to offer the full network virtualisation and security package! Whether it’s just using NSX to offer micro-segmentation and automation of network & security policies, or whether you require deeper packet inspection with the likes of Palo Alto or Trend Deep Security.

Anyways, if anyone’s in attendance at the ESRM event on Wednesday, then drop by the MTI stand to say hi and find out more about what we do, which vendors we work with and also why we all love NSX! =P

Oh, and we’re also giving away a Sonos Play 1 Wireless Speaker as a raffle prize! =)

Changes to VMware NSX Licensing

So yesterday VMware announced a new licensing model for NSX – VMware’s Software-Defined Network product.

Up until now, VMware have only had a single version of NSX available to buy – which customers were not too fond of – it was an ‘all-or-nothing’ approach to SDN which customers found too restricting. I’m glad to see that VMware have taken on board all the feedback from customers and partners and amended their licensing model.

NSX is now available in three editions: Standard, Advanced and Enterprise – all licensed per socket (although there is a per-user license model for the Advanced edition to align with VDI deployments).

Existing NSX for vSphere customers automatically get allocated with Enterprise edition licenses. Existing NSX for Horizon customers automatically get allocated NSX Advanced edition licenses. The existing NSX for vSphere and Horizon offerings reached End of Availability on 3rd May 2016.

NSX licenses

VMware have positioned the three new editions according to the three main use cases:

  • Automation (virtual networking, automatically deploy network services via vRealize Automation)
  • Security (Micro-segmentation, 3rd party integration, securing VDI)
  • Application Continuity (Multi-site NSX deployments, DR, Hybrid Cloud networking)

So if all you want are the benefits of virtual networks – collapsing the switching and routing into the kernel, shortening network provisioning times, automating network configuration – then you will only require the Standard edition (and at roughly £1500 per cpu license, it’s around a third of the original NSX price).

In reality, a lot of customers will probably purchase the Advanced edition (at roughly £3400 per cpu license) as they will want the security features (distributed firewall) to allow them to implement micro-segmentation, as well as the ability for 3rd party integration with the likes of Trend Micro, Palo Alto Networks, Checkpoint, etc.

So whilst the Advanced edition will work out nearly £1000 less per CPU, it’s interesting that the Enterprise edition is going to be almost £1000 more expensive than the original price for NSX – and for pretty much the same product feature set! The only new feature that I can see in the Enterprise edition is possibly the increased support of Hardware VTEPs (from Arista, Dell, Juniper, maybe Cisco) – pretty much every other feature is currently available in the NSX for vSphere product…. so I’m not sure how VMware can justify the price hike for exactly the same product?!?

In fact this was raised by a number of partners today during a NSX Partner Round-table that I attended. I can only assume that the price hike is to cover any new features that might be in future roadmaps??

One thing worth noting is that NSX licensing applies to any active workload in a DR site. This means there is no requirement for NSX licenses at the DR site as long as there are no active workloads running there!

For more information visit
Additional details on NSX licensing edition features can be found at: