Dell EMC VxRail Software Update – Spectre Guest OS leakage mitigation

I posted earlier in the year that Dell EMC had released a Security Advisory to address Spectre (Meltdown doesn’t really affect VMware and hence VxRail).

One of the items that wasn’t addressed in the original fix was Guest OS leakage mitigation between processes within the VM – this required CPU/BIOS microcode updates which were not yet available from Intel.

Those updates were made available from Intel at the beginning of April and it’s taken a while for it to filter through to vSphere and VxRail – the delay is down to VxRail being a fully turn-key appliance which means all software/firmware updates from Dell EMC are fully tested and validated before release.

Updates 4.0.402 and 4.5.152 are now available to download from Dell EMC’s support portal.

Release notes can be found here:
https://support.emc.com/docu80740_VxRail-Appliance-Software-4.0.x-Release-Notes.pdf?language=en_US
https://support.emc.com/docu86659_VxRail-Appliance-Software-4.5.x-Release-Notes.pdf?language=en_US

The accompanying Dell EMC Security Advisory is available here: DSA-2018-074: Dell EMC VxRail Security Update for Multiprocessor Side-Channel Analysis Attacks (Meltdown and Spectre)

VxRail Appliance software 4.0.402 and 4.5.152 contains the Intel microcode fix to complete the resolution of the speculative execution security issues.
VxRail Appliance software 4.0.402 includes fixes for the following security vulnerabilities:

  1. CVE-2017-5753 (Variant 1: bounds check bypass, also known as Spectre) – Complete fix in 4.0.401 and above.
  2. CVE-2017-5715 (Variant 2: branch target injection, also known as Spectre):
    • Mitigates leakage from the hypervisor or guest VMs into a malicious guest VM – Complete fix in 4.0.401 and above.
    • Guest OS leakage mitigation between processes within the VM requires BIOS or CPU microcode update released by Intel and included in this release – Complete fix with either BIOS or CPU microcode update automatically applied through the VxRail 4.0.402 automated software upgrade. No manual BIOS update required for any supported VxRail hardware platforms.
  3. CVE-2017-5754 (Variant 3: rogue data cache load, also known as Meltdown): Does not affect VxRail Appliance.

NOTE: Manual steps are required after the VxRail Appliance software upgrade to 4.0.402 to power cycle the VMs for branch target injection to take effect. More info available within this KB article: https://support.emc.com/kb/519601

Also note that this update does not patch Guest OS!

For more information about Spectre/Meltdown, have a meander to my original posts:
Spectre & Meltdown Vulnerabilities
Spectre & Meltdown Update

Advertisements

Dell EMC updates VxRail software to address Spectre

So Dell EMC have finally released the patches for their VxRail appliances, I know many of my customers were asking about these patches – in a way it’s good it was slightly delayed given how many normal VMware customers experienced issues when patching and how one patch was pulled by VMware!

The good thing about VxRail is that any software patches or updates released have been tried and tested by the Dell EMC CPSD engineering team, so they should be ready for roll out with minimum disruption!

Updates 4.0.401 and 4.5.150 are now available to download from Dell EMC’s support portal.

Release notes can be found here:
https://support.emc.com/docu80740_VxRail-Appliance-Software-4.0.x-Release-Notes.pdf?language=en_US
https://support.emc.com/docu86659_VxRail-Appliance-Software-4.5.x-Release-Notes.pdf?language=en_US

It’s worth noting that at present this patch only contains 2 of the 3 required fixes for Intel to address the Speculative Execution vulnerability (Spectre – Meltdown doesn’t really affect VMware and hence VxRail). The 3rd fix has not yet been released by Intel and Dell EMC basically decided they couldn’t wait any longer as Intel drag their heels!

Spectre & Meltdown Update

So it seems that the microcode patches released by VMware associated with their recent Security Advisory (VMSA-2018-0004) have been pulled….
https://kb.vmware.com/s/article/52345
So that’s ESXi650-201801402-BG, ESXi600-201801402-BG, or ESXi550-201801401-BG.

The microcode patch provided by Intel was buggy and there seems to be issues when VMs access the new speculative execution control mechanism (Haswell & Broadwell processors). However, I can’t seem to find much around what these issues are…

For the time being, if you haven’t applied one of those microcode patches, VMware recommends not doing so and to apply the patches listed in VMSA-2018-0002 instead.

If you have applied the latest patches you will have to edit the config files of each ESXi host and add in a line that hides the new speculative execution control mechanism and reboot the VMs on that host. Detailed information can be found in the KB above.

 

Finally William Lam has created a very handy PowerCLI script that will help provide information about your existing vSphere environment and help identify whether you have hosts that are impacted by Spectre and this new Intel Sighting issue: https://www.virtuallyghetto.com/2018/01/verify-hypervisor-assisted-guest-mitigation-spectre-patches-using-powercli.html

Spectre & Meltdown Vulnerabilities

So at the beginning of the new year, news broke via The Register that there could be a potential security vulnerability to Intel processors (Meltdown) and how it was a problem which couldn’t be easily fixed by a microcode update because of how the Intel architecture does speculative execution of code (in a nutshell this is how modern processors try to ‘predict’ the code it needs to execute next, before the current executing code produces a result – all modern processors do this to some extent in order to fill its internal pipeline and speed up processing)…. this quickly blew up into a storm where additional vulnerabilities were identified (Spectre) which affects Intel, AMD and ARM processors!

Three closely related vulnerabilities involving the exploit of speculative execution in CPUs were made public:

Variant 1 & 2 have been branded as Spectre, with Variant 3 known as Meltdown.

The fallout is spectacular…. lawsuits being filled against Intel…. videos of exploits (proof of concepts) already on youtube….. customers going crazy that Russians/North Koreans could be stealing data from their systems….. all this because chip manufacturers tried to outdo each other by putting speed of processing above security.

The best article I’ve read that explains how Speculative Execution works and how these vulnerabilities could be exploited can be found here: http://frankdenneman.nl/2018/01/05/explainer-spectre-meltdown-graham-sutherland/

It seems that at the moment the only way to minimise your exposure to potential exploits is to patch the OS or Hypervisor, however this isn’t without issues as people have started reporting that it adds an overhead to performance. In all honesty, I doubt personal users will notice a performance hit on their day to day usage (home/office applications or games), it will however impact anyone that undertakes high IO or system-call intensive applications (such as DBs, email, Big-data/data-mining)… a performance hit of between 5-30% depending on application!!

VMware have stated that at present they don’t believe Meltdown to be an issue to their products because ESXi does not run untrusted user mode code, and Workstation and Fusion rely on the protection that the underlying operating system provides. For Spectre, they have released an article detailing their response to the issues and 2 Security Advisories which addresses the vulnerabilities and how they can be mitigated, VMSA-2018-0002 has been superseded by VMSA-2018-0004.

From what I can see, the first Security Advisory consists of security patches to ESXi that addresses the vulnerability to mitigate against leakage from the hypervisor or guest VMs into a malicious guest VM – these were patches made available late last year before the news broke (which makes you wonder how long the industry have known about it).

The second Security Advisory is a full minor update to vCenter (5.5, 6.0 and 6.5) in order to support both newer vSphere ESXi patches and Microcode/BIOS patches to hardware. This seems to be what they call “Hypervisor-Assisted Guest mitigation” which virtualises the new speculative-execution control mechanism for guest VMs so that a Guest OS can mitigate leakage between processes within the VM – and this mitigation requires specific microcode patches from platform vendors which seem to introduce these new ‘speculative-execution control features’. More information on how to apply this Security Advisory can be found here: https://kb.vmware.com/s/article/52085.

Note: The update patches found in VMSA-2018-0004 will mean that these new CPU features will be exposed to Guest VMs and as such vMotion to ESXi hosts without the microcode or hypervisor patches applied will be prevented. However, if you have an EVC cluster, it looks like vCenter will suppress the new features from VMs to enable vMotion compatibility until all hosts have been upgraded (after which it will enable those features) – unpatched hosts will not be allowed to join an EVC cluster that has been patched.

It’s worth noting that Guest VMs should also have their OS updated with the latest security patches for effective mitigation of these known vulnerabilities!

Finally, VMware have released an article regarding these vulnerabilities and whether their virtual appliances are affected: https://kb.vmware.com/s/article/52264. It currently looks like vSphere Integrated Containers and vRealize Automation have not been patched yet.