What is it?
The L1TF (L1 Terminal Fault) vulnerability has been identified as another Intel-based speculative-execution side-channel vulnerability, similar to the Spectre and Meltdown vulnerabilities which made headlines earlier this year. At present it is known only as a theoretical vulnerability, with no evidence of malicious use in the wild.
How is it a risk?
The risk is that when specially crafted malicious code runs on an unprotected VM in an unprotected shared virtualisation environment, CPU cache memory belonging to other VMs running on the same CPU can be read. That cache memory could contain sensitive data such as passwords or private keys from the other unprotected VMs.
What is the impact?
If exploited by a bad actor, the impact is the potential leaking of sensitive information across virtual machine boundaries, which should not normally be possible. Obviously this is more of a concern for shared and public cloud offerings than for private clouds.
What systems are at risk?
- All unpatched operating systems
- Virtual machines running on VMware vSphere and other hypervisors
How do we patch for it?
To completely cover your VMware environment against L1TF, the following steps need to be taken:
- Identifying if your VMware environment and VMs are affected and to what degree
- Identifying the impact of the fixes (see next question for details)
- Implementing the fixes, which will most likely include the following sub-steps:
– Upgrading vCenter to a patched version
– Rebooting each host and updating the firmware for the Intel CPU
– Installing the ESXi patch and restarting each host again
– Enabling the ESXi L1TF threat prevention setting and restarting each host
– Installing L1TF patches in any applicable virtual appliances and guest OSes
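The host-side steps above can be verified from PowerCLI before and after each reboot. The script below is an added example written for this page, not VMware's own utility and not code from the original post: for every host in a vCenter it reports whether the ESXi L1TF patch is present (the setting only exists on patched builds), whether the threat prevention setting is on, and whether hyper-threading is still active (meaning the reboot after enabling the setting has not happened yet). It assumes PowerCLI is installed, that vcenter.example.com is your vCenter, and that the advanced setting name VMkernel.Boot.hyperthreadingMitigation (taken from VMware's L1TF knowledge base article, not from this post) is what the post calls the L1TF threat prevention setting. Run it without `-Enable` for a read-only report.

```powershell
# Added example: read-only audit of L1TF mitigation state on every ESXi host,
# with an opt-in switch to enable the setting. Not the original post's code.
param(
    [string]$VCenter = 'vcenter.example.com',  # assumed vCenter name
    [switch]$Enable                             # default is report only
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

# Setting name from VMware's L1TF KB article; it only exists on patched ESXi builds.
$settingName = 'VMkernel.Boot.hyperthreadingMitigation'

$report = foreach ($h in Get-VMHost | Sort-Object Name) {
    $cpu = $h.ExtensionData.Hardware.CpuInfo
    $ht  = $h.ExtensionData.Config.HyperThread
    $mit = Get-AdvancedSetting -Entity $h -Name $settingName -ErrorAction SilentlyContinue

    # Compare as a string so a "FALSE" value is not treated as a true boolean.
    $mitOn = $mit -and (([string]$mit.Value) -eq 'true')

    # Classify where the host sits in the patch procedure.
    $status = if (-not $mit)      { 'ESXi patch missing' }
              elseif (-not $mitOn) { 'Patched, mitigation off' }
              elseif ($ht.Active)  { 'Mitigation set, reboot pending' }
              else                 { 'Mitigated' }

    [pscustomobject]@{
        Host           = $h.Name
        Build          = $h.Build
        PhysicalCores  = $cpu.NumCpuCores
        LogicalThreads = $cpu.NumCpuThreads
        HtActive       = $ht.Active
        Status         = $status
        Setting        = $mit   # kept for the optional remediation step below
    }
}

$report |
    Select-Object Host, Build, PhysicalCores, LogicalThreads, HtActive, Status |
    Format-Table -AutoSize

if ($Enable) {
    foreach ($r in $report | Where-Object { $_.Status -eq 'Patched, mitigation off' }) {
        # The change only takes effect after the host is rebooted.
        Set-AdvancedSetting -AdvancedSetting $r.Setting -Value $true -Confirm:$false | Out-Null
        Write-Host "Enabled $settingName on $($r.Host); reboot required"
    }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

A host showing "ESXi patch missing" has not had the ESXi patch installed yet, so enabling the setting there is not possible; "Mitigation set, reboot pending" hosts have the setting on but hyper-threading is still scheduling, so they are not yet protected.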
What is the impact of patching and enabling the threat prevention?
As outlined in the previous question, completely covering your VMware environment against L1TF means enabling the L1TF threat prevention setting on each ESXi host. This setting has a CPU impact on the host, because it includes disabling the hyper-threading feature of Intel CPUs. Hyper-threading can, in some cases, deliver up to double the performance of an Intel CPU within servers. Recent benchmarks across environments indicate that the real figure is closer to 10-20%, but it depends heavily on the types of applications running in your environment. Disabling hyper-threading therefore reduces CPU capacity, which may or may not affect your ability to comfortably run your current virtual machine workloads on existing hardware, especially in a failed-server or maintenance situation.
VMware has provided a PowerCLI utility that can be run against a VMware environment to give an indication of the risk of making this change. Its recommendations are based on current workloads and on looking back over the rolled-up performance data that vCenter retains for a number of months.
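To show the kind of check such a utility makes, here is an added example (written for this page, not VMware's tool and not code from the original post) that pulls vCenter's rolled-up CPU history for every host in each cluster and compares peak demand against the capacity that would remain with hyper-threading disabled, both with all hosts present and with the largest host out for failure or maintenance. It assumes vcenter.example.com is your vCenter, a 90-day history window, that the capacity lost is 20% (the upper end of the 10-20% range cited above; adjust `-HtLossFraction` to your own benchmarks), and an 80% utilisation ceiling for "comfortable" operation. Summing per-host peaks is deliberately conservative, since peaks on different hosts may not coincide.

```powershell
# Added example: rough capacity-headroom estimate for disabling hyper-threading,
# from vCenter's rolled-up CPU history. Not VMware's utility.
param(
    [string]$VCenter = 'vcenter.example.com',  # assumed vCenter name
    [int]$Days = 90,                            # assumed history window
    [double]$HtLossFraction = 0.20,             # assumed capacity lost; the post cites 10-20%
    [double]$ComfortCeiling = 0.80              # assumed "comfortable" utilisation limit
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

foreach ($cluster in Get-Cluster | Sort-Object Name) {
    $hosts = @($cluster | Get-VMHost | Where-Object { $_.ConnectionState -eq 'Connected' })
    if ($hosts.Count -eq 0) { continue }

    # Peak CPU demand (MHz) per host over the window, summed across the cluster.
    $peakMhz = 0.0
    foreach ($h in $hosts) {
        $samples = Get-Stat -Entity $h -Stat 'cpu.usagemhz.average' `
                            -Start (Get-Date).AddDays(-$Days) -ErrorAction SilentlyContinue
        if ($samples) {
            $peakMhz += ($samples | Measure-Object -Property Value -Maximum).Maximum
        }
    }

    $totalMhz   = ($hosts | Measure-Object -Property CpuTotalMhz -Sum).Sum
    $largestMhz = ($hosts | Measure-Object -Property CpuTotalMhz -Maximum).Maximum

    # Capacity after the mitigation, and again with the largest host out (N-1).
    $afterHtMhz   = $totalMhz * (1 - $HtLossFraction)
    $afterHtN1Mhz = ($totalMhz - $largestMhz) * (1 - $HtLossFraction)

    $utilN1 = if ($afterHtN1Mhz -gt 0) { $peakMhz / $afterHtN1Mhz } else { $null }

    [pscustomobject]@{
        Cluster           = $cluster.Name
        Hosts             = $hosts.Count
        PeakDemandMHz     = [int]$peakMhz
        CapacityNowMHz    = [int]$totalMhz
        CapacityNoHtMHz   = [int]$afterHtMhz
        CapacityNoHtN1MHz = [int]$afterHtN1Mhz
        UtilNoHtN1Pct     = if ($null -ne $utilN1) { [int](100 * $utilN1) } else { 'n/a' }
        Verdict           = if ($null -ne $utilN1 -and $utilN1 -le $ComfortCeiling) { 'Headroom OK' }
                            else { 'Review before enabling' }
    }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

A cluster with a single connected host gets "n/a" for the N-1 figure, because there is no capacity left once that host is out; treat any "Review before enabling" verdict as a prompt to look at the workload mix on that cluster before rolling the setting out.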
Stay tuned for more in depth information on the L1TF threat and how it relates to VMware environments.
Since 2002, Perfekt has been delivering IT infrastructure solutions, services and consulting to address the business challenges IT organisations face within their respective companies from the continually changing IT landscape.