A short wrapup to the latest Intel security leaks for VMware Administrators:

• CVE-2018-3639 aka Speculative Store Bypass (SSB), Variant 4
• CVE-2018-3640 aka Rogue System Register Read (RSRE), Variant 3a.

Once again we have to patch the whole stack:

1. Update vCenter
2. CPU Microcode (BIOS Update)
3. VMware ESXi Hypervisor Patch
4. Check if the new CPU flags are mapped to a new VM
5. All VMs – Shutdown and start (reboot is not enough!)
6. Update Guest OS

Get some hints about EVC-Mode and how to proof the complete stack …

EVC-Mode

In my environment with:

• vCenter 6.5 U2b
• ESXi 6.5 U2 +
  • ESXi650-201806401-BG
  • ESXi650-201806402-BG

My mixed Dell Clusters with R740 + R730 (EVC Mode Intel® ‘Broadwell’-Generation) didn’t brought the new CPU flag “cpuid.SSBD” to a new VM. I had to disable and re-enable the EVC Mode. After that step it worked. Regarding to VMware KB 5111 EVC should map the flags automatically in a complete patched Cluster. 

How to proof?

• A Blogpost from William Lam explains how you could check if your VM’s would see the new CPU flags that are required for patching Spectre
  • https://www.virtuallyghetto.com/2018/01/verify-hypervisor-assisted-guest-mitigation-spectre-patches-using-powercli.html
  • His Code does not check the last Speculative Store Bypass (SSB), Variant 4 yet
    • you have to add in his function https://github.com/lamw/vghetto-scripts/blob/master/powershell/VerifyESXiMicrocodePatch.ps1 (Line 57-79) the $SSBDPass with $cpuFeature.key -eq “cpuid.SSBD”
• In Windows Guests you cloud check it with a simple PowerShell Code https://support.microsoft.com/en-us/help/4074629/understanding-the-output-of-get-speculationcontrolsettings-powershell
• For Linux Guests a script is also available https://github.com/speed47/spectre-meltdown-checker

Other Useful links:

VMware Security Advisories VMSA-2018-0012.1

VMware KB 54951

Stay secure 😉