Spectre NG (CVE-2018-3639 and CVE-2018-3640)

A short wrap-up of the latest Intel CPU vulnerabilities for VMware administrators:

Once again we have to patch the whole stack:

  1. Update vCenter
  2. CPU Microcode (BIOS Update)
  3. VMware ESXi Hypervisor Patch
  4. Check if the new CPU flags are mapped to a new VM
  5. All VMs – shut down and power on (a reboot is not enough!)
  6. Update Guest OS

Get some hints about EVC-Mode and how to prove the complete stack …

EVC-Mode

In my environment with:

  • vCenter 6.5 U2b
  • ESXi 6.5 U2 +
    • ESXi650-201806401-BG
    • ESXi650-201806402-BG

My mixed Dell Clusters with R740 + R730 (EVC Mode Intel® ‘Broadwell’-Generation) didn’t bring the new CPU flag “cpuid.SSBD” to a new VM. I had to disable and re-enable the EVC Mode. After that step it worked. According to VMware KB 5111, EVC should map the flags automatically in a completely patched Cluster.


How to prove?
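As an added example (not from the original post), the following POSIX shell check runs inside a Linux guest and verifies the two layers that steps 4 and 6 of the list above are about: whether the CPU flag exposed by the patched microcode/ESXi/EVC stack (seen as "ssbd" in /proc/cpuinfo) actually reached the VM, and whether the updated guest kernel reports a mitigation for CVE-2018-3639 in sysfs. The file paths are parameters so the same functions can be run over constructed copies of those files; the sample flag lines and sysfs contents used for that are constructed.

```shell
#!/bin/sh
# Exit 0 when the first "flags" line of the cpuinfo file lists "ssbd", 1 otherwise.
# A missing flag points at the hypervisor side: microcode, ESXi patch, EVC mode,
# or a VM that was only rebooted instead of powered off and on.
guest_has_ssbd_flag() {
    cpuinfo="${1:-/proc/cpuinfo}"
    grep '^flags' "$cpuinfo" | head -n 1 | tr ' ' '\n' | grep -qx 'ssbd'
}

# Print the kernel's own verdict for Speculative Store Bypass (CVE-2018-3639),
# or "missing" when the sysfs entry does not exist, i.e. the guest kernel
# predates the fix and step 6 (Update Guest OS) is still open.
ssb_kernel_status() {
    sysfs="${1:-/sys/devices/system/cpu/vulnerabilities/spec_store_bypass}"
    if [ -r "$sysfs" ]; then
        cat "$sysfs"
    else
        echo "missing"
    fi
}

# Combine both checks into one verdict and a distinct return code per layer:
# 0 = complete, 1 = flag not exposed (hypervisor/EVC), 2 = guest kernel too old,
# 3 = flag exposed but kernel reports the system as vulnerable.
ssb_verdict() {
    cpuinfo="$1"
    sysfs="$2"
    if ! guest_has_ssbd_flag "$cpuinfo"; then
        echo "NO-FLAG: ssbd not exposed - check microcode, ESXi patch, EVC mode, then power-cycle the VM"
        return 1
    fi
    case "$(ssb_kernel_status "$sysfs")" in
        Mitigation:*)
            echo "OK: ssbd exposed and guest kernel mitigates CVE-2018-3639"
            return 0 ;;
        missing)
            echo "GUEST-OLD: ssbd exposed but kernel has no SSB support - update guest OS"
            return 2 ;;
        *)
            echo "VULNERABLE: ssbd exposed but kernel reports no mitigation"
            return 3 ;;
    esac
}

# When run directly, check the live guest (default paths); ignore the return code here.
ssb_verdict "/proc/cpuinfo" "/sys/devices/system/cpu/vulnerabilities/spec_store_bypass" || :
```

Run it on one freshly powered-on VM per cluster after the patch round; a "NO-FLAG" result on an otherwise fully patched cluster is the EVC symptom described above.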


Other Useful links:

VMware Security Advisories VMSA-2018-0012.1

VMware KB 54951


Stay secure 😉
