{"id":928,"date":"2018-08-03T13:42:08","date_gmt":"2018-08-03T11:42:08","guid":{"rendered":"http:\/\/172.16.10.10:8080\/?p=928"},"modified":"2018-08-03T13:46:38","modified_gmt":"2018-08-03T11:46:38","slug":"spectre-ng-cve-2018-3639-and-cve-2018-3640","status":"publish","type":"post","link":"http:\/\/vblog.hochsticher.de\/?p=928","title":{"rendered":"Spectre NG (CVE-2018-3639 and CVE-2018-3640)"},"content":{"rendered":"<p>A short wrap-up of the latest Intel security leaks for VMware Administrators:<\/p>\n<ul>\n<li><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-3639\" target=\"_blank\" rel=\"noopener\">CVE-2018-3639<\/a> aka Speculative Store Bypass (SSB), Variant 4<\/li>\n<li><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-3640\" target=\"_blank\" rel=\"noopener\">CVE-2018-3640<\/a> aka Rogue System Register Read (RSRE), Variant 3a.<\/li>\n<\/ul>\n<p>Once again we have to patch the whole stack:<\/p>\n<ol>\n<li>Update vCenter<\/li>\n<li>CPU Microcode (BIOS Update)<\/li>\n<li>VMware ESXi Hypervisor Patch<\/li>\n<li>Check if the new CPU flags are mapped to a new VM<\/li>\n<li>All VMs &#8211; Shutdown and start (<strong>reboot is not enough!<\/strong>)<\/li>\n<li>Update Guest OS<\/li>\n<\/ol>\n<p>Get some hints about EVC-Mode and how to verify the complete stack &#8230;<\/p>\n<p><!--more--><\/p>\n<h3>EVC-Mode<\/h3>\n<p>In my environment with:<\/p>\n<ul>\n<li>vCenter 6.5 U2b<\/li>\n<li>ESXi 6.5 U2 +\n<ul>\n<li>ESXi650-201806401-BG<\/li>\n<li>ESXi650-201806402-BG<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"text-align: left;\">My mixed Dell Clusters with R740 + R730 (EVC Mode&nbsp;Intel\u00ae &#8216;Broadwell&#8217;-Generation) didn&#8217;t bring the new CPU flag &#8220;cpuid.SSBD&#8221; to a new VM. I had to disable and re-enable the EVC Mode. After that step it worked. 
According to <a href=\"https:\/\/kb.vmware.com\/s\/article\/55111\" target=\"_blank\" rel=\"noopener\">VMware KB 55111<\/a>,&nbsp;EVC should map the flags automatically&nbsp;in a completely patched cluster.&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p><strong>How to verify?<\/strong><\/p>\n<ul>\n<li style=\"text-align: left;\">A blog post from William Lam explains how&nbsp;you can check whether your VMs see the new CPU flags that are required for patching Spectre\n<ul>\n<li><a href=\"https:\/\/www.virtuallyghetto.com\/2018\/01\/verify-hypervisor-assisted-guest-mitigation-spectre-patches-using-powercli.html\" target=\"_blank\" rel=\"noopener\">https:\/\/www.virtuallyghetto.com\/2018\/01\/verify-hypervisor-assisted-guest-mitigation-spectre-patches-using-powercli.html<\/a><\/li>\n<li><strong><span style=\"color: #ff0000;\">His code does not yet check the latest Speculative Store Bypass (SSB), Variant 4<\/span><\/strong>\n<ul>\n<li>you have to add to his function&nbsp;<a href=\"https:\/\/github.com\/lamw\/vghetto-scripts\/blob\/master\/powershell\/VerifyESXiMicrocodePatch.ps1\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/lamw\/vghetto-scripts\/blob\/master\/powershell\/VerifyESXiMicrocodePatch.ps1<\/a>&nbsp;(lines 57-79) the&nbsp;$SSBDPass with&nbsp;$cpuFeature.key -eq &#8220;cpuid.SSBD&#8221;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li style=\"text-align: left;\">In Windows guests you could check it with simple PowerShell code&nbsp;<a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4074629\/understanding-the-output-of-get-speculationcontrolsettings-powershell\" target=\"_blank\" rel=\"noopener\">https:\/\/support.microsoft.com\/en-us\/help\/4074629\/understanding-the-output-of-get-speculationcontrolsettings-powershell<\/a><\/li>\n<li style=\"text-align: left;\">For Linux&nbsp;guests a script is also available&nbsp;<a href=\"https:\/\/github.com\/speed47\/spectre-meltdown-checker\" target=\"_blank\" 
rel=\"noopener\">https:\/\/github.com\/speed47\/spectre-meltdown-checker<\/a><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h4>Other Useful links:<\/h4>\n<p>VMware Security Advisories&nbsp;<a href=\"https:\/\/www.vmware.com\/security\/advisories\/VMSA-2018-0012.html\" target=\"_blank\" rel=\"noopener\">VMSA-2018-0012.1<\/a><\/p>\n<p>VMware <a href=\"https:\/\/kb.vmware.com\/s\/article\/54951\" target=\"_blank\" rel=\"noopener\">KB 54951<\/a><\/p>\n<p>&nbsp;<\/p>\n<p>Stay secure \ud83d\ude09<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A short wrap-up of the latest Intel security leaks for VMware Administrators: CVE-2018-3639 aka Speculative Store Bypass (SSB), Variant 4 CVE-2018-3640 aka Rogue System Register Read (RSRE), Variant 3a. Once again we have to patch the whole stack: Update vCenter CPU Microcode (BIOS Update) VMware ESXi Hypervisor Patch Check if the new CPU flags are mapped to a new VM All VMs &#8211; Shutdown and start (reboot is not enough!) Update Guest OS Get some hints about EVC-Mode and how&#8230;<\/p>\n<p class=\"read-more\"><a class=\"btn btn-default\" href=\"http:\/\/vblog.hochsticher.de\/?p=928\"> Read More<span class=\"screen-reader-text\">  Read 
More<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":929,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[4,7],"tags":[],"class_list":["post-928","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-powercli","category-vsphere"],"aioseo_notices":[],"_links":{"self":[{"href":"http:\/\/vblog.hochsticher.de\/index.php?rest_route=\/wp\/v2\/posts\/928","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/vblog.hochsticher.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/vblog.hochsticher.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/vblog.hochsticher.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/vblog.hochsticher.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=928"}],"version-history":[{"count":5,"href":"http:\/\/vblog.hochsticher.de\/index.php?rest_route=\/wp\/v2\/posts\/928\/revisions"}],"predecessor-version":[{"id":934,"href":"http:\/\/vblog.hochsticher.de\/index.php?rest_route=\/wp\/v2\/posts\/928\/revisions\/934"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/vblog.hochsticher.de\/index.php?rest_route=\/wp\/v2\/media\/929"}],"wp:attachment":[{"href":"http:\/\/vblog.hochsticher.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=928"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/vblog.hochsticher.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=928"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/vblog.hochsticher.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=928"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}