Intel L1 Terminal Fault – VMM Vulnerability
What’s Intel L1 Terminal Fault?
When a program attempts to access data in memory, the logical memory address is translated to a physical address by the hardware. Accessing a logical or linear address that is not mapped to a physical location on the hardware will result in a terminal fault. Once the fault is triggered, there is a gap before resolution where the processor will use speculative execution to try to load data. During this time, the processor could speculatively access the level 1 data cache (L1D), potentially allowing side-channel methods to infer information that would otherwise be protected.
This side-channel method can be exploited in three different environments:
- L1 Terminal Fault-SGX (CVE-2018-3615): Systems with microprocessors utilizing speculative execution and Intel SGX may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via side-channel analysis.
- L1 Terminal Fault-OS/ SMM (CVE-2018-3620): Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and side-channel analysis.
- L1 Terminal Fault-VMM (CVE-2018-3646): Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and side-channel analysis.
L1 Terminal Fault Impact Summary
- Malicious applications may be able to infer the values of data in the operating system memory, or data from other applications.
- A malicious guest virtual machine (VM) may be able to infer the values of data in the VMM’s memory, or values of data in the memory of other guest VMs.
- Malicious software running outside of SMM may be able to infer values of data in SMM memory.
- Malicious software running outside of an Intel SGX enclave or within an enclave may be able to infer data from within another Intel SGX enclave.
L1 Terminal Fault Mitigation
Intel has released new microcode for many processors affected by L1TF. This modifies some operations to implicitly remove data from the L1D during certain privilege transitions. It also provides a method by which software can explicitly flush the L1D by writing 1 to bit 0 of a new model specific register, IA32_FLUSH_CMD (MSR 0x10B). System manufacturers and system software vendors provide these microcode changes via BIOS updates.
While these microcode updates provide important mitigation during enclave entry and exit, updated microcode by itself is not sufficient to protect against L1TF. Deploying OS and VMM updates is also required to mitigate L1TF.
OS and Driver Developers
Whether the operating system (OS) is running on bare-metal or as a virtual machine, the OS is responsible for mitigating against exploitation of paging structure entries (PTEs) by malicious applications. To do this, the OS can ensure vulnerable PTEs refer only to specifically-selected physical addresses, such as those addresses outside of available cached memory or addresses that do not contain secrets.
There are four typical cases that need mitigation in an OS:
Pages with no valid mappings.
Pages written to other storage (swapped out), such as when the OS is short of memory.
Pages where the application has requested the OS disable access.
Pages in transitional states where the operating system needs to temporarily block access.
For full details on these, go to Deep Dive: Intel Analysis of L1 Terminal Fault.
If you are an OS developer working with System Management Mode (SMM), review the SMM section in the Deep Dive: Intel Analysis of L1 Terminal Fault for guidance on whether further assessment of your SMM is suggested. The Deep Dive: CPUID Enumeration and Architectural MSRs provides further insight.
Virtual Machine Monitor Developers
VMMs require some similar mitigations as OSes, but there are additional challenges relating to the guest view of MAXPHYADDR and interactions between logical processors on hyperthreading-enabled systems.
When guests are trusted or belong to the same security domain, no mitigation is needed. However, VMMs generally allow untrusted guests to place arbitrary translations in the guest paging structure entries because VMMs assume any entries will be translated with VMM-controlled EPT. But EPT translation is not performed in the case of an L1 terminal fault.
This means a malicious guest OS may be able to set up values in its paging structure entries that attack arbitrary host addresses, theoretically enabling an exploit to access any data present in the L1D on the same physical core as the malicious guest. For this reason, VMM mitigations are focused on ensuring secret data is not present in the L1D when executing guests. For full details on these, go to Deep Dive: Intel Analysis of L1 Terminal Fault.
Both the VMM and the guest OS may have mitigations for L1TF, so they should avoid actions that interfere with each others’ mitigations. The VMM should not trust the guest is performing any particular mitigation, but should follow the conventions described in the VMM Assistance for Guest OS Mitigations section of Deep Dive: Intel Analysis of L1 Terminal Fault to avoid interfering with any guest mitigations.
Mitigations in nested VMM environments require the first level VMM to check the MSRs of the nested VMMs and vice versa. Refer to the Nested VMM Environments section in Deep Dive: Intel Analysis of L1 Terminal Fault for further details.
Affected VMware Products by L1 Terminal
Regarding to preventing any attack to virtual machines that running on VMware virtual environments, VMware has release some patches for the below products:
- VMware vCenter Server (VC)
- VMware vSphere ESXi (ESXi)
- VMware Workstation Pro / Player (WS)
- VMware Fusion Pro / Fusion (Fusion)
The proper patch number has been mentioned in the below table for each product:
Replace with – Apply Patch
*These patches DO NOT mitigate the Concurrent-context attack vector previously described by default. For details on the three-phase vSphere mitigation process please see KB55806 and for the mitigation process for Workstation and Fusion please see KB57138.
**These patches include microcode updates required for mitigation of the Sequential-context attack vector. This microcode may also be obtained from your hardware OEM in the form of a BIOS or firmware update. Details on microcode that has been provided by Intel and packaged by VMware is enumerated in the patch KBs found in the Solution section of this document.
ESXi670-201808401-BG (esx-base): https://kb.vmware.com/kb/56537
ESXi670-201808402-BG (microcode): https://kb.vmware.com/kb/56538
ESXi670-201808403-BG (esx-ui): https://kb.vmware.com/kb/56897
ESXi650-201808401-BG (esx-base): https://kb.vmware.com/kb/56547
ESXi650-201808402-BG (microcode): https://kb.vmware.com/kb/56563
ESXi650-201808403-BG (esx-ui): https://kb.vmware.com/kb/56896
ESXi600-201808401-BG (esx-base): https://kb.vmware.com/kb/56552
ESXi600-201808402-BG (microcode): https://kb.vmware.com/kb/56553
ESXi600-201808403-BG (esx-ui): https://kb.vmware.com/kb/56895
ESXi550-201808401-BG (esx-base): https://kb.vmware.com/kb/56557
ESXi550-201808402-BG (microcode): https://kb.vmware.com/kb/56558
ESXi550-201808403-BG (esx-ui): https://kb.vmware.com/kb/56894
VMware Workstation Pro 14.1.3
VMware Fusion Pro 10.1.3
Affected VMware Virtual Appliances by L1 Terminal
In addition of VMware products, VMware has released patches for virtual appliances:
- vCloud Usage Meter (UM)
- Identity Manager (vIDM)
- vCenter Server (vCSA)
- vSphere Data Protection (VDP)
- vSphere Integrated Containers (VIC)
- vRealize Automation (vRA)
VMware Virtual Appliance Mitigations address L1 Terminal Fault – OS vulnerability. Successful exploitation of this issue may lead to local information disclosure of sensitive information. Unaffected products lines are documented in KB55807.
Actually, there is no patch for none of them and we have to wait for release OS patches.
Follow me to find further news about this issue.