Unless you have been on a very long vacation without internet access (The BEST type of vacation!) you should know of the Spectre (CVE-2017-5753 & CVE-2017-5715) and Meltdown (CVE-2017-5754) vulnerabilities that affect nearly every computer chip manufactured in the last 20 years.
I am not going to provide any specific details on these vulnerabilities since there are more than enough material already available, which you can read here:
I do however want to provide more detailed information related to VMware specifically, as well as different ways on how you can verify what in your VMware environment is vulnerable to these exploits:
VMware responded to the Speculative Execution security issues with KB 52245, which I highly recommend you read and subscribe to.
Intel and AMD released microcode updates that provide hardware support for branch target injection mitigation, for which VMware released KB 52085. The KB provides instructions on how to enable Hypervisor-Assisted Guest Mitigation, which is required in order to use the new hardware feature within VMs. The KB also provides manual verification instructions for the following:
- ESXi – Verify that the microcode included in ESXi patch has been applied
- VM – Verify that the VM is seeing the new microcode ( VM needs to on HWv9 or newer)
ALERT: VMware also released KB 52345, which rollback the recently issued security patch recommendation (ESXi650-201801402-BG, ESXi600-201801402-BG, and ESXi550-201801401-BG). The rollback is due to customers complaining of unexpected reboot after applying Intel’s initial microcode patch on Intel Haswell and Broadwell processors.
- VMware provides some manual workarounds for these specific processors that have already been patched.
- For ESXi hosts that have not yet applied one of the patches, VMware recommends not doing so at this time and using the patches listed in VMSA-2018-0002 instead.
That is a lot of information to take in, and the rollbacks just add complexity to IT teams who are trying to secure their customer’s data.
However, to make things a bit easier we have William Lam to the rescue who wrote an excellent script that automates the verification for both the ESXi and Virtual Machines. as well as provide ESXi microcode versions.
The PowerCLI script is called VerifyESXiMicrocodePatch.ps1 and performs the following validations
- Verify that VM’s are running at least HWv9
- Verify that VM completed a power cycle to see the new CPU features
- Verify ESXi microcode has been applied
- Verify that one of the three new CPU features are exposed to the ESXi host.
- Verify if CPU is affected by Intel Sighting
- Show the current Microcode version for each ESXi (requires SSH to be enabled)
All the detail regarding the script can be read on virtuallyGhetto here.
Although not nearly as thorough as William’s Script, with RuneCast Analyzer latest 1.6.7 you can detect ESXi hosts that are not protected and patched against these vulnerabilities.
Runecast Analyzer enables you to scan and detect the CPU chip vulnerabilities on your VMware infrastructure. It detects which ESXi hosts are not protected and advise on how to patch them against such security vulnerabilities. This solution is continuously updated as new guidance from VMware is released.