Updates added to the blog
Unless you have been on a very long vacation without internet access (The BEST type of vacation!) you should know of the Spectre (CVE-2017-5753 & CVE-2017-5715) and Meltdown (CVE-2017-5754) vulnerabilities that affect nearly every computer chip manufactured in the last 20 years.
I am not going to provide any specific details on these vulnerabilities since there are more than enough material already available, which you can read here:
I do however want to provide more detailed information related to VMware specifically, as well as different ways on how you can verify what in your VMware environment is vulnerable to these exploits:
VMware responded to the Speculative Execution security issues with KB 52245, which I highly recommend you read and subscribe to.
Intel and AMD released microcode updates that provide hardware support for branch target injection mitigation, for which VMware released KB 52085. The KB provides instructions on how to enable Hypervisor-Assisted Guest Mitigation, which is required in order to use the new hardware feature within VMs. The KB also provides manual verification instructions for the following:
- ESXi – Verify that the microcode included in ESXi patch has been applied
- VM – Verify that the VM is seeing the new microcode ( VM needs to on HWv9 or newer)
ALERT: VMware also released KB 52345, which rollback the recently issued security patch recommendation (ESXi650-201801402-BG, ESXi600-201801402-BG, and ESXi550-201801401-BG). The rollback is due to customers complaining of unexpected reboot after applying Intel’s initial microcode patch on Intel Haswell and Broadwell processors.
UPDATE 01.24.18: VMware updated KB 52345 to include updated list of all Intel CPUs affected by Intel Sightings
- VMware provides some manual workarounds for these specific processors that have already been patched.
- For ESXi hosts that have not yet applied one of the patches, VMware recommends not doing so at this time and using the patches listed in VMSA-2018-0002 instead.
That is a lot of information to take in, and the rollbacks just add complexity to IT teams who are trying to secure their customer’s data.
UPDATE 02.15.18: VMware security advisory for VMware Virtual appliance mitigation available here
UPDATE 03.20.18: VMware provided an update to KB 52085 for patching the vSphere vCenter server to latest 6.5U1g, 6.0U3e, 5.5U3h and Hypervisor to ESXi 6.5: ESXi650-201803401-BG* and ESXi650-201803402-BG**, ESXi 6.0: ESXi600-201803401-BG* and ESXi600-201803402-BG**, ESXi 5.5: ESXi550-201803401-BG* and ESXi550-201803402-BG**.
* = Framework to allow guest OSes to utilize the new speculative-execution control mechanisms
** = Applies the microcode updates
Option 1: (The best of the best)
However, to make things a bit easier we have William Lam to the rescue who wrote an excellent script that automates the verification for both the ESXi and Virtual Machines. as well as provide ESXi microcode versions.
The PowerCLI script is called VerifyESXiMicrocodePatch.ps1 and performs the following validations
- Verify that VM’s are running at least HWv9
- Verify that VM completed a power cycle to see the new CPU features
- Verify ESXi microcode has been applied
- Verify that one of the three new CPU features are exposed to the ESXi host.
- Verify if CPU is affected by Intel Sighting
- Show the current Microcode version for each ESXi (requires SSH to be enabled)
- UPDATE 01.24.18: Script was updated to validated the affected CPUs
All the detail regarding the script can be read on virtuallyGhetto here.
Option 2: (Acceptable, but limited)
Although not nearly as thorough as William’s Script, with RuneCast Analyzer latest 1.6.7 you can detect ESXi hosts that are not protected and patched against these vulnerabilities.
Runecast Analyzer enables you to scan and detect the CPU chip vulnerabilities on your VMware infrastructure. It detects which ESXi hosts are not protected and advise on how to patch them against such security vulnerabilities. This solution is continuously updated as new guidance from VMware is released.
Currently only supports VMSA-2018-0002.2
Update 01.26.18: New 1.6.8 release updated to support VMSA-2018-0002.3
Update 01.21.18: Option 3: (Coolest of them all)
This option does not only show what in your VMware environment is impacted but it will also assess the performance impact of both Spectre and Meltdown patches using vRealize Operations Manager (vROPS). We already know the patches will impact the speculative execution capabilities of the processor, which will lead to higher CPU utilization in your cluster due to each OS slower processing times.
The questions that come up then before patching:
- Will I have enough resources available in my cluster to support these patches?
- How will my ESXi host resources be impacted?
- Should I roll out the patches in stages or all at once?
These are hard questions that are not easy to answer, or is it?
If you are using vROPS 6.6.x Advanced or Enterprise, which allows the creation of custom dashboards, then you can download and install the Spectre Meltdown Specific Dashboard kit created by Sunny Dua. The download is available here.
The Dashboard kit consists of 3 Dashboards:
- Performance monitoring dashboard
- Track resources utilization of your environment and will provide valuable information on the impact of patching as it relates to your Clusters, ESXi hosts VMs.
- VM Patching dashboard
- Provides views showing which VMs are running idle and can potentially be patched first since it should not have a large overall impact on performance. Evaluate the resource utilization with the performance monitoring dashboard after the idle VM’s are upgraded, and then make a decision to continue patching or first add additional resources to the cluster.
- vSphere Patching dashboard
- Shows the ESXi hosts that have been patched and also affected by Intel Sighting.
- Shows the ESXi hosts that still needs to be patched.
- Show the Virtual Machines that required Hardware versions upgrade since the recommended version is 9 or higher.
- I recommend keeping an eye on VMware’s advisory site since this problem is still ongoing and the build numbers will change as new patches are released. This will then required that you make a manual update in the filters of this dashboard
The Performance monitoring dashboard can also be accomplished by just using the default dashboards available in vROPS standard, which means you can download the evaluation version and have that piece of mind that you can track the performance impact while going through these tough times.