Jan 11

Spectre & Meltdown: Patch Virtual Machine (Guest OS) too!

Hello, I will not explain the security implications of Spectre or Meltdown here; there are already plenty of articles on that, with many different opinions, especially about whether or not you should patch your virtual machines at all. VMware ships several versions of the Intel and AMD microcode inside the ESXi patch, so applying that patch covers the host side (Guest OS patches list). Because the ESXi patch also updates the CPU microcode, some people argue the guest can be left alone, but I would play it safe and patch both the host and the guest!


Microsoft requires antivirus vendors to set a registry key once their product is compatible with the January updates; the key shows which vendors have updated their software and which have not. Note that current antivirus engines will not stop Meltdown or Spectre by themselves. If the key has not been set and you are running antivirus software other than Microsoft’s, Windows Update will not offer the January updates or any subsequent ones. Firmware and microcode updates come from the hardware manufacturers and should be installed as well.

A strategy you can employ is to take a snapshot first, then install the patches on a few servers and watch what happens. If all goes well, continue rolling the patches out. The overarching theme is to patch now and keep patching, which means patching until the affected hardware is replaced with CPUs that are not susceptible to these two flaws (machines protection guide).
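The snapshot-first pilot wave described above, as an added VMware PowerCLI example (this is not code from the original post or from VMware): it snapshots a small group of pilot VMs, leaves room for the guest patching, and then power-cycles the VMs, because after the ESXi host is patched a reboot inside the guest is not enough for the virtual CPU to expose the new speculative-execution controls. The vCenter name and the pilot VM names are hypothetical placeholders.

```powershell
# Added example, not from the original post: snapshot pilot VMs before guest
# patching, then fully power-cycle them once the ESXi host has been patched.
# Assumes VMware PowerCLI is installed and the account can manage the VMs.
# 'vcenter.example.local' and the 'pilot-*' VM names are hypothetical.
#Requires -Modules VMware.PowerCLI
param(
    [string]$VIServer = 'vcenter.example.local',          # assumed vCenter name
    [string[]]$PilotVMs = @('pilot-web01', 'pilot-sql01') # hypothetical pilot group
)

Connect-VIServer -Server $VIServer | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

# 1. Snapshot every pilot VM. A quiesced, no-memory snapshot is consistent on
#    disk and cheap to roll back to if the guest patch misbehaves.
foreach ($name in $PilotVMs) {
    $vm = Get-VM -Name $name
    New-Snapshot -VM $vm -Name "pre-spectre-$stamp" `
        -Description 'Before Spectre/Meltdown guest OS patching' `
        -Memory:$false -Quiesce:$true | Out-Null
    Write-Host "Snapshot taken for $name"
}

# 2. Install the guest OS updates inside the pilot VMs here
#    (Windows Update / WSUS, yum, apt ... whatever the guest uses).

# 3. After the ESXi host carrying the VMs has been patched, power the VMs
#    off and on again (a guest reboot does not refresh the virtual CPU).
foreach ($name in $PilotVMs) {
    $vm = Get-VM -Name $name
    Get-VMHost -VM $vm | Select-Object Name, Version, Build | Format-Table -AutoSize
    Shutdown-VMGuest -VM $vm -Confirm:$false | Out-Null
    while ((Get-VM -Name $name).PowerState -ne 'PoweredOff') {
        Start-Sleep -Seconds 5
    }
    Start-VM -VM $vm | Out-Null
    Write-Host "$name power-cycled on its patched host"
}

# 4. Once the pilot has soaked for a few days without problems, drop the
#    snapshots so they do not keep growing; then move on to the next wave.
Get-VM -Name $PilotVMs | Get-Snapshot -Name 'pre-spectre-*' |
    Remove-Snapshot -Confirm:$false
```

Keep the snapshot step and the clean-up step in the same script so nobody forgets the second one: a snapshot left behind on a busy SQL server is its own incident a few weeks later.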

VMware appliances only allow root to log in, as there are no other users. Once you are logged in as root you do not need to exploit anything, so a local Meltdown exploit inside the appliance gains an attacker nothing they did not already have. What the guest patch does not cover is isolation between VMs: to stop neighbouring VMs from reading each other’s memory it is sufficient to patch the host. Google showed that an attack running in one virtual machine was able to read the physical memory of the host machine and, through that, gain read access to the memory of a different virtual machine on the same host; that is the attack the ESXi patch closes.

VMware announced that operating systems, virtual machines, virtual appliances, hypervisors, server firmware and CPU microcode must all be patched or upgraded for effective mitigation of the known variants. General-purpose operating systems are adding several mitigations for them; most operating system mitigations can be applied on unpatched CPUs (and hypervisors) and will significantly reduce the attack surface. VMware products that run on Windows (and on other operating systems such as Linux and macOS) might be affected if that operating system has not been patched with the appropriate updates. VMware recommends that customers contact Microsoft for resolution.

In a multi-tenant hosting environment, a virtual machine could read the memory of the host operating system or the memory of other guest operating systems running on the same physical machine. Microsoft announced that customers running Windows Server operating systems, including Windows Server 2008 R2 Service Pack 1, Windows Server 2012 R2 and Windows Server 2016, need to apply the firmware and software updates and also configure the protections: on the server SKUs the kernel mitigations are installed by the update but stay disabled until you enable them in the registry.
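The two Windows-side checks this post relies on, the antivirus compatibility key that gates the January updates and the server-side protections that have to be switched on after patching, in one added PowerShell example (not code from the original post or from Microsoft). It runs inside a Windows guest from an elevated prompt; the key paths and values are the ones documented in Microsoft’s ADV180002 and the companion Windows Server guidance, and the final verification uses Microsoft’s SpeculationControl module from the PowerShell Gallery, which is assumed to be installable on the box.

```powershell
# Added example, not from the original post or from Microsoft: check the AV
# compatibility gate, enable the Windows Server speculative-execution
# protections, and verify with the SpeculationControl module. Run elevated.

# 1. Antivirus compatibility gate. Windows Update withholds the January 2018
#    and later cumulative updates until this value exists; compatible AV
#    products create it themselves.
$compatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatName = 'cadca5fe-eb51-4a73-b8c9-9a1e3fe4ee03'
$gate = Get-ItemProperty -Path $compatKey -Name $compatName -ErrorAction SilentlyContinue
if ($null -eq $gate) {
    Write-Warning 'AV compatibility key is missing: this guest will NOT be offered the January updates.'
    Write-Warning 'Either the AV vendor has not shipped a compatible build yet, or no third-party AV is installed.'
    Write-Warning 'Do not set the key by hand unless the vendor has confirmed compatibility.'
} else {
    Write-Host "AV compatibility key present (value $($gate.$compatName)); updates can be offered."
}

# 2. Server protections. The update installs the mitigation code, but on
#    Windows Server it stays off until these two DWORDs are set.
$mmKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$mmVals = Get-ItemProperty -Path $mmKey -ErrorAction SilentlyContinue
if ($mmVals.FeatureSettingsOverride -eq 0 -and $mmVals.FeatureSettingsOverrideMask -eq 3) {
    Write-Host 'Mitigations already enabled (FeatureSettingsOverride=0, FeatureSettingsOverrideMask=3).'
} else {
    Write-Host 'Enabling mitigations; they take effect after the next reboot.'
    New-ItemProperty -Path $mmKey -Name 'FeatureSettingsOverride' `
        -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $mmKey -Name 'FeatureSettingsOverrideMask' `
        -Value 3 -PropertyType DWord -Force | Out-Null
}

# Hyper-V hosts only (vmms service present): allow existing VMs to use the
# CPU-based mitigations. Harmless to skip on an ESXi guest.
if (Get-Service -Name vmms -ErrorAction SilentlyContinue) {
    $virtKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
    if (-not (Test-Path $virtKey)) { New-Item -Path $virtKey -Force | Out-Null }
    New-ItemProperty -Path $virtKey -Name 'MinVmVersionForCpuBasedMitigations' `
        -Value '1.0' -PropertyType String -Force | Out-Null
    Write-Host 'Hyper-V: MinVmVersionForCpuBasedMitigations set to 1.0.'
}

# 3. Verify (after the reboot) with Microsoft's SpeculationControl module.
#    If the host has not been patched and the VM not power-cycled, the
#    "hardware support" lines will still report False even on a patched guest.
if (-not (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    Import-Module SpeculationControl
}
Get-SpeculationControlSettings
```

The output of Get-SpeculationControlSettings is the quickest way to tell the three layers apart: the "Windows OS support" lines show the guest patch and registry settings, while the "Hardware support" lines only turn True once microcode (via the ESXi patch or firmware) reaches the virtual CPU, which in a VMware guest means the host has been patched and the VM was fully powered off and on.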

Sources:

Microsoft – ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities – January 10, 2018.
VMware – VMware Response to Speculative Execution security issues, CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) (52245) – January 9, 2018.
Google – Today’s CPU vulnerability: what you need to know – January 3, 2018.
