Executive Summary

Summary
TitleVMware vSphere, Workstation, and Fusion updates enable Hypervisor-Specific Mitigations for L1 Terminal Fault - VMM vulnerability.
Informations
NameVMSA-2018-0020First vendor Publication2018-08-14
VendorVMwareLast vendor Modification2018-08-14
Severity (Vendor) N/ARevisionN/A

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:M/Au:N/C:C/I:N/A:N)
Cvss Base Score4.7Attack RangeLocal
Cvss Impact Score6.9Attack ComplexityMedium
Cvss Expoit Score3.4AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

vCenter Server, ESXi, Workstation, and Fusion updates include

Hypervisor-Specific Mitigations for L1 Terminal Fault - VMM. This

issue may allow a malicious VM running on a given CPU core to

effectively read the hypervisor’s or another VM’s privileged

information that resides sequentially or concurrently in the same

core’s L1 Data cache.

CVE-2018-3646 has two currently known attack vectors which will be

referred to as "Sequential-Context" and "Concurrent-Context."

Attack Vector Summary

Sequential-context attack vector: a malicious VM can potentially

infer recently accessed L1 data of a previous context (hypervisor

thread or other VM thread) on either logical processor of a processor

core.

Concurrent-context attack vector: a malicious VM can potentially

infer recently accessed L1 data of a concurrently executing context

(hypervisor thread or other VM thread) on the other logical processor

of the Hyper-Threading-enabled processor core.

Mitigation Summary

The Sequential-context attack vector is mitigated by a vSphere

update to the product versions listed in table below. This mitigation

is dependent on Intel microcode updates (provided in separate ESXi

patches for most Intel hardware platforms) also listed in the table

below. This mitigation is enabled by default and does not impose a

significant performance impact.

The Concurrent-context attack vector is mitigated through

enablement of a new feature known as the ESXi Side-Channel-Aware

Scheduler. This feature may impose a non-trivial performance impact

and is not enabled by default.

Column 5 of the following table lists the action required to

remediate the vulnerability in each release, if a solution is

available.

Original Source

Url : http://www.vmware.com/security/advisories/VMSA-2018-0020.html

CWE : Common Weakness Enumeration

%idName
100 %CWE-200Information Exposure

CPE : Common Platform Enumeration

TypeDescriptionCount
Hardware112
Hardware169
Hardware168
Hardware7
Hardware3
Hardware2
Hardware1
Hardware1

Nessus® Vulnerability Scanner

DateDescription
2018-10-31Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201810-06.nasl - Type : ACT_GATHER_INFO
2018-10-31Name : The remote host is missing a macOS or Mac OS X security update that fixes mul...
File : macosx_SecUpd2018-005.nasl - Type : ACT_GATHER_INFO
2018-10-31Name : The remote host is missing a macOS security update that fixes multiple vulner...
File : macosx_SecUpd_10_13_6_2018-002.nasl - Type : ACT_GATHER_INFO
2018-10-26Name : The remote EulerOS Virtualization host is missing multiple security updates.
File : EulerOS_SA-2018-1323.nasl - Type : ACT_GATHER_INFO
2018-10-26Name : The remote EulerOS Virtualization host is missing multiple security updates.
File : EulerOS_SA-2018-1345.nasl - Type : ACT_GATHER_INFO
2018-10-26Name : The remote EulerOS Virtualization host is missing a security update.
File : EulerOS_SA-2018-1350.nasl - Type : ACT_GATHER_INFO
2018-10-18Name : The remote host is missing a macOS update that fixes multiple security vulner...
File : macos_10_14.nasl - Type : ACT_GATHER_INFO
2018-09-17Name : The remote Debian host is missing a security update.
File : debian_DLA-1506.nasl - Type : ACT_GATHER_INFO
2018-09-04Name : The remote EulerOS host is missing multiple security updates.
File : EulerOS_SA-2018-1278.nasl - Type : ACT_GATHER_INFO
2018-09-04Name : The remote EulerOS host is missing multiple security updates.
File : EulerOS_SA-2018-1279.nasl - Type : ACT_GATHER_INFO
2018-09-04Name : The remote Fedora host is missing a security update.
File : fedora_2018-915602df63.nasl - Type : ACT_GATHER_INFO
2018-08-31Name : The remote Virtuozzo host is missing multiple security updates.
File : Virtuozzo_VZA-2018-063.nasl - Type : ACT_GATHER_INFO
2018-08-29Name : The remote Debian host is missing a security update.
File : debian_DLA-1481.nasl - Type : ACT_GATHER_INFO
2018-08-23Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_2310b814a65211e8805ba4badb2f4699.nasl - Type : ACT_GATHER_INFO
2018-08-20Name : The remote Debian host is missing a security-related update.
File : debian_DSA-4279.nasl - Type : ACT_GATHER_INFO
2018-08-20Name : The remote Virtuozzo host is missing multiple security updates.
File : Virtuozzo_VZA-2018-055.nasl - Type : ACT_GATHER_INFO
2018-08-17Name : The remote Debian host is missing a security-related update.
File : debian_DSA-4274.nasl - Type : ACT_GATHER_INFO
2018-08-16Name : The remote Fedora host is missing one or more security updates.
File : fedora_2018-1c80fea1cd.nasl - Type : ACT_GATHER_INFO
2018-08-16Name : A server virtualization platform installed on the remote host is affected by ...
File : citrix_xenserver_CTX236548.nasl - Type : ACT_GATHER_INFO
2018-08-15Name : The remote Amazon Linux 2 host is missing a security update.
File : al2_ALAS-2018-1058.nasl - Type : ACT_GATHER_INFO
2018-08-15Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2018-1058.nasl - Type : ACT_GATHER_INFO
2018-08-15Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2018-2384.nasl - Type : ACT_GATHER_INFO
2018-08-15Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2018-2390.nasl - Type : ACT_GATHER_INFO
2018-08-15Name : A virtualization application installed on the remote macOS or Mac OS X host i...
File : macosx_fusion_vmsa_2018_0020.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
DateInformations
2018-08-17 00:20:52
  • Multiple Updates
2018-08-16 21:21:19
  • Multiple Updates
2018-08-14 21:19:26
  • First insertion