VMware Cloud Community
pkohn
Contributor

ESXi 5.5 Cluster fully patched / Windows VMs still vulnerable (Get-SpeculationControlSettings & Inspectre)

Hi VMware Community,

I have opened a VMware Support request, but have got no qualified answer in a week, so perhaps someone here in the community can help me.

We have a fully patched environment to mitigate the Meltdown & Spectre vulnerabilities. But all testing tools are saying that the systems are attackable, and VMware Support told me that they are not responsible for the Windows VMs. But from the Microsoft side all things are done, patches installed and the needed registry values for Windows Servers are there.

The Technical Details of the Environment:

  • The customer has a 2-node VMware ESXi 5.5 Cluster
  • Host-Patchlevel is ESXi 5.5 U3h (Build 7618464)
  • Server-Hardware = Fujitsu Primergy RX 200 S8
  • BIOS Updates are installed V4.6.5.4 - R1.18.0
    BIOS-Changelog:
    BIOS V4.6.5.4 R1.18.0 for D3302-A1x (12.02.2018)
    Update CPU Microcode to ID=0000042C
    Fixed side-channel analysis security flaws - known as Spectre & Meltdown
  • Windows VMs patched (Microsoft Updates installed)
  • VMs (Windows Server 2008 R2) rebooted (Full Powercycle)

 

Issue:

The Microsoft PowerShell query "Get-SpeculationControlSettings" shows inside the VMs that hardware support is not present.

https://support.microsoft.com/de-de/help/4074629/understanding-the-output-of-get-speculationcontrols...

Output of the PowerShell script: "Hardware support for branch target injection mitigation is present: False"

BTIHardwarePresent             : False
BTIWindowsSupportPresent       : True
BTIWindowsSupportEnabled       : False
BTIDisabledBySystemPolicy      : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired              : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled           : False

 

Question:

How can I check that the Meltdown & Spectre mitigation is correctly configured on the VMware side?

The PowerCLI Script from:

https://www.virtuallyghetto.com/2018/01/verify-hypervisor-assisted-guest-mitigation-spectre-patches-...

shows that the Meltdown/Spectre mitigation is not working, but I know that this is not an official VMware script, so is there an official solution to query the mitigation status?

Output of Script for all VMs = HypervisorAssistedGuestAffected  = True

I further checked the VMware KB article KB52085

Confirmation of Correct Operation

To confirm a host has both patched microcode and patched VMware hypervisor, use the following steps:

  1. Power on a Virtual Machine which is configured to use Virtual Hardware Version 9 or later.
  2. Examine the vmware.log file for that VM and look for one of the following entries:
    • “Capability Found: cpuid.IBRS”
    • “Capability Found: cpuid.IBPB”
    • “Capability Found: cpuid.STIBP”
  3. Any of the above log entries indicate that both the CPU microcode and hypervisor are properly updated.

1. = VM Hardware Version is 10

2. = vmware.log checked, no entries like that are there

I would really appreciate any help.

Regards Philipp

“If you expect great things of yourself and demand little of others, you’ll keep resentment far away.” -Confucius
pkohn
Contributor

Output from "InSpectre" Release #7 on a VM (WIN 2008 R2) from the Cluster:

Spectre & Meltdown Vulnerability and Performance Status

System is Meltdown protected: YES
System is Spectre protected: NO!
Performance: SLOWER
CPUID: 306E4

This 64-bit OS on Intel Processor:

OS is Meltdown aware:  Yes
OS is Spectre aware:  Yes
OS Meltdown data:  0x0033
OS Spectre data:  0x0004
PCID/INVPCID support:  Yes / No
CPU microcode updated: No
CPU is meltdown vulnerable: Yes

This system's processor identification:
Intel Xeon CPU E5-2630 v2 @ 2.60GHz

Full Output of the Microsoft PowerShell Test Module from the same VM:

Speculation control settings for CVE-2017-5715 [branch target injection]
For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID performance optimization is enabled: False [not required for security]

Suggested actions

* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.


BTIHardwarePresent             : False
BTIWindowsSupportPresent       : True
BTIWindowsSupportEnabled       : False
BTIDisabledBySystemPolicy      : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired              : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled           : False

bluefirestorm
Champion

In case you had forgotten to remove "Intel Sightings" KB52345 CPUID leaf 7 EDX register mask from the /etc/vmware/config when the patches were recalled; it has to be REMOVED. It masks out IBRS, IBPB, and STIBP from the VM.

The Get-SpeculationControlSettings KVAShadowPcidEnabled is "FALSE" because the CPU is Ivy Bridge. Haswell and later have the INVPCID instruction. Only certain versions of Windows make use of INVPCID instruction.

https://kb.vmware.com/s/article/52345

cpuid.7.edx = "----:00--:----:----:----:----:----:----"

pkohn
Contributor

Hi bluefirestorm,

Thanks for your fast response, but the only entries in the config file on both hosts are:

HOST1 /etc/VMware/config

libdir = "/usr/lib/vmware"
authd.proxy.nfc = "vmware-hostd:ha-nfc"
authd.proxy.nfcssl = "vmware-hostd:ha-nfcssl"
authd.proxy.vpxa-nfcssl = "vmware-vpxa:vpxa-nfcssl"
authd.proxy.vpxa-nfc = "vmware-vpxa:vpxa-nfc"
authd.fullpath = "/sbin/authd"

HOST2 /etc/VMware/config

libdir = "/usr/lib/vmware"
authd.proxy.nfc = "vmware-hostd:ha-nfc"
authd.proxy.nfcssl = "vmware-hostd:ha-nfcssl"
authd.proxy.vpxa-nfcssl = "vmware-vpxa:vpxa-nfcssl"
authd.proxy.vpxa-nfc = "vmware-vpxa:vpxa-nfc"
authd.fullpath = "/sbin/authd"

BTW: I didn't set the entry (cpuid.7.edx = "----:00--:----:----:----:----:----:----") manually, because we didn't patch the system in January with the faulty microcode updates.

Regards Philipp

bluefirestorm
Champion

One more thing to check is the hostCPUID entry in the vmware.log of the VM, leaf 7, EDX register.

vmx| I125: hostCPUID level 00000007, 0: 0x00000000 0x000027ab 0x00000000 0x00000000

It should show as 0x0C000000 if the CPU has the microcode patches, instead of all hexadecimal zeroes, for bits 26-27 for the 3 Spectre microcode updates. I am not 100% sure, but I think the hostCPUID dump is unfiltered (i.e. it just dumps whatever the CPUID instruction returns); whereas the "Capability Found" entries are an indicator that the hypervisor is looking for those features based on the CPUID instruction queries. So if it is indeed unfiltered, this can confirm whether the firmware update on the ESXi host itself is successful.

I haven't seen any official announcement from VMware with regards to ESXi Spectre patches now that Intel has issued new working microcode for many different generations of CPUs starting from February. It might be the case that the ESXi version 5.5 update H is not exposing those 3 microcode features. So you might have to wait for an official VMware announcement with regards to ESXi patches for Spectre.

Just an FYI: On a consumer laptop of mine, I used the microcode downloaded from the Microsoft catalog (not a firmware update from the laptop manufacturer, the manufacturer did not list the laptop model I have as pending firmware updates for Spectre) for a Skylake CPU, and I get "all green" with the Get-SpeculationControlSettings Powershell with Workstation Pro 12.5.9 on Windows 10 host with a Windows 10 VM.

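The two checks discussed in this thread, the "Capability Found: cpuid.IBRS/IBPB/STIBP" entries from KB52085 quoted in the opening post and the hostCPUID leaf 7 EDX bit check described in the reply above, can be automated against a saved vmware.log. The following is an added example written for this thread; it is not code from VMware, from KB52085 or from any poster. It assumes the log line formats shown in this thread, the Intel-documented bit positions in CPUID.(EAX=7,ECX=0):EDX (bit 26 = IBRS/IBPB, bit 27 = STIBP, so 0x0c000000 means both are set), and the KB52345 mask syntax for cpuid.7.edx in /etc/vmware/config (32 positions, most significant bit first, "-" passes the host bit through and "0" forces it off). The sample log lines and config text are constructed from values quoted in this thread.

```python
"""Check a VM's vmware.log and the host's /etc/vmware/config for the
Spectre hardware-mitigation bits discussed in this thread (added example,
not code from VMware or the thread participants)."""
import re

# Bit positions in CPUID.(EAX=7,ECX=0):EDX for the Spectre microcode features.
# 0x0c000000 == bits 26 and 27 set.
LEAF7_EDX_BITS = {26: "IBRS/IBPB", 27: "STIBP"}

HEX = r"0x[0-9a-fA-F]{8}"
HOSTCPUID_LEAF7_RE = re.compile(
    r"hostCPUID level 00000007, 0: (%s) (%s) (%s) (%s)" % (HEX, HEX, HEX, HEX))
CAPABILITY_RE = re.compile(r"Capability Found: cpuid\.(IBRS|IBPB|STIBP)")
NO_EVC_MASK_RE = re.compile(r"FeatureCompat: No EVC masks\.")
CONFIG_MASK_RE = re.compile(r'^\s*cpuid\.7\.edx\s*=\s*"([-01:]+)"', re.M)


def leaf7_edx(log_lines):
    """Return the host's CPUID leaf 7 subleaf 0 EDX value from the log, or None."""
    for line in log_lines:
        m = HOSTCPUID_LEAF7_RE.search(line)
        if m:
            return int(m.group(4), 16)  # EAX EBX ECX EDX order in the dump
    return None


def microcode_features(edx):
    """Map each Spectre feature name to whether its EDX bit is set."""
    return {name: bool((edx >> bit) & 1) for bit, name in LEAF7_EDX_BITS.items()}


def capabilities_found(log_lines):
    """Feature names the hypervisor logged as 'Capability Found' (KB52085 check)."""
    found = set()
    for line in log_lines:
        m = CAPABILITY_RE.search(line)
        if m:
            found.add(m.group(1))
    return found


def masked_bits(config_text):
    """Bits of leaf 7 EDX that a KB52345-style cpuid.7.edx mask forces to 0."""
    m = CONFIG_MASK_RE.search(config_text)
    if not m:
        return set()
    bits = m.group(1).replace(":", "")
    if len(bits) != 32:
        raise ValueError("cpuid.7.edx mask must have 32 bit positions")
    # Leftmost character is bit 31.
    return {31 - i for i, ch in enumerate(bits) if ch == "0"}


def assess(log_lines, config_text=""):
    """Combine the checks: host microcode present, nothing masking it, guest exposure."""
    edx = leaf7_edx(log_lines)
    features = microcode_features(edx) if edx is not None else {}
    hidden = sorted(LEAF7_EDX_BITS[b] for b in masked_bits(config_text)
                    if b in LEAF7_EDX_BITS)
    caps = sorted(capabilities_found(log_lines))
    return {
        "host_microcode_ok": edx is not None and all(features.values()),
        "features": features,
        "no_evc_masks": any(NO_EVC_MASK_RE.search(l) for l in log_lines),
        "hidden_by_config_mask": hidden,
        "capabilities_found": caps,
        # KB52085: any Capability Found entry means microcode and hypervisor are
        # updated; a leftover config mask would still hide the bits from guests.
        "guest_exposure_ok": bool(caps) and not hidden,
    }


# Constructed samples, taken from lines quoted in this thread.
PATCHED_HOST_LOG = [
    "2018-03-15T13:41:22.697Z| vmx| I120: FeatureCompat: No EVC masks.",
    "2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000007, 0: "
    "0x00000000 0x00000281 0x00000000 0x0c000000",
]
UNPATCHED_HOST_LOG = [
    "vmx| I125: hostCPUID level 00000007, 0: 0x00000000 0x000027ab 0x00000000 0x00000000",
]
STALE_CONFIG = 'cpuid.7.edx = "----:00--:----:----:----:----:----:----"\n'

if __name__ == "__main__":
    for name, log in (("patched host", PATCHED_HOST_LOG),
                      ("unpatched host", UNPATCHED_HOST_LOG)):
        print(name, assess(log))
    print("patched host with stale KB52345 mask",
          assess(PATCHED_HOST_LOG, STALE_CONFIG))
```

Run it against a real vmware.log with `assess(open(path).read().splitlines(), open("/etc/vmware/config").read())`. For the log quoted later in this thread the result is host_microcode_ok True but guest_exposure_ok False, because the EDX dump shows 0x0c000000 while no "Capability Found" line is present, which is exactly the "microcode is there, hypervisor is not exposing it" situation the thread ends up diagnosing.
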
pkohn
Contributor

Hi bluefirestorm,

I thought the new ESXi update "VMware ESXi 5.5, Patch Release ESXi550-201801301-BG - Updates esx-base VIB (52406)" includes the Spectre mitigations, or do I misunderstand the following two quotes?

VMware Knowledge Base

This ESXi patch provides hypervisor-specific mitigations for CVE-2017-5753 and CVE-2017-5715. For more details, see VMware Security Advisory VMSA-2018-0002

VMSA-2018-0002.3

*ESXi550-201801301-BG does NOT include the unstable microcode mentioned in KB52345 and mitigates both CVE-2017-5753 and CVE-2017-5715.

vmware.log from a VM of the cluster:

2018-03-15T13:41:22.663Z| vmx| I120: Log for VMware ESX pid=308852 version=5.5.0 build=build-7618464 option=Release
2018-03-15T13:41:22.663Z| vmx| I120: The process is 64-bit.
2018-03-15T13:41:22.663Z| vmx| I120: Host codepage=UTF-8 encoding=UTF-8
2018-03-15T13:41:22.663Z| vmx| I120: Host is VMkernel 5.5.0
2018-03-15T13:41:22.655Z| vmx| I120: VTHREAD initialize main thread 0 "vmx" pid 308852
2018-03-15T13:41:22.655Z| vmx| I120: Msg_SetLocaleEx: HostLocale=UTF-8 UserLocale=NULL
2018-03-15T13:41:22.656Z| vmx| I120: ConfigDB: Failed to load /usr/lib/vmware/config
2018-03-15T13:41:22.656Z| vmx| I120: ConfigDB: Failed to load ~/.vmware/config
2018-03-15T13:41:22.656Z| vmx| I120: OBJLIB-LIB: Objlib initialized.
2018-03-15T13:41:22.657Z| vmx| I120: PREF Optional preferences file not found at /usr/lib/vmware/config. Using default values.
2018-03-15T13:41:22.657Z| vmx| I120: PREF Optional preferences file not found at //.vmware/config. Using default values.
2018-03-15T13:41:22.657Z| vmx| I120: PREF Failed to load user preferences.
2018-03-15T13:41:22.663Z| vmx| I120: Hostname=esxi01.company.intra
2018-03-15T13:41:22.663Z| vmx| I120: IP=127.0.0.1 (lo0)
2018-03-15T13:41:22.663Z| vmx| I120: IP=10.1.11.10 (vmk0)
2018-03-15T13:41:22.663Z| vmx| I120: IP=192.168.1.10 (vmk1)
2018-03-15T13:41:22.663Z| vmx| I120: IP=192.168.1.11 (vmk2)
2018-03-15T13:41:22.663Z| vmx| I120: vmkernel build type: release
2018-03-15T13:41:22.663Z| vmx| I120: System uptime 100022516293 us
2018-03-15T13:41:22.663Z| vmx| I120: Command line: "/bin/vmx" "-s" "sched.group=host/user" "-#" "product=2;name=VMware ESX;version=5.5.0;buildnumber=7618464;licensename=VMware ESX Server;licenseversion=5.0;" "-@" "duplex=3;msgs=ui" "/vmfs/volumes/55098883-94a1f357-8c64-a0369f642eec/S002/S002.vmx"
2018-03-15T13:41:22.663Z| vmx| I120: Environment: "USER=root" "HOME=/" "SHELL=/bin/sh" "LANG=C"
2018-03-15T13:41:22.663Z| vmx| I120: Msg_SetLocaleEx: HostLocale=UTF-8 UserLocale=NULL
2018-03-15T13:41:22.663Z| vmx| I120: Duplex socket: 3
2018-03-15T13:41:22.663Z| vmx| W110: CnxNeedScrub: Time to scrub dir /var/run/vmware
2018-03-15T13:41:22.691Z| vmx| I120: Connecting 'ui' to fd '3' with user '(null)'
2018-03-15T13:41:22.692Z| vmx| I120: VmdbAddConnection: cnxPath=/db/connection/#1/, cnxIx=1
2018-03-15T13:41:22.692Z| vmx| I120: /vmfs/volumes/55098883-94a1f357-8c64-a0369f642eec/S002/S002.vmx: Setup symlink /var/run/vmware/841361a48ddd381b3474398e2ca00c61 -> /var/run/vmware/root_0/1521121282663586_308852
2018-03-15T13:41:22.692Z| vmx| I120: Vix: [308852 mainDispatch.c:463]: VMAutomation: Initializing VMAutomation.
2018-03-15T13:41:22.692Z| vmx| I120: Vix: [308852 mainDispatch.c:760]: VMAutomationOpenListenerSocket() listening
2018-03-15T13:41:22.696Z| vmx| I120: Vix: [308852 mainDispatch.c:3964]: VMAutomation_ReportPowerOpFinished: statevar=0, newAppState=1870, success=1 additionalError=0
2018-03-15T13:41:22.696Z| vmx| I120: Transitioned vmx/execState/val to poweredOff
2018-03-15T13:41:22.696Z| vmx| I120: Vix: [308852 mainDispatch.c:3964]: VMAutomation_ReportPowerOpFinished: statevar=1, newAppState=1873, success=1 additionalError=0
2018-03-15T13:41:22.696Z| vmx| I120: Vix: [308852 mainDispatch.c:3964]: VMAutomation_ReportPowerOpFinished: statevar=2, newAppState=1877, success=1 additionalError=0
2018-03-15T13:41:22.696Z| vmx| I120: Vix: [308852 mainDispatch.c:3964]: VMAutomation_ReportPowerOpFinished: statevar=3, newAppState=1881, success=1 additionalError=0
2018-03-15T13:41:22.697Z| vmx| I120: FeatureCompat: No EVC masks.
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID vendor: GenuineIntel
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID family: 0x6 model: 0x3e stepping: 0x4
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID codename: Ivy Bridge EP/EN/EX
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID name: Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000000, 0: 0x0000000d 0x756e6547 0x6c65746e 0x49656e69
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000001, 0: 0x000306e4 0x00200800 0x77bee3ff 0xbfebfbff
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000002, 0: 0x76036301 0x00f0b2ff 0x00000000 0x00ca0000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000003, 0: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000004, 0: 0x3c004121 0x01c0003f 0x0000003f 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000004, 1: 0x3c004122 0x01c0003f 0x0000003f 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000004, 2: 0x3c004143 0x01c0003f 0x000001ff 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000004, 3: 0x3c07c163 0x04c0003f 0x00002fff 0x00000006
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000004, 4: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000005, 0: 0x00000040 0x00000040 0x00000003 0x00001120
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000006, 0: 0x00000077 0x00000002 0x00000009 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000007, 0: 0x00000000 0x00000281 0x00000000 0x0c000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000008, 0: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000009, 0: 0x00000001 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000a, 0: 0x07300403 0x00000000 0x00000000 0x00000603
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000b, 0: 0x00000001 0x00000002 0x00000100 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000b, 1: 0x00000005 0x0000000c 0x00000201 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000b, 2: 0x00000000 0x00000000 0x00000002 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000c, 0: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 0: 0x00000007 0x00000240 0x00000340 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 1: 0x00000001 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 2: 0x00000100 0x00000240 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 3: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 4: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 5: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 6: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 7: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 8: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 9: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, a: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, b: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, c: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, d: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, e: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, f: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 10: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 11: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 12: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 13: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 14: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 15: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 16: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 17: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 18: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 19: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 1a: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 1b: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 1c: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 1d: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 1e: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 1f: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 20: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 21: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 22: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 23: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 24: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 25: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 26: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 27: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 28: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 29: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 2a: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 2b: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 2c: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 2d: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 2e: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 2f: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 30: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 31: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 32: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 33: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 34: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 35: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 36: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 37: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 38: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 39: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 3a: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 3b: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 3c: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 3d: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 3e: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 3f: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000000, 0: 0x80000008 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000001, 0: 0x00000000 0x00000000 0x00000001 0x2c100800
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000002, 0: 0x20202020 0x6e492020 0x286c6574 0x58202952
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000003, 0: 0x286e6f65 0x43202952 0x45205550 0x36322d35
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000004, 0: 0x76203033 0x20402032 0x30362e32 0x007a4847
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000005, 0: 0x00000000 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000006, 0: 0x00000000 0x00000000 0x01006040 0x00000000
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000007, 0: 0x00000000 0x00000000 0x00000000 0x00000100
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000008, 0: 0x0000302e 0x00000000 0x00000000 0x00000000
2018-03-15T13:41:22.699Z| vmx| I120: CPUID differences from hostCPUID.

Regards Philipp

bluefirestorm
Champion

From the log you pasted it looks like the CPU has the microcode updates for mitigation against Spectre, as the EDX register output value is 0x0c000000 (which means bits 26-27 are set to 1) and there are no EVC masks that would mask them out.

CPUID leaf (EAX in)   ECX in   EAX out      EBX out      ECX out      EDX out
00000007              0        0x00000000   0x00000281   0x00000000   0x0c000000

So it is a matter of the hypervisor (in your case ESXi 5.5) exposing IBRS, IBPB and STIBP to the VM. Maybe U3h has the patches from U3g removed. It is unclear from the KB whether that was the case. You may have to ask VMware for a definitive answer.

pkohn
Contributor

Hi bluefirestorm,

Thank you for your support, it's greatly appreciated.

"Maybe U3h has the patches from U3g removed. It is unclear from the KB whether that was the case."

Perhaps I am wrong, but VMware's statement in the article, in my understanding, is that the Spectre mitigations should be included.

But I had the same discussion with a German community colleague yesterday. (CVE-2017-5753 and CVE-2017-5715 = https://meltdownattack.com/#faq-cve-spectre)

VMSA-2018-0002.3

ESXi550-201801301-BG does NOT include the unstable microcode mentioned in KB52345 and mitigates both CVE-2017-5753 and CVE-2017-5715

@VMware:

I really hate this situation, we need clear and transparent communication, and we need an official PowerCLI script or an alternative to test the mitigation status.

Our customers trust us and we trust in you, so please do your Job and inform us in a proper way!

Regards Philipp

marvinp
Contributor

Hi, I also have the same issue. The answer from Support is that the 5.5u3h patch does not include the hypervisor-assisted guest OS mitigation.

It was included in the 5.5u3g patch, which was pulled due to the unstable microcode. I asked when the patch will be re-released with the hypervisor-assisted guest OS mitigation and the answer is: no ETA yet. Very dissatisfying.

pkohn
Contributor

Hi marvinp,

Thank you for your response. OK, that sounds plausible, but then I don't understand the "3h" patch notes, or even why this patch was released...

If the Spectre mitigations are not included, then the notes are misleading or, in other words, totally wrong.

VMware Knowledge Base

This ESXi patch provides hypervisor-specific mitigations for CVE-2017-5753 and CVE-2017-5715. For more details, see VMware Security Advisory VMSA-2018-0002.

Regards Philipp

a_p_
Leadership

I agree, the documentation is kind of confusing.

Anyway, new patches have been released today, see VMSA-2018-0004.3

André

pkohn
Contributor

Hi a.p.,

Thanks for your answer, I will try out this patch ASAP.

Regards Philipp

pkohn
Contributor

Hi André,

Installed the patches, the Spectre mitigation checks are all green inside the VMs.

Thanks for your support.

Regards Philipp
