12 Replies Latest reply on Mar 20, 2018 2:39 PM by pkohn

    ESXi 5.5 Cluster fully patched / Windows VMs still vulnerable (Get-SpeculationControlSettings & Inspectre)

    pkohn Novice

      Hi VMware Community,

       

      I have opened a VMware Support request, but have got no qualified answer in a week, so perhaps someone here in the community can help me.

      We have a fully patched environment to mitigate the Meltdown & Spectre vulnerabilities. But all testing tools are saying that the systems are attackable, and VMware Support told me that they are not responsible for the Windows VMs. But from the Microsoft side all things are done, patches installed and the needed registry values for Windows Servers are there.

       

       

      The Technical Details of the Environment:

      • The customer has a 2-node VMware ESXi 5.5 Cluster 
      • Host-Patchlevel is ESXi 5.5 U3h (Build 7618464)
      • Server-Hardware = Fujitsu Primergy RX 200 S8
      • Bios Updates are installed V4.6.5.4 - R1.18.0
        Bios-Changelog:
        BIOS V4.6.5.4 R1.18.0 for D3302-A1x (12.02.2018)
        Update CPU Microcode to ID=0000042C
        Fixed side-channel analysis security flaws - known as Spectre & Meltdown
      • Windows VMs patched (Microsoft Updates installed)
      • VMs (Windows Server 2008 R2) rebooted (Full Powercycle)

       

      Issue:

      Microsoft PowerShell Query "Get-SpeculationControlSettings" Shows inside VMs that Hardware Support is not present. 

      https://support.microsoft.com/de-de/help/4074629/understanding-the-output-of-get-speculationcontrolsettings-powershell

       

      Output of PowerShell Script: "Hardware support for branch target injection mitigation is present: False"

       

      BTIHardwarePresent             : False  

      BTIWindowsSupportPresent       : True  

      BTIWindowsSupportEnabled       : False  

      BTIDisabledBySystemPolicy      : False  

      BTIDisabledByNoHardwareSupport : True  

      KVAShadowRequired              : True  

      KVAShadowWindowsSupportPresent : True  

      KVAShadowWindowsSupportEnabled : True 

      KVAShadowPcidEnabled           : False

       

       

      Question:

      How can I check that Meltdown & Spectre mitigation is correctly configured on the VMware side?

       

      The PowerCLI Script from:

      https://www.virtuallyghetto.com/2018/01/verify-hypervisor-assisted-guest-mitigation-spectre-patches-using-powercli.html

      shows that Meltdown/Spectre mitigation is not working but I know that this is not an official VMware script, so is there an official solution to query the mitigation status?

       

      Output of Script for all VMs = HypervisorAssistedGuestAffected  = True

       

       

       

       

      I further checked the VMware KB article KB52085

      Confirmation of Correct Operation

      To confirm a host has both patched microcode and patched VMware hypervisor, use the following steps:

      1. Power on a Virtual Machine which is configured to use Virtual Hardware Version 9 or later.
      2. Examine the vmware.log file for that VM and look for one of the following entries:
        • “Capability Found: cpuid.IBRS”
        • “Capability Found: cpuid.IBPB”
        • “Capability Found: cpuid.STIBP”
      3. Any of the above log entries indicates that both the CPU microcode and hypervisor are properly updated.

       

      1. = VM Hardware Version is = 10

      2. = VMware.log checks no entries like that are there

       

      I would really appreciate any help.

       

       

       

      Regards Philipp

        • 1. Re: ESXi 5.5 Cluster fully patched / Windows VMs still vulnerable (Get-SpeculationControlSettings & Inspectre)
          pkohn Novice

          Output from "InSpectre" Release #7 on a VM (WIN 2008 R2) from the Cluster:

           

          Spectre & Meltdown Vulnerability and Performance Status

          System is Meltdown protected: YES
          System is Spectre protected: NO!
          Performance: SLOWER
          CPUID: 306E4

           

          This 64-bit OS on Intel Processor:

          OS is Meltdown aware:  Yes
          OS is Spectre aware:  Yes
          OS Meltdown data:  0x0033
          OS Spectre data:  0x0004
          PCID/INVPCID support:  Yes / No
          CPU microcode updated: No
          CPU is meltdown vulnerable: Yes

          This system's processor identification:
          Intel Xeon CPU E5-2630 v2 @ 2.60GHz

          Full Output of the Microsoft PowerShell Test Module from the same VM:

           

          Speculation control settings for CVE-2017-5715 [branch target injection]
          For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629

          Hardware support for branch target injection mitigation is present: False
          Windows OS support for branch target injection mitigation is present: True
          Windows OS support for branch target injection mitigation is enabled: False
          Windows OS support for branch target injection mitigation is disabled by system policy: False
          Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

           

          Speculation control settings for CVE-2017-5754 [rogue data cache load]

           

          Hardware requires kernel VA shadowing: True
          Windows OS support for kernel VA shadow is present: True
          Windows OS support for kernel VA shadow is enabled: True
          Windows OS support for PCID performance optimization is enabled: False [not required for security]

           

          Suggested actions

           

          * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.


          BTIHardwarePresent             : False
          BTIWindowsSupportPresent       : True
          BTIWindowsSupportEnabled       : False
          BTIDisabledBySystemPolicy      : False
          BTIDisabledByNoHardwareSupport : True
          KVAShadowRequired              : True
          KVAShadowWindowsSupportPresent : True
          KVAShadowWindowsSupportEnabled : True
          KVAShadowPcidEnabled           : False

          • 2. Re: ESXi 5.5 Cluster fully patched / Windows VMs still vulnerable (Get-SpeculationControlSettings & Inspectre)
            bluefirestorm Master

            In case you had forgotten to remove "Intel Sightings" KB52345 CPUID leaf 7 EDX register mask from the /etc/vmware/config when the patches were recalled; it has to be REMOVED. It masks out IBRS, IBPB, and STIBP from the VM.

             

            The Get-SpeculationControlSettings KVAShadowPcidEnabled is "FALSE" because the CPU is Ivy Bridge. Haswell and later have the INVPCID instruction. Only certain versions of Windows make use of INVPCID instruction.

             

            https://kb.vmware.com/s/article/52345

             

            cpuid.7.edx = "----:00--:----:----:----:----:----:----"

             

             

            • 3. Re: ESXi 5.5 Cluster fully patched / Windows VMs still vulnerable (Get-SpeculationControlSettings & Inspectre)
              pkohn Novice

              Hi bluefirestorm,

               

              thx for your fast Response but the only entries in the config file on both hosts are:

               

              HOST1 /etc/VMware/config

               

              libdir = "/usr/lib/vmware"
              authd.proxy.nfc = "vmware-hostd:ha-nfc"
              authd.proxy.nfcssl = "vmware-hostd:ha-nfcssl"
              authd.proxy.vpxa-nfcssl = "vmware-vpxa:vpxa-nfcssl"
              authd.proxy.vpxa-nfc = "vmware-vpxa:vpxa-nfc"
              authd.fullpath = "/sbin/authd"

               

               

              HOST2 /etc/VMware/config

               

              libdir = "/usr/lib/vmware"
              authd.proxy.nfc = "vmware-hostd:ha-nfc"
              authd.proxy.nfcssl = "vmware-hostd:ha-nfcssl"
              authd.proxy.vpxa-nfcssl = "vmware-vpxa:vpxa-nfcssl"
              authd.proxy.vpxa-nfc = "vmware-vpxa:vpxa-nfc"
              authd.fullpath = "/sbin/authd"

               

              btw: I didn't set the entry (cpuid.7.edx = "----:00--:----:----:----:----:----:----") manually because we didn't patch the system in January with the faulty microcode updates.

               

              Regards Philipp

              • 4. Re: ESXi 5.5 Cluster fully patched / Windows VMs still vulnerable (Get-SpeculationControlSettings & Inspectre)
                bluefirestorm Master

                One more thing to check is the hostCPUID entry in the vmware.log of the VM, leaf 7, EDX register.

                 

                vmx| I125: hostCPUID level 00000007, 0: 0x00000000 0x000027ab 0x00000000 0x00000000

                 

                It should show as 0x0C000000 if the CPU has the microcode patches instead of all hexadecimal zeroes for bit 26-27 for the 3 Spectre microcode updates. I am not 100% sure, but I think the hostCPUID dump is unfiltered (i.e. it just dumps whatever the CPUID instruction returns); whereas the "Capability Found" entries are an indicator that the hypervisor is looking for those features based on the CPUID instruction queries. So if it is indeed unfiltered, this can confirm whether the firmware update on the ESXi host itself is successful.

                 

                I haven't seen any official announcement from VMware with regards to ESXi Spectre patches now that Intel has issued new working microcode for many different generations of CPUs starting from February. It might be the case that the ESXi version 5.5 update H is not exposing those 3 microcode features. So you might have to wait for an official VMware announcement with regards to ESXi patches for Spectre.

                 

                Just an FYI: On a consumer laptop of mine, I used the microcode downloaded from the Microsoft catalog (not a firmware update from the laptop manufacturer, the manufacturer did not list the laptop model I have as pending firmware updates for Spectre) for a Skylake CPU, and I get "all green" with the Get-SpeculationControlSettings Powershell with Workstation Pro 12.5.9 on Windows 10 host with a Windows 10 VM.

                • 5. Re: ESXi 5.5 Cluster fully patched / Windows VMs still vulnerable (Get-SpeculationControlSettings & Inspectre)
                  pkohn Novice

                  Hi Bluestorm.

                   

                  I thought the new ESXi Update VMware ESXi 5.5, Patch Release ESXi550-201801301-BG - Updates esx-base VIB (52406) includes the Spectre mitigations, or do I misunderstand the following two quotes?

                   

                  VMware Knowledge Base

                  This ESXi patch provides hypervisor-specific mitigations for CVE-2017-5753 and CVE-2017-5715. For more details, see VMware Security Advisory VMSA-2018-0002

                   

                  VMSA-2018-0002.3

                  *ESXi550-201801301-BG does NOT include the unstable microcode mentioned in KB52345 and mitigates both CVE-2017-5753 and CVE-2017-5715.

                  VMware.log from a VM of the Cluster.

                   

                  2018-03-15T13:41:22.663Z| vmx| I120: Log for VMware ESX pid=308852 version=5.5.0 build=build-7618464 option=Release

                  2018-03-15T13:41:22.663Z| vmx| I120: The process is 64-bit.

                  2018-03-15T13:41:22.663Z| vmx| I120: Host codepage=UTF-8 encoding=UTF-8

                  2018-03-15T13:41:22.663Z| vmx| I120: Host is VMkernel 5.5.0

                  2018-03-15T13:41:22.655Z| vmx| I120: VTHREAD initialize main thread 0 "vmx" pid 308852

                  2018-03-15T13:41:22.655Z| vmx| I120: Msg_SetLocaleEx: HostLocale=UTF-8 UserLocale=NULL

                  2018-03-15T13:41:22.656Z| vmx| I120: ConfigDB: Failed to load /usr/lib/vmware/config

                  2018-03-15T13:41:22.656Z| vmx| I120: ConfigDB: Failed to load ~/.vmware/config

                  2018-03-15T13:41:22.656Z| vmx| I120: OBJLIB-LIB: Objlib initialized.

                  2018-03-15T13:41:22.657Z| vmx| I120: PREF Optional preferences file not found at /usr/lib/vmware/config. Using default values.

                  2018-03-15T13:41:22.657Z| vmx| I120: PREF Optional preferences file not found at //.vmware/config. Using default values.

                  2018-03-15T13:41:22.657Z| vmx| I120: PREF Failed to load user preferences.

                  2018-03-15T13:41:22.663Z| vmx| I120: Hostname=esxi01.company.intra

                  2018-03-15T13:41:22.663Z| vmx| I120: IP=127.0.0.1 (lo0)

                  2018-03-15T13:41:22.663Z| vmx| I120: IP=10.1.11.10 (vmk0)

                  2018-03-15T13:41:22.663Z| vmx| I120: IP=192.168.1.10 (vmk1)

                  2018-03-15T13:41:22.663Z| vmx| I120: IP=192.168.1.11 (vmk2)

                  2018-03-15T13:41:22.663Z| vmx| I120: vmkernel build type: release

                  2018-03-15T13:41:22.663Z| vmx| I120: System uptime 100022516293 us

                  2018-03-15T13:41:22.663Z| vmx| I120: Command line: "/bin/vmx" "-s" "sched.group=host/user" "-#" "product=2;name=VMware ESX;version=5.5.0;buildnumber=7618464;licensename=VMware ESX Server;licenseversion=5.0;" "-@" "duplex=3;msgs=ui" "/vmfs/volumes/55098883-94a1f357-8c64-a0369f642eec/S002/S002.vmx"

                  2018-03-15T13:41:22.663Z| vmx| I120: Environment: "USER=root" "HOME=/" "SHELL=/bin/sh" "LANG=C"

                  2018-03-15T13:41:22.663Z| vmx| I120: Msg_SetLocaleEx: HostLocale=UTF-8 UserLocale=NULL

                  2018-03-15T13:41:22.663Z| vmx| I120: Duplex socket: 3

                  2018-03-15T13:41:22.663Z| vmx| W110: CnxNeedScrub: Time to scrub dir /var/run/vmware

                  2018-03-15T13:41:22.691Z| vmx| I120: Connecting 'ui' to fd '3' with user '(null)'

                  2018-03-15T13:41:22.692Z| vmx| I120: VmdbAddConnection: cnxPath=/db/connection/#1/, cnxIx=1

                  2018-03-15T13:41:22.692Z| vmx| I120: /vmfs/volumes/55098883-94a1f357-8c64-a0369f642eec/S002/S002.vmx: Setup symlink /var/run/vmware/841361a48ddd381b3474398e2ca00c61 -> /var/run/vmware/root_0/1521121282663586_308852

                  2018-03-15T13:41:22.692Z| vmx| I120: Vix: [308852 mainDispatch.c:463]: VMAutomation: Initializing VMAutomation.

                  2018-03-15T13:41:22.692Z| vmx| I120: Vix: [308852 mainDispatch.c:760]: VMAutomationOpenListenerSocket() listening

                  2018-03-15T13:41:22.696Z| vmx| I120: Vix: [308852 mainDispatch.c:3964]: VMAutomation_ReportPowerOpFinished: statevar=0, newAppState=1870, success=1 additionalError=0

                  2018-03-15T13:41:22.696Z| vmx| I120: Transitioned vmx/execState/val to poweredOff

                  2018-03-15T13:41:22.696Z| vmx| I120: Vix: [308852 mainDispatch.c:3964]: VMAutomation_ReportPowerOpFinished: statevar=1, newAppState=1873, success=1 additionalError=0

                  2018-03-15T13:41:22.696Z| vmx| I120: Vix: [308852 mainDispatch.c:3964]: VMAutomation_ReportPowerOpFinished: statevar=2, newAppState=1877, success=1 additionalError=0

                  2018-03-15T13:41:22.696Z| vmx| I120: Vix: [308852 mainDispatch.c:3964]: VMAutomation_ReportPowerOpFinished: statevar=3, newAppState=1881, success=1 additionalError=0

                  2018-03-15T13:41:22.697Z| vmx| I120: FeatureCompat: No EVC masks.

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID vendor: GenuineIntel

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID family: 0x6 model: 0x3e stepping: 0x4

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID codename: Ivy Bridge EP/EN/EX

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID name: Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000000, 0: 0x0000000d 0x756e6547 0x6c65746e 0x49656e69

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000001, 0: 0x000306e4 0x00200800 0x77bee3ff 0xbfebfbff

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000002, 0: 0x76036301 0x00f0b2ff 0x00000000 0x00ca0000

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000003, 0: 0x00000000 0x00000000 0x00000000 0x00000000

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000004, 0: 0x3c004121 0x01c0003f 0x0000003f 0x00000000

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000004, 1: 0x3c004122 0x01c0003f 0x0000003f 0x00000000

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000004, 2: 0x3c004143 0x01c0003f 0x000001ff 0x00000000

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000004, 3: 0x3c07c163 0x04c0003f 0x00002fff 0x00000006

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000004, 4: 0x00000000 0x00000000 0x00000000 0x00000000

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000005, 0: 0x00000040 0x00000040 0x00000003 0x00001120

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000006, 0: 0x00000077 0x00000002 0x00000009 0x00000000

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000007, 0: 0x00000000 0x00000281 0x00000000 0x0c000000

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000008, 0: 0x00000000 0x00000000 0x00000000 0x00000000

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000009, 0: 0x00000001 0x00000000 0x00000000 0x00000000

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000a, 0: 0x07300403 0x00000000 0x00000000 0x00000603

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000b, 0: 0x00000001 0x00000002 0x00000100 0x00000000

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000b, 1: 0x00000005 0x0000000c 0x00000201 0x00000000

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000b, 2: 0x00000000 0x00000000 0x00000002 0x00000000

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000c, 0: 0x00000000 0x00000000 0x00000000 0x00000000

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 0: 0x00000007 0x00000240 0x00000340 0x00000000

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 1: 0x00000001 0x00000000 0x00000000 0x00000000

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 0000000d, 2: 0x00000100 0x00000240 0x00000000 0x00000000

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000000, 0: 0x80000008 0x00000000 0x00000000 0x00000000

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000001, 0: 0x00000000 0x00000000 0x00000001 0x2c100800

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000002, 0: 0x20202020 0x6e492020 0x286c6574 0x58202952

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000003, 0: 0x286e6f65 0x43202952 0x45205550 0x36322d35

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000004, 0: 0x76203033 0x20402032 0x30362e32 0x007a4847

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000005, 0: 0x00000000 0x00000000 0x00000000 0x00000000

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000006, 0: 0x00000000 0x00000000 0x01006040 0x00000000

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000007, 0: 0x00000000 0x00000000 0x00000000 0x00000100

                  2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 80000008, 0: 0x0000302e 0x00000000 0x00000000 0x00000000

                  2018-03-15T13:41:22.699Z| vmx| I120: CPUID differences from hostCPUID.

                  Regards Philipp

                  • 6. Re: ESXi 5.5 Cluster fully patched / Windows VMs still vulnerable (Get-SpeculationControlSettings & Inspectre)
                    bluefirestorm Master

                    From the log you pasted it looks like the CPU has the microcode updates for mitigation against Spectre, as the EDX register output value is 0x0c000000 (which means the values of bits 26-27 are 1) and there are no EVC masks that would mask them out.

                     

                    CPUID leaf (EAX in)  ECX in  EAX out     EBX out     ECX out     EDX out
                    00000007             0       0x00000000  0x00000281  0x00000000  0x0c000000

                     

                    So it is a matter of the hypervisor (in your case ESXi 5.5) exposing the IBRS, IBPB, STIBP to the VM. Maybe it is that U3h has the patches from U3g removed. It is unclear from the KB whether that was the case. You may have to ask VMware for a definitive answer.
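
Added example, not part of any post in this thread and not VMware code: it combines the KB52085 "Capability Found" check quoted in the first post with the hostCPUID leaf 7 EDX check from the replies above, so that missing microcode, a leftover cpuid.7.edx mask, and a hypervisor that does not expose the features can be told apart. The verdict names, function names and the "Capability Found" sample line are assumptions made for this sketch, as is the reading of the mask string as bit 31 first.

```python
import re

# CPUID.(EAX=7,ECX=0):EDX bits for the Spectre v2 controls discussed in the thread.
EDX_BITS = {26: "IBRS/IBPB", 27: "STIBP"}

LEAF7 = re.compile(r"hostCPUID level 00000007, 0:((?:\s+0x[0-9a-fA-F]{8}){4})")
CAP_FOUND = re.compile(r"Capability Found: (cpuid\.(?:IBRS|IBPB|STIBP))\b")
EDX_MASK = re.compile(r'^\s*cpuid\.7\.edx\s*=\s*"([^"]+)"', re.MULTILINE)


def host_leaf7_edx(log_text):
    """Return EDX of host CPUID leaf 7, subleaf 0, from vmware.log text, or None."""
    match = LEAF7.search(log_text)
    if match is None:
        return None
    _eax, _ebx, _ecx, edx = (int(v, 16) for v in match.group(1).split())
    return edx


def capabilities_found(log_text):
    """Return the set of cpuid.* capabilities that KB52085 says to look for."""
    return set(CAP_FOUND.findall(log_text))


def bits_masked_to_zero(config_text):
    """Return the EDX bit numbers forced to 0 by a cpuid.7.edx line in the config.

    Assumption: the 32 mask characters are written most significant bit first,
    which matches the thread (the two '0' characters cover bits 27 and 26).
    """
    match = EDX_MASK.search(config_text)
    if match is None:
        return set()
    mask = match.group(1).replace(":", "")
    if len(mask) != 32:
        raise ValueError("cpuid.7.edx mask must describe 32 bits")
    return {31 - i for i, ch in enumerate(mask) if ch == "0"}


def diagnose(log_text, config_text=""):
    """Return (verdict, details) for one VM's vmware.log and the host config."""
    caps = capabilities_found(log_text)
    if caps:
        # KB52085: any one entry means microcode and hypervisor are both updated.
        return "OK", sorted(caps)
    edx = host_leaf7_edx(log_text)
    if edx is None:
        return "NO_CPUID_DATA", []
    missing = [name for bit, name in EDX_BITS.items() if not (edx >> bit) & 1]
    if missing:
        return "MICROCODE_MISSING", missing
    hidden = sorted(bits_masked_to_zero(config_text) & set(EDX_BITS))
    if hidden:
        return "MASKED_BY_CONFIG", [EDX_BITS[bit] for bit in hidden]
    # Host CPU reports the bits, nothing masks them, yet the VM never saw them.
    return "HYPERVISOR_NOT_EXPOSING", list(EDX_BITS.values())


# Two lines taken from the vmware.log posted in this thread.
THREAD_LOG = """\
2018-03-15T13:41:22.697Z| vmx| I120: FeatureCompat: No EVC masks.
2018-03-15T13:41:22.698Z| vmx| I120: hostCPUID level 00000007, 0: 0x00000000 0x00000281 0x00000000 0x0c000000
"""

# The example line quoted in reply 4 (host without the microcode bits).
UNPATCHED_LOG = "vmx| I125: hostCPUID level 00000007, 0: 0x00000000 0x000027ab 0x00000000 0x00000000\n"

# Constructed sample: THREAD_LOG plus a KB52085-style entry (prefix is made up).
PATCHED_LOG = THREAD_LOG + "2018-03-20T10:00:00.000Z| vmx| I120: Capability Found: cpuid.IBRS\n"

# The KB52345 workaround line quoted in reply 2.
MASK_CONFIG = 'libdir = "/usr/lib/vmware"\ncpuid.7.edx = "----:00--:----:----:----:----:----:----"\n'

if __name__ == "__main__":
    for label, log, cfg in [
        ("thread log", THREAD_LOG, ""),
        ("thread log + KB52345 mask", THREAD_LOG, MASK_CONFIG),
        ("reply 4 example", UNPATCHED_LOG, ""),
        ("constructed patched log", PATCHED_LOG, ""),
    ]:
        print(label, "->", diagnose(log, cfg))
```
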

                    • 7. Re: ESXi 5.5 Cluster fully patched / Windows VMs still vulnerable (Get-SpeculationControlSettings & Inspectre)
                      pkohn Novice

                      Hi bluefirestorm,

                       

                      thank you for your support, it's greatly appreciated.

                       

                      Maybe it is U3h has the patches from U3g removed. It is unclear from the KB whether that was the case.

                       

                      Perhaps I am wrong but VMware statement in the article in my understanding is that spectre mitigations should be included.

                      But I had the same discussion with a German community colleague yesterday. (CVE-2017-5753 and CVE-2017-5715 = https://meltdownattack.com/#faq-cve-spectre)

                      VMSA-2018-0002.3

                      ESXi550-201801301-BG does NOT include the unstable microcode mentioned in KB52345 and mitigates both CVE-2017-5753 and CVE-2017-5715

                      @VMware:

                      I hate this situation really, we need a clear and transparent communication, and we need an official PowerCLI or alternative to test the mitigation status.

                      Our customers trust us and we trust in you, so please do your Job and inform us in a proper way!

                       

                      Regards Philipp

                      • 8. Re: ESXi 5.5 Cluster fully patched / Windows VMs still vulnerable (Get-SpeculationControlSettings & Inspectre)
                        marvinp Lurker

                        Hi, I also have the same issue. Answer from Support is that the 5.5u3h patch does not include the hypervisor assisted guest OS mitigation.

                        It was included in the 5.5u3g patch which was pulled due to unstable microcode stuff. I asked about when the patch will be rereleased with hypervisor assisted guest OS mitigation and the answer is: no ETA yet. Very dissatisfying.

                        • 9. Re: ESXi 5.5 Cluster fully patched / Windows VMs still vulnerable (Get-SpeculationControlSettings & Inspectre)
                          pkohn Novice

                          Hi marvinp,

                           

                          thank you for your response, ok sounds plausible, but then I don't understand the "3h" patch notes or even why this patch was released...

                          If the Spectre mitigations are not included then the notes are misleading or in other words totally wrong.

                           

                          VMware Knowledge Base

                          This ESXi patch provides hypervisor-specific mitigations for CVE-2017-5753 and CVE-2017-5715. For more details, see VMware Security Advisory VMSA-2018-0002.

                          Regards Philipp

                          • 10. Re: ESXi 5.5 Cluster fully patched / Windows VMs still vulnerable (Get-SpeculationControlSettings & Inspectre)
                            a.p. Guru
                            vExpert, Community Warriors, User Moderators

                            I agree, the documentation is kind of confusing.

                            Anyway, new patches have been released today, see VMSA-2018-0004.3

                             

                            André

                            • 11. Re: ESXi 5.5 Cluster fully patched / Windows VMs still vulnerable (Get-SpeculationControlSettings & Inspectre)
                              pkohn Novice

                              Hi a.p.,

                               

                              thx for your answer, I will try out this patch asap.

                               

                              Regards Philipp

                              • 12. Re: ESXi 5.5 Cluster fully patched / Windows VMs still vulnerable (Get-SpeculationControlSettings & Inspectre)
                                pkohn Novice

                                Hi André,

                                 

                                installed the Patches, Spectre Mitigations checks are all green inside the VMs.

                                 

                                Thx for your Support.

                                 

                                Regards Philipp