Security Alert (A18-01-09): Multiple Vulnerabilities in Hypervisors


 

Published on: 12 January 2018

  
  

Description:

The recent disclosed security issues, known as Meltdown and Spectre, affects most hypervisors in a virtualised environment. It allows of information disclosure between virtual machines on the same hosts or between processes within a same virtual machine. Exploiting the security issue requires an attacker to load and run malicious programs on affected systems.

 

Affected Systems:

  • VMware vCenter Server (VC), vSphere ESXi (ESXi), VMware Workstation Pro / Player (Workstation) and VMware Fusion Pro / Fusion (Fusion)
  • Microsoft Hyper-V
  • All versions of Xen
  • Red Hat Enterprise Virtualization 3.6 ELS and 4.1

 

Impact:

A successful attack could lead to arbitrary code execution, elevation of privilege, or information disclosure.

 

Recommendation:

Some product vendors have provided information on the patches of the vulnerabilities for their products as listed below. The list is not exhaustive and it is recommended to consult the product vendors to confirm the availability of patches.

  • Microsoft Hyper-V
    https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms
    https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

  • VMWare
    https://www.vmware.com/security/advisories/VMSA-2018-0002.html
    https://www.vmware.com/security/advisories/VMSA-2018-0004.html

  • Xen
    http://xenbits.xen.org/xsa/advisory-254.html

  • Red Hat
    https://access.redhat.com/solutions/3307851

System administrators should apply the patches once available or follow the recommendations provided by the product vendors to mitigate the risk.

 

More Information:

https://googleprojectzero.blogspot.hk/2018/01/reading-privileged-memory-with-side.html
https://meltdownattack.com/
https://spectreattack.com/
https://www.hkcert.org/my_url/zh/alert/18010401
https://www.us-cert.gov/ncas/alerts/TA18-004A
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754

 



Tag: VMware , vCenter Server , vSphere ESXi , Microsoft , Hyper-V , Red Hat , Enterprise Virtualization , VMware Workstation , VMware Fusion , Xen Project , Xen , Meltdown , Spectre
Tags