TPS-2018-007 Intel L1 Terminal Fault Vulnerabilities (CVE-2018-3615, CVE-2018-3620 & CVE-2018-3646)

Overview

This advisory covers three related vulnerabilities in Intel processors, collectively called L1 Terminal Fault (L1TF):

  • CVE-2018-3615 - Specific to Intel Software Guard Extensions (SGX)
  • CVE-2018-3620 - Specific to Operating Systems and System Management Mode (SMM)
  • CVE-2018-3646 - Specific to Virtual Machine Monitors (VMM) / Hypervisors

Of these three CVEs, only the latter two apply to Triton public cloud and Triton Enterprise software customers. Joyent customers are not affected by the first CVE.

Comparison to Meltdown and Spectre

Like Meltdown and Spectre, these vulnerabilities are flaws in the CPU that allow a locally executing application to create a speculative-execution side channel. Through this side channel, an application can bypass the standard microarchitectural protections and read data that resides in the CPU’s Level 1 (L1) data cache.

Unlike Meltdown, an L1TF attack only allows speculative access, by physical address, to data that is already present in the processor’s L1 data cache. Because the L1 data cache is shared between the hyperthreads on a core, data loaded into the L1 cache by one hyperthread may be visible to the sibling hyperthread. The L1 cache contents may also be visible to the next process that executes on that core.

Impacted Processors

This vulnerability impacts most Intel processors:

  • The Core® and Xeon® lines are particularly impacted.
  • Many Intel Atom processors are not impacted.
  • For a full list of impacted processors, please see Intel’s L1TF security advisory.

Further Details

For more detailed technical background, please see the Intel L1TF whitepaper.

Actions Taken by Joyent

The fix consists of a combination of operating system updates and CPU microcode updates. These have been made available for upstream inclusion and are in the process of being deployed to Joyent’s Triton Cloud (public cloud). Deployment requires a compute node reboot; we are making a best effort to schedule those reboots with customers to minimize disruption.

We will also make available SmartOS updates for our software customers. For information, see the “Actions You Need to Take” section below.

Further updates will continue to be posted in this advisory.

Actions You Need to Take

Joyent’s Triton Enterprise Software Users

Customers running hardware virtual machines in their Triton environments are potentially susceptible to these attacks. In environments with multi-tenancy and untrusted workloads, applying these updates is critical.

Joyent recommends that all customers with on-premises Triton Enterprise software deployments update their platforms to the latest version, which contains both the operating system and the microcode updates that mitigate this problem. To perform this update, run the following command on the support channel:

sdcadm platform install --latest

For additional assistance, please contact Joyent Support.

These operating system images contain the required microcode updates, so BIOS updates do not need to be applied immediately.

These updates have a performance impact that will vary with the workload. Disabling hyper-threading in the system BIOS can be used to mitigate some of the performance impact; however, whether that makes sense for a given environment will vary.

In addition, customers running hardware virtual machines are encouraged to ensure that all of their virtual machines are up to date with the latest security patches provided by their vendors. If running other virtualization software or bare-metal operating systems, Joyent encourages you to contact your vendors to determine whether additional L1TF mitigations are required.

Joyent’s Triton Public Cloud Users

Joyent is in the process of ensuring that Triton public cloud customer instances are protected from these vulnerabilities. However, customers running hardware virtual machines should refer to instructions from their OS provider for additional steps to take:

  • Centos
  • Debian
  • FreeBSD
  • RedHat
  • Ubuntu
  • Windows
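For the Linux guests listed above, the kernel that carries the L1TF fix reports its mitigation state in sysfs. The following script is an added example (it is not Joyent tooling and not part of this advisory) that reads that state and grades it the way an operator reviewing a hardware virtual machine would: is the OS-side mitigation (CVE-2018-3620) in place, is the hypervisor-side L1D flush (CVE-2018-3646) active, and is hyper-threading still leaving a sibling thread exposed. It assumes the Linux kernel's /sys/devices/system/cpu/vulnerabilities/l1tf and /sys/devices/system/cpu/smt/active files and the string formats the kernel writes to them; the sample strings in the test are constructed from those formats.

```python
"""Read a Linux guest's L1TF state from sysfs and grade it.

Added example, not Joyent's tooling. Assumes the Linux kernel's
/sys/devices/system/cpu/vulnerabilities/l1tf and
/sys/devices/system/cpu/smt/active interfaces.
"""
import os
from dataclasses import dataclass
from typing import Optional

L1TF_PATH = "/sys/devices/system/cpu/vulnerabilities/l1tf"
SMT_PATH = "/sys/devices/system/cpu/smt/active"

# Flush-mode phrases the kernel appends after "VMX: " when KVM is in use.
FLUSH_MODES = {
    "vulnerable": "off",
    "conditional cache flushes": "conditional",
    "cache flushes": "always",
    "EPT disabled": "ept-disabled",
    "flush not necessary": "not-needed",
}


@dataclass
class L1tfStatus:
    affected: bool                  # CPU has the L1TF bug at all
    pte_inversion: bool             # OS/SMM side (CVE-2018-3620) mitigated
    vmx_reported: bool              # kernel printed hypervisor (VMX) state
    l1d_flush: Optional[str] = None        # one of the FLUSH_MODES values
    smt_vulnerable: Optional[bool] = None  # sibling thread can observe L1D


def parse_l1tf(text: str) -> L1tfStatus:
    """Parse the sysfs l1tf string into a structured status."""
    s = text.strip()
    if s == "Not affected":
        return L1tfStatus(False, False, False)
    if s == "Vulnerable":
        return L1tfStatus(True, False, False)
    prefix = "Mitigation: PTE Inversion"
    if not s.startswith(prefix):
        raise ValueError(f"unrecognised l1tf state: {s!r}")
    st = L1tfStatus(True, True, False)
    rest = s[len(prefix):]
    if not rest.startswith("; VMX: "):
        return st  # KVM not active: only the OS-side mitigation matters here
    st.vmx_reported = True
    vmx = rest[len("; VMX: "):]
    if ", SMT " in vmx:
        flush, smt = vmx.split(", SMT ", 1)
        st.smt_vulnerable = smt == "vulnerable"
    else:
        # Two forms carry no SMT field: "vulnerable" (flush off with SMT on)
        # and "EPT disabled".
        flush = vmx
        st.smt_vulnerable = True if flush == "vulnerable" else None
    if flush not in FLUSH_MODES:
        raise ValueError(f"unrecognised VMX flush mode: {flush!r}")
    st.l1d_flush = FLUSH_MODES[flush]
    return st


def assess(st: L1tfStatus, smt_active: Optional[bool]) -> str:
    """Grade: 'ok', 'host-unpatched', 'vm-unpatched' or 'smt-risk'."""
    if not st.affected:
        return "ok"
    if not st.pte_inversion:
        return "host-unpatched"    # CVE-2018-3620 open: update the kernel
    if not st.vmx_reported:
        return "ok"                # no hypervisor role: OS-side fix suffices
    if st.l1d_flush == "off":
        return "vm-unpatched"      # CVE-2018-3646 open: guests can read L1D
    if st.l1d_flush == "ept-disabled":
        return "ok"                # guest cannot steer physical addresses
    # An L1D flush on VM entry removes the previous context's data, but a
    # sibling hyperthread running concurrently still shares the cache, so
    # with untrusted guests SMT remains a risk (see the advisory's note on
    # disabling hyper-threading).
    smt_on = st.smt_vulnerable if st.smt_vulnerable is not None else bool(smt_active)
    return "smt-risk" if smt_on else "ok"


def read_sysfs(path: str) -> Optional[str]:
    """Return a sysfs file's contents, or None if the kernel lacks it."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    raw = read_sysfs(L1TF_PATH)
    if raw is None:
        print("no l1tf sysfs entry: kernel predates the L1TF fix or is not Linux")
    else:
        smt_raw = read_sysfs(SMT_PATH)
        smt = None if smt_raw is None else smt_raw.strip() == "1"
        print(raw.strip(), "->", assess(parse_l1tf(raw), smt))
```

Run it inside each Linux hardware virtual machine after applying the vendor's kernel update; a missing sysfs entry means the guest kernel is older than the fix and should itself be updated. A result of smt-risk inside a guest is informational (the sibling-thread exposure is decided by the host, which on Triton is handled by the platform update above); on a host it is the case the hyper-threading discussion in this advisory refers to.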

Customers that are using Joyent’s container-based solutions – in the form of Docker containers, Linux containers, or SmartOS containers (zones) – do not need to take any additional action at this time.

Open Source SmartOS and Triton Users

Open Source SmartOS and Triton users should follow the same advice as Triton software customers. A platform image containing this fix will be made available in the 16-August-2018 release, and all subsequent releases will also contain these fixes.

Please direct any further questions to the SmartOS Community Mailing Lists and IRC.

Support

If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.

As noted above, if you are an Open Source Triton user, please direct any further questions to the SmartOS Community Mailing Lists and IRC.