
Virtuozzo Guidance on the L1 Terminal Fault (L1TF) Vulnerability (Updated September 6, 2018)

Ivan Loginovskikh

Virtuozzo Announcements

Tags: Virtuozzo, Intel, L1TF, SMT, L1 Terminal Fault

L1 Terminal Fault (L1TF) is a speculative-execution hardware vulnerability in Intel processors. A malicious application or guest virtual machine can use it to read data that is present in the L1 data cache, bypassing the page-table protections that would normally deny that access.

List of CVEs

CVE             Name                Scope
CVE-2018-3615   L1TF/Foreshadow     Intel Software Guard Extensions (SGX) aspects
CVE-2018-3620   L1TF/Foreshadow-NG  Operating systems and System Management Mode (SMM) aspects
CVE-2018-3646   L1TF/Foreshadow-NG  Virtualization aspects

Virtuozzo Updates

Platform                    Status    Advisory link
Virtuozzo 7                 Released  help.virtuozzo.com/s/article/000017549
Virtuozzo 6                 Released  help.virtuozzo.com/s/article/000017529
Virtuozzo 4.7               Released  help.virtuozzo.com/s/article/000017528
Server Bare Metal 5.0       Released  help.virtuozzo.com/s/article/000017528
Containers for Windows 6.0  Released  help.virtuozzo.com/s/article/000017545
Containers for Windows 4.6  Released  help.virtuozzo.com/s/article/000017546


Mitigation

CVE-2018-3615: Virtuozzo products are not affected by this vulnerability since they do not use Intel SGX.

CVE-2018-3620: To be resolved by the kernel update on the host server.

CVE-2018-3646: To be resolved by the kernel update on the host server and in virtual machines. Additionally, consider disabling SMT after reading the information below.


Mitigation Scenarios

  • Virtuozzo server is running containers only, no virtual machines
    • Install the kernel update on the host server
  • Virtuozzo server is running trusted virtual machines (guests whose root access is held by the host operator)
    • Install the kernel update on the host server and update the guest systems
  • Virtuozzo server is running untrusted virtual machines
    • Along with the host and guest updates, it might be necessary to disable simultaneous multithreading (Hyper-Threading) completely. This mitigation is not enabled by default because of its significant performance impact.


Simultaneous Multithreading (SMT) Discussion

SMT (Hyper-Threading, in Intel's terminology) improves system performance by running two logical processors on each physical core. Both logical processors share the core's L1 data cache, so the L1TF attack allows a malicious virtual machine guest running on one thread to read data brought into the L1 cache by the sibling thread on the same core, which may be executing the host or another virtual machine.

Full mitigation of the vulnerability is not possible without disabling Hyper-Threading: the L1 data cache flush that the patched host kernel performs on VM entry cannot protect against a sibling thread that keeps running concurrently. However, disabling Hyper-Threading severely impacts system performance. Also note that this vulnerability is extremely hard to exploit through popular attack vectors like JavaScript in browsers. The only viable way to attack the host or other virtual machines is to have root access to a virtual machine on the host, run an attacker-controlled (vulnerable) guest OS in it, and run a malicious program there.

If one still wants to disable SMT, there are two ways to do it:

  1. Disable SMT (Hyper-Threading, HT) in the system BIOS/UEFI setup, or
  2. Pass the 'nosmt' flag as a kernel boot parameter in the GRUB configuration file, regenerate the GRUB configuration, and reboot.
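The following helpers, added here as an example and not part of Virtuozzo's tooling or of this advisory, cover the two checks a practitioner wants around step 2: reading what the running kernel itself reports about L1TF and SMT, and adding 'nosmt' to the GRUB kernel command line without duplicating it. They assume a kernel that carries the L1TF patches (which exposes /sys/devices/system/cpu/vulnerabilities/l1tf) and a GRUB 2 host configured through /etc/default/grub in the RHEL 7 style, as on a Virtuozzo 7 node; the file paths and the grub2-mkconfig invocation are those assumptions, not something taken from the advisory.

```shell
#!/bin/sh
# Added example, not Virtuozzo's own tooling. Two helpers for the SMT
# mitigation step: one reports what the running kernel says about L1TF/SMT,
# the other adds 'nosmt' to the GRUB kernel command line idempotently.
# Assumptions: a kernel carrying the L1TF patches exposes
# /sys/devices/system/cpu/vulnerabilities/l1tf, and the host uses GRUB 2 with
# /etc/default/grub (RHEL 7 style, as on Virtuozzo 7 hosts).

# Classify the kernel's L1TF status line. Optional argument: a file holding
# that line (used for testing); defaults to the real sysfs node.
# Typical lines on a patched Intel host:
#   "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable"
#   "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled"
l1tf_smt_state() {
    f="${1:-/sys/devices/system/cpu/vulnerabilities/l1tf}"
    [ -r "$f" ] || { echo "unknown"; return 0; }
    case "$(cat "$f")" in
        "Not affected")     echo "not-affected" ;;
        *"SMT disabled"*)   echo "smt-disabled" ;;
        *"SMT vulnerable"*) echo "smt-vulnerable" ;;
        *)                  echo "unknown" ;;
    esac
}

# Add 'nosmt' to GRUB_CMDLINE_LINUX in a GRUB defaults file. Running it twice
# leaves the file unchanged; the variable is created if it is missing.
# Returns 0 only if 'nosmt' is on the GRUB_CMDLINE_LINUX line afterwards.
# Afterwards regenerate grub.cfg and reboot, e.g. on a RHEL 7 style host:
#   grub2-mkconfig -o /boot/grub2/grub.cfg && reboot
grub_add_nosmt() {
    f="$1"
    # Already present as a whole word on the GRUB_CMDLINE_LINUX line: nothing to do.
    if grep '^GRUB_CMDLINE_LINUX=' "$f" | grep -qw nosmt; then
        return 0
    fi
    if grep -q '^GRUB_CMDLINE_LINUX=' "$f"; then
        # Append inside the closing double quote, then drop the stray space
        # left behind when the variable was empty ("" -> " nosmt" -> "nosmt").
        sed -e 's/^\(GRUB_CMDLINE_LINUX="[^"]*\)"/\1 nosmt"/' \
            -e 's/^GRUB_CMDLINE_LINUX=" nosmt"/GRUB_CMDLINE_LINUX="nosmt"/' \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf 'GRUB_CMDLINE_LINUX="nosmt"\n' >> "$f"
    fi
    # Verify the edit actually landed (an unquoted value, for example, would
    # not have matched the sed pattern above).
    grep '^GRUB_CMDLINE_LINUX=' "$f" | grep -qw nosmt
}
```

Run `l1tf_smt_state` before and after the reboot: the sibling-thread exposure is only closed once the reported line ends in "SMT disabled". If the sysfs node is missing, the host kernel does not carry the L1TF patches at all and the kernel update from the advisory comes first.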

Performance Implications

To help our customers choose a mitigation strategy, we are providing the benchmark results from testing we recently conducted. Benchmarking showed that the L1TF fix has no measurable performance impact on containers. Benchmarking of virtual machines showed a 10-15% performance drop from the combined host and guest protection, and an additional 15% degradation with SMT disabled.

Virtuozzo ran the standard vConsolidate test (see note 1 below) to assess the performance impact.

Containers (chart legend):

  Line 1 (red):  Virtuozzo 7 Update 8 before the L1TF fix, CentOS 7.5 container, 2 vCPUs, 2 GB RAM
  Line 2 (grey): Virtuozzo 7 Update 8 Hotfix 1 with the L1TF fix, CentOS 7.5 container, 2 vCPUs, 2 GB RAM

Virtual machines (chart legend):

  Line 1 (red):    Virtuozzo 7 Update 8 before the L1TF fix, Windows 2012 R2 VM, 2 vCPUs, 2 GB RAM
  Line 2 (green):  Virtuozzo 7 Update 8 Hotfix 1 with the L1TF fix, Windows 2012 R2 VM, 2 vCPUs, 2 GB RAM, guest without the L1TF fix
  Line 3 (yellow): Virtuozzo 7 Update 8 Hotfix 1 with the L1TF fix, Windows 2012 R2 VM, 2 vCPUs, 2 GB RAM, guest with the L1TF fix
  Line 4 (blue):   Virtuozzo 7 Update 8 Hotfix 1 with the L1TF fix and SMT disabled, Windows 2012 R2 VM, 2 vCPUs, 2 GB RAM, guest with the L1TF fix

Note 1: vConsolidate is a performance benchmark. It deploys one or more groups of virtual appliances that run a set of applications working together as a single group, called a Consolidation Stack Unit (CSU). Each server in the group produces a result such as transactions per second, and the aggregated result is used to compare virtualization solutions. By increasing the number of CSUs it is possible to see how different solutions behave: which produce more transactions on the same hardware with the same number of CSUs, and which can run more CSUs effectively before overall system performance begins to decrease.

Update History

15.08.2018: Initial publication.

20.08.2018: Added the advisory links for Virtuozzo 6, Virtuozzo 4.7, and Server Bare Metal 5.0.

30.08.2018: Added the advisory link for Virtuozzo 7.

31.08.2018: Added the benchmark results.

06.09.2018: Added the advisory links for Virtuozzo Containers for Windows.
