OVH – L1 Terminal Fault (L1TF) / Foreshadow disclosure
We were recently informed by our partners at Intel of the discovery of a new vector of the "speculative execution side-channel" type, named L1TF / Foreshadow and based on the same concept as the Spectre and Meltdown flaws discovered in January and May 2018.
What is L1TF?
Called "L1 Terminal Fault" (L1TF) – or "Foreshadow" – this vulnerability concerns CPUs with SMT technology (also known as "hyper-threading" on Intel processors). It may allow malicious code running on one thread to read data from the L1 cache belonging to another thread on the same core.
The Foreshadow vulnerability is extremely complex to exploit, and only a proof of concept developed under laboratory conditions has validated its existence. Although there is no evidence that this vulnerability has actually been exploited yet, three CVE identifiers (all rated "high") have been created:
- L1 Terminal Fault – SGX (CVE-2018-3615): 7.9 High, CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
- L1 Terminal Fault – OS, SMM (CVE-2018-3620): 7.1 High, CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
- L1 Terminal Fault – VMM (CVE-2018-3646): 7.1 High, CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
How can we be protected from this flaw?
These three variants of L1 Terminal Fault (L1TF) / Foreshadow can be mitigated in two ways:
- Applying the microcode updates provided since January, through the UEFI boot provided by OVH and/or via the operating system,
- Updating operating systems and kernels (the main OS and hypervisor vendors will start distributing patches).
OVH will apply these patches to its host machines once they are made available by their respective vendors and once we have – as per our usual practice – validated them through our non-regression tests.
Customers with a managed offer (web hosting, e-mails, etc.) therefore have no action to take.
In addition, customers with root access to their infrastructure (dedicated servers, VPS, Public Cloud, Private Cloud, etc.) can secure their installations with a simple update of the operating system and kernel (https://docs.ovh.com/sg/en/dedicated/updating-kernel-dedicated-server/).
Details regarding the CVE-2018-3646 variant
In the specific case of the CVE-2018-3646 variant of Foreshadow, there may be a delay before vendors are able to provide a patch. In the meantime, one way to protect yourself from this variant is to disable hyper-threading. Some patches distributed after the disclosure of this vulnerability should allow you to do this in software, through a kernel option.
However, the performance impact of doing so can be significant. Given how complex this vulnerability is to exploit, we advise you to wait for the OS vendor's recommendations for the specific hypervisor you use before disabling hyper-threading.
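To see where a Linux host stands against the two mitigation paths above (microcode plus kernel update, and optionally disabling hyper-threading through a kernel option), the script below reads the status the patched kernels expose under sysfs and summarises it. This is an added example, not an OVH tool; it assumes a kernel carrying the L1TF patches, which report through the /sys/devices/system/cpu/vulnerabilities/l1tf and /sys/devices/system/cpu/smt/control files, and the keyword names and verdict wording are this example's own.

```shell
#!/bin/sh
# Added example, not OVH's own tooling: summarise a Linux host's L1TF/Foreshadow
# mitigation state from the sysfs reporting introduced with the L1TF kernel
# patches. Hosts on older kernels lack these files, which is itself a finding.
L1TF_FILE=/sys/devices/system/cpu/vulnerabilities/l1tf
SMT_FILE=/sys/devices/system/cpu/smt/control

# Map the kernel's l1tf status line to one keyword (keyword names are ours).
# The patterns follow the strings documented in the kernel's l1tf admin guide.
l1tf_classify() {
    case "$1" in
        "Not affected"*)                    echo unaffected ;;
        Mitigation:*"VMX: vulnerable"*)     echo mitigated-no-vmm-flush ;;
        Mitigation:*"SMT disabled"*)        echo mitigated-smt-off ;;
        Mitigation:*"SMT vulnerable"*)      echo mitigated-smt-on ;;
        Mitigation:*)                       echo mitigated ;;
        Vulnerable*)                        echo vulnerable ;;
        *)                                  echo unknown ;;
    esac
}

# Turn a classification into a defender's verdict: ok / review / action.
l1tf_verdict() {
    case "$1" in
        unaffected|mitigated|mitigated-smt-off) echo ok ;;
        mitigated-smt-on)       echo "review: SMT on; relevant only for hosts running untrusted guests (CVE-2018-3646)" ;;
        mitigated-no-vmm-flush) echo "action: L1D flush unavailable to the hypervisor; apply the microcode update" ;;
        *)                      echo "action: update kernel and microcode" ;;
    esac
}

# Print the raw kernel reporting, any l1tf=/nosmt boot option, and the verdict.
l1tf_report() {
    status=$(cat "$L1TF_FILE" 2>/dev/null || true)
    smt=$(cat "$SMT_FILE" 2>/dev/null || echo unknown)
    opts=$(grep -oE '(l1tf|nosmt)[^ ]*' /proc/cmdline 2>/dev/null | tr '\n' ' ')
    echo "l1tf status : ${status:-<missing: kernel predates the L1TF patches>}"
    echo "smt control : $smt"
    echo "boot options: ${opts:-none}"
    echo "verdict     : $(l1tf_verdict "$(l1tf_classify "$status")")"
}

l1tf_report
```

A missing sysfs entry is classified as unknown and reported as needing action, since it means the running kernel has not received the L1TF patches at all.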
As usual, we strongly encourage our customers to keep their systems up to date, in order to maintain the maximum effectiveness for all protection measures put in place.
As a global provider of cloud services, we work closely with our partners, manufacturers and software vendors every day to improve the security of our infrastructure, updating systems and applying the necessary patches whenever new vulnerabilities are discovered, in addition to other internal protection measures.
L1 Terminal Fault (L1TF) / Foreshadow vulnerabilities are no exception to the rule, but in light of the recent media coverage of their discovery, and in the spirit of OVH’s longstanding emphasis on transparency, we want to respond directly to the legitimate concerns of our customers.
More information:
Links to software vendors and OS/Distros:
- Ubuntu: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/L1TF
- VMware: https://kb.vmware.com/s/article/55636
- Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180018
- Red Hat: https://access.redhat.com/security/vulnerabilities/L1TF
- SUSE: https://www.suse.com/support/kb/doc/?id=7023077