The L1TF (L1 Terminal Fault) vulnerability has been identified as another Intel-based speculative-execution side-channel vulnerability, similar to the Spectre and Meltdown vulnerabilities which made headlines earlier this year. It is currently only identified as a theoretical vulnerability, with no proof of its malicious use in the wild.
The risk of the vulnerability is that when specially crafted malicious code is executed on an unprotected VM in an unprotected shared virtualisation environment, CPU cache memory from other VMs running on the same CPU can be obtained. The contents of this cache memory could include things such as passwords or private keys belonging to other unprotected VMs.
The potential impact, if exploited by a bad actor, is the leaking of sensitive information across virtual machine boundaries, which should normally not be possible. Obviously this is more of a concern for shared and public cloud offerings than for private clouds.
To completely cover your VMware environment from L1TF, the following steps need to be taken:
As outlined in the previous question, to completely cover your VMware environment from L1TF you need to enable the L1TF threat prevention setting on each ESXi host. This setting has a CPU impact on the host, as it includes disabling the hyper-threading feature of Intel CPUs. Hyper-threading technology is responsible for giving, in some cases, up to double the CPU performance within servers. Recent benchmarks across environments indicate that this number is closer to 10-20%, but it really depends on the types of applications running within your environment. By disabling hyper-threading, CPU capacity will be decreased, and this may or may not affect your ability to comfortably run your current virtual machine workloads on existing hardware, especially in a failed-server or maintenance situation.
VMware has provided a PowerCLI utility that can be run against a VMware environment to give an indication of the risk of making this change to the environment. Its recommendations are based on the current workloads and on rolled-up performance data from vCenter going back a number of months.
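As an added example (not VMware's utility and not code from the original post), the PowerCLI audit below reports each host's mitigation setting and hyper-threading state and projects CPU usage without hyper-threading. It assumes an existing Connect-VIServer session, that the ESXi advanced setting VMkernel.Boot.hyperthreadingMitigation is the mitigation toggle, and a 20% hyper-threading contribution as an assumed figure.

```powershell
# Added example, not the VMware tool: audit ESXi hosts for the L1TF mitigation
# state and flag hosts whose current CPU demand would leave little headroom
# once hyper-threading is disabled. Assumes PowerCLI is loaded and a
# Connect-VIServer session exists. The 20% HT gain is an assumed value.
param(
    [double]$AssumedHtGain = 0.20,   # assumed extra capacity HT provides today
    [double]$HeadroomWarn  = 0.70    # warn if projected usage exceeds 70%
)

$report = foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    # Mitigation toggle: 'True' means ESXi stops co-scheduling sibling threads
    $setting = Get-AdvancedSetting -Entity $vmhost `
        -Name 'VMkernel.Boot.hyperthreadingMitigation' -ErrorAction SilentlyContinue
    $mitigated = if ($setting) { [string]$setting.Value -eq 'True' } else { $null }

    # Hyper-threading state from the host's config object
    $ht = $vmhost.ExtensionData.Config.HyperThread
    $htActive = if ($ht) { [bool]$ht.Active } else { $false }

    # Average host-level CPU usage (%) over the last day from vCenter rollups
    $samples = Get-Stat -Entity $vmhost -Stat 'cpu.usage.average' `
        -Start (Get-Date).AddDays(-1) -ErrorAction SilentlyContinue |
        Where-Object { $_.Instance -eq '' }
    $usage = ($samples | Measure-Object -Property Value -Average).Average
    if (-not $usage) { $usage = 0 }

    # If HT is on, losing it shrinks capacity, so the same demand occupies
    # (1 + gain) times as much of what remains
    $projected = if ($htActive) { $usage * (1 + $AssumedHtGain) } else { $usage }

    [pscustomobject]@{
        Host         = $vmhost.Name
        Mitigated    = $mitigated        # $null if the host lacks the setting (unpatched)
        HTActive     = $htActive
        CpuUsagePct  = [math]::Round($usage, 1)
        ProjectedPct = [math]::Round($projected, 1)
        Warning      = ($projected -gt ($HeadroomWarn * 100))
    }
}

$report | Format-Table -AutoSize
```

A host showing Mitigated as empty has no mitigation setting at all and still needs the ESXi patch before the setting can be enabled.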
Stay tuned for more in depth information on the L1TF threat and how it relates to VMware environments.
Since 2002, Perfekt has been delivering IT infrastructure solutions, services and consulting to address the business challenges IT organisations face within their respective companies from the continually changing IT landscape.