Make Sure You're Covered for the L1 Terminal Fault Vulnerability
Once a new type of vulnerability is announced, researchers will pursue all similar avenues until each is exhausted. In other words, we haven’t yet seen the last of new speculative execution vulnerabilities like Spectre and Meltdown. Last week’s variant was Foreshadow, from which MacStadium customers were protected for a variety of reasons. However, VMware just announced potential new impacts related to the L1 Terminal Fault – VMM vulnerability. Thankfully, the typical way most customers leverage MacStadium makes exploitation extremely difficult. Still, it is something MacStadium customers running VMware should be aware of so they can decide on the appropriate response.
We typically deploy private clouds safely tucked behind firewalls. This means that would-be attackers probably can’t even reach your VMs. Even if customers are using VMs to compile/test code for third parties, malicious code would need to be compiled on the Mac, break out of an iOS simulator, and then attempt to exploit the vulnerability. Considering most of us are doing our best just to compile cleanly and pass integration tests, you can see the level of difficulty it would take for a malicious attacker to successfully exploit this vulnerability.
While we remain confident that your data is safe, we still highly recommend that customers using VMware clouds at MacStadium read the advisory to help decide which response works best for their environment. A relevant patch and further suggestions are available to remediate any potential impact. As long as you are running VMware 6.5 or later, you can manually start the Update Manager, which lets you apply the relevant patch yourself. Please note that ESXi updates are generally the responsibility of the customer, but MacStadium will gladly offer support and guidance if needed.
If you are not already subscribed, we also strongly recommend registering for the VMware Security Announcements list to stay abreast of relevant issues and fixes. You can register for the list at VMware Security Announcements.