Title

The ESXi host must not suppress warnings about unmitigated hyperthreading vulnerabilities. (Cat II impact)

Discussion

The L1 Terminal Fault (L1TF) CPU vulnerabilities published in 2018 have patches and mitigations available in vSphere. However, there are performance impacts to these mitigations that require careful thought and planning from the system administrator before implementation. Until a mitigation is implemented, the UI warning about the lack of a mitigation must not be dismissed so the SA does not assume the vulnerability has been addressed.

Check Content

From the vSphere Client go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "UserVars.SuppressHyperthreadWarning" value and verify it is set to "0". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.SuppressHyperthreadWarning If "UserVars.SuppressHyperthreadWarning" is not set to "0" or the setting does not exist, this is a finding.

Fix Text

From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "UserVars.SuppressHyperthreadWarning" value and set it to "0". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.SuppressHyperthreadWarning | Set-AdvancedSetting -Value "0"

Additional Identifiers

Rule ID: SV-256433r959010_rule

Vulnerability ID: V-256433

Group Title: SRG-OS-000480-VMM-002000

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.