
How-To: Update, Protect Against RIDL, Fallout MDS Vulnerability

RIDL and Fallout MDS vulnerabilities, impact on VDI performance & actions to take.

This article collects the most common questions we’re receiving and the status of the performance tests currently being executed on the patches for the flaws Intel refers to as “Microarchitectural Data Sampling (M.D.S.)”, a.k.a. Rogue In-Flight Data Load (RIDL), Fallout, ZombieLoad and Store-to-Leak Forwarding.


It has been quiet for a while - on the surface at least - but security researchers have not stopped investigating Intel CPUs for new flaws. Yesterday, new security issues were made public (shout out to the fellow Dutchman who discovered this flaw) that Intel refers to as “Microarchitectural Data Sampling (M.D.S.)”. Immediately WhatsApp, Slack and email started to buzz, notifying me that something was up.

In this article - which will be updated as we go - I’ll be providing you with the most common questions we’re receiving and updates on the performance tests currently being executed. Additionally, this article contains the steps executed to patch our lab, to use as a reference if you’re in the process of updating yourself, as little documentation is available currently. As multiple research teams have discovered different flaws, you might have seen the alternative names: Rogue In-Flight Data Load (RIDL), Fallout, ZombieLoad and Store-to-Leak Forwarding.

Don’t forget to leave your comments on the impact Microarchitectural Data Sampling (MDS) (a.k.a.: Rogue In-Flight Data Load (RIDL), Fallout, ZombieLoad and Store-to-Leak Forwarding) has had on your VDI environments and what you’re doing to protect against your vulnerabilities.


Please note that I’m not a security expert, my tips are focused on performance, not safety!


There are many articles outlining the theoretical and practical implications of testing. Here are a few good examples:

If you are running a VDI environment today e.g. VMware Horizon, or Citrix Virtual Apps and Desktops, what are immediate steps to take, and how does it affect performance and scalability?

As most of Login VSI’s customers are running the combination of VMware as the hypervisor with Citrix on top for desktop delivery, that’s our focus for now.

VMware has been kind enough to create the image below and I couldn’t have done a better job myself as it perfectly shows the need for capacity testing/planning before going live. These mitigations can have a huge impact on how many users you can run in your datacenter.

Login VSI Blog - RIDL Security Breach - Capacity Testing Planning Before Going Live

Source: https://kb.vmware.com/s/article/67577


As I’m lucky enough to have a lab environment at hand (see details), I set off to update VMware vCenter first. The update process is simple and only took a few minutes (for reference, this environment consists of approximately 10 hosts and about 3000 VMs, of which 400 were powered on with users logged on; these users were not affected and could continue working). To update your own environment, go to your vCenter appliance management portal at https://vCenter.FQDN.com:5480.

From there, check for updates, stage the update and install it.

Login VSI Blog - RIDL Security Breach - Update VMware vCenter


After the vCenter update completes, and the services have restarted automatically, the next step is to patch my ESXi servers. Naturally I’m not going to do this by hand, so I’ll leverage the update mechanism available. In your vSphere client, browse to the “Update Manager”.

Login VSI Blog - RIDL Security Breach - Start Patching Process Hypervisor


By choosing New in the Baselines tab, I can create a new patch baseline. By selecting the 14th of May as the date in the wizard, I can quickly select the updates needed. I’ve only selected the 6.7 updates, as my lab is running the latest versions. If you are running older versions, make sure to select the correct ones.

Login VSI Blog - RIDL Security Breach - Create New Patch Baseline


After creating the baseline, we’ve got to attach it to a system. To do so, find the host(s) you’d like to test on or mitigate and attach the baseline in the Updates tab. This will cause the system to be validated against the baseline, which will report it as “Not Compliant”.

Login VSI Blog - RIDL Security Breach - Validate System Against Baseline Not Compliant


After running the pre-checks, click Remediate to start the patching process on the hypervisor.

Login VSI Blog - RIDL Security Breach - Start Patching Process Hypervisor


As seen in the VMware flowchart, patching the hypervisor doesn’t automatically enable the mitigations, which allows us to test the impact of the different settings. Please note that the mitigations are only effective when all layers (microcode, hypervisor and operating system) have been patched. This is the same for all hypervisors.

When using VMware ESXi, you might note that there are multiple versions of the mitigations: in ESXi 6.7u2, SCAv2 was released, which offers performance improvements over SCAv1 while still protecting against VM-to-VM and VM-to-hypervisor information leakage. The side-channel aware scheduler has been enhanced with a new policy that allows hyper-threads to be used concurrently if both threads are running vCPU contexts from the same VM. In this way, L1TF side channels are constrained so that they cannot expose information across VM/VM or VM/hypervisor boundaries. Source: https://blogs.vmware.com/performance/author/todd_muirhead

Login VSI Blog - RIDL Security Breach - ESXI 6.7u2 Scheduler Configuration Summary
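The host-side steps above (attach the baseline, scan, remediate) followed by the SCAv1/SCAv2 choice, automated with PowerCLI. This is an added example, not code from the original post or from VMware; the vCenter, host and baseline names are placeholders, the baseline is assumed to already exist in Update Manager, and the two VMkernel.Boot advanced options are the ones VMware documents for the side-channel aware scheduler (verify them against the VMware KB for your ESXi build).

```powershell
# Added example (not from the original post). Requires VMware PowerCLI with the
# Update Manager cmdlets. All names below are placeholders for your environment.
param(
    [string]$VCenter      = 'vcenter.example.internal',   # placeholder
    [string]$HostName     = 'esxi01.example.internal',    # placeholder
    [string]$BaselineName = 'MDS-2019-05-14',             # placeholder, created in the wizard
    [ValidateSet('SCAv1', 'SCAv2')][string]$Scheduler = 'SCAv2'
)

Connect-VIServer -Server $VCenter | Out-Null
$vmhost   = Get-VMHost -Name $HostName
$baseline = Get-Baseline -Name $BaselineName

# Attach the baseline and scan: the host should report "NotCompliant" before patching.
Attach-Baseline -Entity $vmhost -Baseline $baseline
Test-Compliance -Entity $vmhost
Get-Compliance -Entity $vmhost -Baseline $baseline | Format-Table Entity, Status

# Remediate: Update Manager puts the host in maintenance mode, patches and reboots it.
Update-Entity -Entity $vmhost -Baseline $baseline -Confirm:$false

# Patching alone does not enable the side-channel aware scheduler (see the flowchart).
# Assumed from VMware's documentation: hyperthreadingMitigation=TRUE turns the
# scheduler on; hyperthreadingMitigationIntraVM=TRUE gives SCAv1, FALSE gives SCAv2.
$intraVm = ($Scheduler -eq 'SCAv1')
Get-AdvancedSetting -Entity $vmhost -Name 'VMkernel.Boot.hyperthreadingMitigation' |
    Set-AdvancedSetting -Value $true -Confirm:$false
Get-AdvancedSetting -Entity $vmhost -Name 'VMkernel.Boot.hyperthreadingMitigationIntraVM' |
    Set-AdvancedSetting -Value $intraVm -Confirm:$false

# These are boot options, so the host must be rebooted once more for them to take effect.
Set-VMHost -VMHost $vmhost -State Maintenance | Out-Null
Restart-VMHost -VMHost $vmhost -Confirm:$false
```

Run it against one test host first, as the article does, so that the per-setting performance impact can be measured before the setting is rolled out.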

To download the specific hotfix from Microsoft, search the Windows Update Catalog (or download all available updates).

  • Windows 10 1803:
    Microsoft Windows Support: May 14, 2019—KB4499167 (OS Build 17134.765)
    Microsoft Update Catalog: 4499167

Login VSI Blog - RIDL Security Breach - Microsoft Update Center
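Once the guest update is installed, the operating-system layer can be verified from inside the Windows 10 1803 VM. This is an added example, not from the original post; it assumes Microsoft's SpeculationControl module from the PowerShell Gallery (Install-Module SpeculationControl) and that its MDS* output properties are named as documented for that module.

```powershell
# Added example (not from the original post). Reports whether the guest OS layer
# of the mitigation is in place, matching the "Operating System" column of the
# test matrix. KB4499167 is the Windows 10 1803 update named in the article.
function Test-MdsGuestMitigation {
    param([string]$RequiredKb = 'KB4499167')   # adjust for other OS builds

    # Layer 1: is the May 2019 cumulative update actually installed?
    $kbInstalled = [bool](Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue)

    # Layer 2: what does Windows itself report about MDS support and enablement?
    # Property names assumed from the SpeculationControl module's documented output.
    $s = Get-SpeculationControlSettings -Quiet

    [pscustomobject]@{
        KbInstalled       = $kbInstalled
        HwVulnerable      = $s.MDSHardwareVulnerable
        OsSupportPresent  = $s.MDSWindowsSupportPresent
        OsMitigationOn    = $s.MDSWindowsSupportEnabled
        # Only "YES" in the matrix when the update is present AND the mitigation is enabled;
        # a vulnerable CPU with support present but disabled is still an unpatched layer.
        GuestLayerPatched = ($kbInstalled -and $s.MDSWindowsSupportPresent -and $s.MDSWindowsSupportEnabled)
    }
}

Test-MdsGuestMitigation | Format-List
```

Microcode and hypervisor status are not visible from the guest, so a GuestLayerPatched of True only confirms one of the three layers the article says must all be patched.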

So what’s next?

Simply run through the process of change impact testing. These are the tests that I’ll be executing in the coming period, sharing my results and updating this article. Please note that if you are updating your own environment, mileage may vary, as this is a lab environment. If you’re hosting your environment in the cloud, I can highly recommend taking a look at that with Login PI to safeguard performance.

  Test configuration   Microcode   Hypervisor   Operating System
  W10-1803-Reference   NO          NO           NO
  W10-1803-SCAv1       YES         YES          NO
  W10-1803-SCAv1       YES         YES          YES
  W10-1803-SCAv2       YES         YES          NO
  W10-1803-SCAv2       YES         YES          YES

About the author

Mark Plettenberg (@markplettenberg) is a product manager of Login VSI and has played a critical role in the development and growth of Login VSI. Ask Mark about motorcycle mechanics and breaking/repairing anything and everything that has a power plug.


Tags: News, How-to, Microsoft, Citrix, VMware, Windows, Support, Product Updates, Patching, RIDL