As part of the August 14th disclosure by Intel, three security vulnerabilities have been named:

  • CVE-2018-3646 (L1 Terminal Fault - VMM)
  • CVE-2018-3620 (L1 Terminal Fault - OS)
  • CVE-2018-3615 (L1 Terminal Fault – SGX, SMM)

At this time, there is no indication that these vulnerabilities have impacted us or have been used to attack our customers.

Intel has posted detailed information about these vulnerabilities here.

Briefly, each of these vulnerabilities affects a different aspect of the terminal fault vulnerability.

  1. CVE-2018-3646 (L1 Terminal Fault - VMM) - may allow unauthorized disclosure of information residing in the L1 data cache from a virtualized guest in a Virtual Machine Monitor (VMM).

CenturyLink has taken the necessary steps to mitigate this vulnerability through vendor recommended patches and microcode updates. No further action is necessary.

  2. CVE-2018-3620 (L1 Terminal Fault - OS) - may allow unauthorized disclosure of information residing in the L1 data cache from the Operating System (OS) or System Management Mode (SMM).

CenturyLink recommends that customers apply necessary security updates in a timely manner.

For Linux users, a number of tests can be performed to validate your level of protection:

Ubuntu OS Details and Tests

RedHat Details and Tests, including Ansible playbooks to ease testing

Linux Kernel Details and tests
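A minimal version of such a test, added here as an illustration (it is not a CenturyLink or vendor script): it reads the L1TF status line that patched Linux kernels expose in sysfs and classifies it. The function names and result labels are assumptions of this example; the status strings follow the kernel's L1TF documentation.

```shell
#!/bin/sh
# Added example: classify the kernel's L1TF status line.
# Result labels (hypothetical, chosen for this example):
#   not-affected | mitigated | mitigated-smt-exposed | vulnerable | unknown

l1tf_classify() {
    line=$1
    case "$line" in
        "")                              echo unknown ;;       # nothing reported
        "Not affected"*)                 echo not-affected ;;  # CPU not subject to L1TF
        *"VMX: vulnerable"*)             echo vulnerable ;;    # KVM host without L1D flush
        "Mitigation:"*"SMT vulnerable"*) echo mitigated-smt-exposed ;;  # sibling thread can still leak
        "Mitigation:"*)                  echo mitigated ;;
        "Vulnerable"*)                   echo vulnerable ;;    # affected CPU, no PTE inversion
        *)                               echo unknown ;;
    esac
}

l1tf_check() {
    # Optional argument lets the check run against a saved copy of the file.
    f=${1:-/sys/devices/system/cpu/vulnerabilities/l1tf}
    if [ -r "$f" ]; then
        l1tf_classify "$(cat "$f")"
    else
        # No sysfs entry: the running kernel predates L1TF reporting,
        # so the OS update has most likely not been applied.
        echo unknown
    fi
}

echo "L1TF status on this host: $(l1tf_check)"
```

A result of `unknown` or `vulnerable` on an Intel system means the operating system update has not taken effect; `mitigated-smt-exposed` is only relevant to hosts that run their own untrusted guests.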

Microsoft also provides details on testing and remediation:

Microsoft Technical Details

  3. CVE-2018-3615 (L1 Terminal Fault – SGX, SMM) - may allow unauthorized disclosure of information residing in the L1 data cache from an Intel® SGX Enclave.

CenturyLink does not support SGX/SMM at this time; therefore, this vulnerability is not in scope for our customer base.

CenturyLink is actively conducting patching and other remediation activities across all of our infrastructure.

During our testing of patches from our infrastructure vendors that are intended to remediate these vulnerabilities, we have noticed some instances of reduced virtual CPU performance. These performance reductions were only observed in specific situations during our modeling of artificial utilization.

We expect the vast majority of virtual instances within our environment will not be impacted by reduced CPU performance as a result of this patching.

Any possible performance reduction is due to changes that have been made to virtualization features we use in order to ensure no customers are at risk of being compromised by any L1 Terminal Fault vulnerabilities.

Lastly, please note that while CenturyLink is patching our environment, we want to remind our customers that they are responsible for updating the operating system of their cloud virtual and bare metal servers. We are actively working to apply the latest patches to our Operating System templates to ensure any new virtual servers are not at risk of these vulnerabilities. We recommend you check with your operating system vendor(s) and system manufacturer(s) and apply any updates as soon as they are available.

For managed OS customers, please reference Managed OS - Operating System Patching & Update Processes.

If you have any questions or concerns, please contact help@ctl.io.