ESXI-06-000055 - The system must disable Inter-VM transparent page sharing.

Information

Published academic papers have demonstrated that by forcing a flush and reload of cache memory, it is possible to measure memory timings to try and determine an AES encryption key in use on another virtual machine running on the same physical processor of the host server if Transparent Page Sharing is enabled between the two virtual machines. This technique works only in a highly controlled system configured in a non-standard way that VMware believes would not be recreated in a production environment.

Even though VMware believes information being disclosed in real world conditions is unrealistic, out of an abundance of caution upcoming ESXi Update releases will no longer enable TPS between Virtual Machines by default (TPS will still be utilized within individual VMs).

Solution

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Mem.ShareForceSalting value and configure it to 2.

or

From a PowerCLI command prompt while connected to the ESXi host run the following commands:

Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting | Set-AdvancedSetting -Value 2

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMware_vSphere_6-0_ESXi_V1R5_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|III, CCI|CCI-000366, Group-ID|V-63279, Rule-ID|SV-77769r1_rule, STIG-ID|ESXI-06-000055, Vuln-ID|V-63279

Plugin: VMware

Control ID: ab1dbcab3ca76afeab518d98055499de4b4efd6d6ab9866c54b482fdcf3094bc