Confirming Hypervisor-Assisted Guest Mitigations at a VM level.

https://kb.vmware.com/s/article/68024 gives detailed steps on how to validate that an ESXi host has both the CPU microcode and the hypervisor patches applied. The step for confirming this is to examine the vmware.log file of a VM and look for the CPUID capability entry; based on the latest version of the KB, this is for example:

Capability Found: cpuid.MDCLEAR

This, however, only confirms that the hypervisor has the new microcode that includes the CPUID mask (CPU feature) used to mitigate the Microarchitectural Data Sampling (MDS) vulnerabilities. There is no easy way, just by looking at the vmware.log, to confirm whether or not the CPU features have actually been exposed to the VM hardware. What some folks do is search the vmware.log for the MDCLEAR entry under “Featurecompat: Requirements:”.


There is an easier way of confirming this, and any future CPUID masks. We can validate both the hypervisor and the VMs using PowerCLI; it doesn’t have to be a script, a single line is enough:

Validating Hypervisor

The line below lists all the CPUID masks enabled by the current CPU microcode on a specific ESXi host. If the MDCLEAR CPU feature is present in the output, the ESXi host is patched and compliant.

(Get-VMHost -Name "hostname").ExtensionData.Config.FeatureCapability | 
Where-Object value -eq 1 | Select-Object -ExpandProperty FeatureName 

If you wanted to validate a cluster, to list all ESXi hosts that are MDS compliant (have the MDCLEAR CPU feature present and enabled):

# Filter on the single MDCLEAR entry itself, so that a host is only listed when
# that entry exists AND its value is 1 (testing the two arrays separately would
# also match a host where MDCLEAR is present but some other feature has value 1).
Get-Cluster "clustername" | Get-VMHost | 
Where-Object { $_.ExtensionData.Config.FeatureCapability | Where-Object { $_.FeatureName -match "MDCLEAR" -and $_.Value -eq 1 } }

Validating VMs

The line below lists all the CPUID masks available to the VM hardware (the FeatureRequirement list is only populated while the VM is powered on):

(Get-VM -Name "VMname").ExtensionData.Runtime.FeatureRequirement | Select-Object -ExpandProperty FeatureName 

If you wanted to validate a cluster, to list all VMs that are MDS compliant (have the MDCLEAR CPU feature present in their virtual hardware):

Get-Cluster "clustername" | Get-VM | Where-Object {$_.ExtensionData.Runtime.FeatureRequirement.FeatureName -match "MDCLEAR"} 
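The host and VM checks above can be combined into one cluster-wide report that also generalizes to any future CPUID mask. This is an added example, not code from the original post; it assumes an existing PowerCLI session (Connect-VIServer), and the cluster name and the Get-CpuFeatureCompliance function name are placeholders of my own.

```powershell
# Added example: per-VM report of whether the ESXi host exposes a CPUID feature
# and whether the VM's virtual hardware has actually picked it up.
# Assumes you are already connected with Connect-VIServer.
function Get-CpuFeatureCompliance {
    param(
        [Parameter(Mandatory)] [string] $ClusterName,
        [string] $FeatureName = 'cpuid.MDCLEAR'   # any CPUID mask can be passed here
    )

    $cluster = Get-Cluster -Name $ClusterName

    # Host side: the exact feature entry must exist AND have Value 1
    $hostCapable = @{}
    foreach ($h in Get-VMHost -Location $cluster) {
        $entry = $h.ExtensionData.Config.FeatureCapability |
                 Where-Object { $_.FeatureName -eq $FeatureName -and $_.Value -eq 1 }
        $hostCapable[$h.Name] = [bool]$entry
    }

    # VM side: Runtime.FeatureRequirement reflects what the running VM hardware has
    foreach ($vm in Get-VM -Location $cluster) {
        $vmHas  = [bool]($vm.ExtensionData.Runtime.FeatureRequirement |
                         Where-Object { $_.FeatureName -eq $FeatureName })
        $hostOk = [bool]$hostCapable[$vm.VMHost.Name]

        # FeatureRequirement is empty for powered-off VMs, so do not report those as failing
        $status = if ($vm.PowerState -ne 'PoweredOn') { 'PoweredOff: re-check after power on' }
                  elseif ($vmHas)                     { 'Mitigated' }
                  elseif ($hostOk)                    { 'Host patched, VM hardware not yet exposed (needs a full power cycle)' }
                  else                                { 'Host NOT patched' }

        [pscustomobject]@{
            VM             = $vm.Name
            Host           = $vm.VMHost.Name
            HostHasFeature = $hostOk
            VMHasFeature   = $vmHas
            Status         = $status
        }
    }
}

# Placeholder cluster name; the feature defaults to cpuid.MDCLEAR
Get-CpuFeatureCompliance -ClusterName 'clustername' | Format-Table -AutoSize
```

The "Host patched, VM hardware not yet exposed" rows are the ones the vmware.log check alone would not reveal.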

The vmware.log is an accurate source to show the CPUID capability (indicating that both the CPU microcode and the hypervisor are properly updated). However, you should know that just because the log indicates the CPUID capability, that does not mean the VM is mitigated. I have found the log entries present just by migrating VMs during the remediation of a cluster.

By using PowerShell we can confirm the availability of the CPUID features at the hypervisor level, and which VMs actually have the hardware support enabled.

Posted in PowerShell


Edgar Sanchez