Guidance for mitigating L1 Terminal Fault in Azure Stack

Microsoft is aware of a new speculative execution side channel vulnerability that is known as L1 Terminal Fault (L1TF), which has been assigned multiple Common Vulnerabilities and Exposures (CVEs), as noted in the following table. This vulnerability affects Intel® Core® processors and Intel® Xeon® processors. For more information, see the Intel advisory at www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html.

Microsoft has not received any information to indicate that these vulnerabilities have been used to attack customers. Microsoft continues working closely with industry partners, including chip makers, hardware OEMs, and app vendors, to protect customers. To get all available protections, firmware (microcode) and software updates are required. This includes microcode from device OEMs and, in some cases, updates to antivirus software.

This advisory addresses the following vulnerabilities:

To learn more about this class of vulnerabilities, see ADV180018.

The following sections will help you identify, mitigate, and remedy Azure Stack environments that are affected by the vulnerabilities that are identified in Microsoft Security Advisory ADV180018.

To address these issues, Microsoft is working in partnership with the hardware industry to develop mitigations and guidance.

Azure Stack customers should take the following actions to help protect the Azure Stack infrastructure against the vulnerabilities:

1. Apply the Azure Stack 1808 update. See the Azure Stack 1808 update release notes for instructions to apply this update to your Azure Stack integrated system.
2. Install firmware updates from your Azure Stack OEM vendor. Refer to your OEM vendor website to download and apply the updates.

Q1. How can I tell whether my Azure Stack is affected by this class of vulnerabilities?

A1: All Azure Stack integrated systems are affected by the class of vulnerabilities that are described in Microsoft Security Advisory ADV180018.

Q2. Where can I find the Azure Stack update to fix this class of vulnerabilities?

A2: See the Azure Stack 1808 update release notes for instructions about how to download and apply this update to your Azure Stack integrated system. For more information about updates for Microsoft Azure Stack, see http://aka.ms/azurestackupdate.

Q3. Where can I find the firmware updates for my Azure Stack integrated system?

A3: Firmware updates are OEM-specific. Refer to your OEM vendor's website to download and apply the updates.

Q4. My Azure Stack integrated system is not running the latest update (version 1807). What should I do?

A4: Azure Stack updates are sequential. You have to apply all previous updates before you can apply the Azure Stack 1808 update.

Q5. I'm running an Azure Stack Development Kit (ASDK). Is that affected by this class of vulnerabilities?

A5: Yes, it is. We recommend that you deploy the latest version of the ASDK. For firmware updates, see your OEM vendor's website to download and apply the updates.

Q6. Do I need to update the operating system of my virtual machines to isolate my applications from other Azure Stack tenants?

A6: While an operating system update is not required to isolate your applications that are running on the Azure Stack from other Azure Stack tenants, it is a best practice to keep your software up-to-date. The latest security rollups for Windows contain mitigations for several speculative execution side channel vulnerabilities. Similarly, Linux distributions have included multiple updates to address these vulnerabilities.

Q7. Is there any performance impact related to this side-channel vulnerability mitigation?

A7: As described in Microsoft Security Advisory ADV180018, Microsoft observed some performance impact with these mitigations during testing, depending on the configuration of the system and what mitigations were needed. The Azure Stack 1808 release contains all the software configuration updates that we recommended to mitigate any potential performance impact. If you experience a performance impact, restart your virtual machines that are running on top of Azure Stack. To be effective, the restart must be performed from either the Azure Stack portal or via the Azure CLI in Azure Stack.