VMware ESXi - Baisse des performances VM Linux - Retbleed

VMware alerts its users of the VMware ESXi solution to the drop in performance observed on virtual machines with the Linux kernel 5.19. This drop can be as high as 70% when the Retbleed security flaw mitigations are enabled.

At VMware, the performance analysis team found a significant drop on ESXi virtual machines of up to 70% on the compute30% on the network and 13% on storage. These figures are the result of the performance comparison between a Linux VM with kernel 5.18 and a Linux VM with kernel 5.19. This very significant performance degradation is directly related to the “Retbleed” vulnerability and the implementation of mitigation measures to protect against this security breach.

VMware found that disabling the mitigations related to the Retbleed vulnerability restored the performance of the Linux VM. To be more precise, this implies to configure the option “spectrum_v2=off” in the kernel boot parameters. This parameter is managed on the Linux VM itself. However, removing this security exposes the machine to attacks, depending on the processor model (see below).

What is the Retbleed vulnerability?

Discovered in July 2022, the Retbleed security flaw affects processors and allows an attacker toextract sensitive information, such as the root password hash, for example. In fact, this vulnerability is related to the famous Specter flaw and it allows bypassing Retpoline, a solution to protect against type 2 ghost attacks. We can say that Retbleed is a Ghost-type Rift.

In terms of processors impacted by Retbleed, there are Intel Core models from generation 6 (Skylake – 2015) to generation 8 (Coffee Lake – 2017), as well as AMD Zen 1, Zen 1+ and Zen 2 processors released between 2017 and 2019. Suffice to say that it is not uncommon to come across servers with these generations of processors.

Here, the example of VMware is cited, but it is certain that there is an impact on performance on other platforms.


By admin

Leave a Reply

Your email address will not be published. Required fields are marked *