ESXI-67-000055 - The ESXi host must disable Inter-VM transparent page sharing.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Published academic papers have demonstrated that by forcing a flush and reload of cache memory, it is possible to measure memory timings to try to determine an AES encryption key in use on another virtual machine running on the same physical processor of the host server if Transparent Page Sharing is enabled between the two virtual machines. This technique works only in a highly controlled system configured in a non-standard way that VMware believes would not be recreated in a production environment.

Although VMware believes information being disclosed in real-world conditions is unrealistic, out of an abundance of caution, upcoming ESXi update releases will no longer enable TPS between virtual machines by default (TPS will still be used within individual VMs).

Solution

From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings.

Click 'Edit', select the 'Mem.ShareForceSalting' value, and configure it to '2'.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting | Set-AdvancedSetting -Value 2

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y22M10_STIG.zip

Item Details

References: CAT|III, CCI|CCI-000366, Rule-ID|SV-239309r674856_rule, STIG-ID|ESXI-67-000055, Vuln-ID|V-239309

Plugin: VMware

Control ID: 74af05e02966a23142651de4316a6bbcf622e494eb9ba84878040c446e5d89b1