The ESXi host must not suppress warnings about unmitigated hyperthreading vulnerabilities.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-258778	ESXI-80-000223	SV-258778r933395_rule		Medium

Description
The L1 Terminal Fault (L1TF) CPU vulnerabilities published in 2018 have patches and mitigations available in vSphere. However, there are performance impacts to these mitigations that require careful thought and planning from the system administrator before implementation. Until a mitigation is implemented, the UI warning about the lack of a mitigation must not be dismissed so the system administrator does not assume the vulnerability has been addressed.

Description

The L1 Terminal Fault (L1TF) CPU vulnerabilities published in 2018 have patches and mitigations available in vSphere. However, there are performance impacts to these mitigations that require careful thought and planning from the system administrator before implementation. Until a mitigation is implemented, the UI warning about the lack of a mitigation must not be dismissed so the system administrator does not assume the vulnerability has been addressed.

STIG	Date
VMware vSphere 8.0 ESXi Security Technical Implementation Guide	2023-10-11

Details

Check Text ( C-62518r933393_chk )
From the vSphere Client go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "UserVars.SuppressHyperthreadWarning" value and verify it is set to "0". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost \| Get-AdvancedSetting -Name UserVars.SuppressHyperthreadWarning If the "UserVars.SuppressHyperthreadWarning" setting is not set to "0", this is a finding.

Check Text ( C-62518r933393_chk )

From the vSphere Client go to Hosts and Clusters.

Select the ESXi Host >> Configure >> System >> Advanced System Settings.

Select the "UserVars.SuppressHyperthreadWarning" value and verify it is set to "0".

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-AdvancedSetting -Name UserVars.SuppressHyperthreadWarning

If the "UserVars.SuppressHyperthreadWarning" setting is not set to "0", this is a finding.

Fix Text (F-62427r933394_fix)
From the vSphere Client go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "UserVars.SuppressHyperthreadWarning" value and configure it to "0". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost \| Get-AdvancedSetting -Name UserVars.SuppressHyperthreadWarning \| Set-AdvancedSetting -Value 0

Fix Text (F-62427r933394_fix)

From the vSphere Client go to Hosts and Clusters.

Select the ESXi Host >> Configure >> System >> Advanced System Settings.

Click "Edit". Select the "UserVars.SuppressHyperthreadWarning" value and configure it to "0".

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-AdvancedSetting -Name UserVars.SuppressHyperthreadWarning | Set-AdvancedSetting -Value 0