RIDL/ZombieLoad/Fallout check inside VM meaningfulness
lukast__ Member

I wanted to check whether my VMs (using KVM) are vulnerable to speculative execution vulnerabilities or similar. I found spectre-meltdown-checker, which reports that my Strato VM isn't vulnerable to any of these, but on another VM it says that it is vulnerable to Fallout, RIDL and ZombieLoad. Does this check even make sense from inside of a VM? And if it is vulnerable, would a mitigation in the guest kernel have any impact or would I have to contact the provider? Can you recommend another checker for these types of vulnerabilities?

Comments

  • Levi Member

    Don’t check - sleep better.

    Thanked by 3: lukast__ sasslik Jim88
  • lowenduser1

    It checks whatever CPU model and features are passed through to the VM. Software mitigations are by default enabled on all major distributions but suffer from a significant performance hit, if the hardware is not up to date or patched. If neighbors or the host disabled the mitigations, your VM will still be vulnerable, even if it's enabled in your VM. For security-sensitive data and in need of performance you probably want to avoid the older hardware or go with a dedicated

    Thanked by 1: lukast__
  • lukast__ Member

    @lowenduser1 said: It checks whatever CPU model and features are passed through to the VM. Software mitigations are by default enabled on all major distributions but suffer from a significant performance hit, if the hardware is not up to date or patched. If neighbors or the host disabled the mitigations, your VM will still be vulnerable, even if it's enabled in your VM. For security-sensitive data and in need of performance you probably want to avoid the older hardware or go with a dedicated

    Thanks for the answer. A dedicated is unfortunately out of my budget, but I want to minimize the risk at least.
    I have a VM with an 8-year-old Intel CPU (E5-2650L v4). The tool says for Fallout, ZombieLoad and RIDL: "Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown".
    Can I fix it / is it not necessary or possible (as maybe not every neighbor has it enabled?), or should I contact the provider?
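    A small shell check for what this thread is asking, added here and not part of the thread or of spectre-meltdown-checker: it classifies the MDS status line the guest kernel exposes in sysfs (the same "Clear CPU buffers attempted, no microcode; SMT Host state unknown" reading quoted above) and tests whether the hypervisor passed the md_clear CPU flag through to the guest, which is what the guest-side mitigation needs; when that flag is missing, the fix has to come from the host's microcode, as lowenduser1 says. The function names and verdict strings are this example's own.

```shell
#!/bin/sh
# Added example; not from the thread and not spectre-meltdown-checker code.
# Reads the MDS (RIDL/ZombieLoad/Fallout) status a Linux guest kernel reports
# and whether the hypervisor exposed the md_clear flag needed to mitigate it.

# Map one sysfs status line (passed as $1) to a short verdict.
mds_verdict() {
  case "$1" in
    "Not affected"*)                   echo "not-affected" ;;
    "Mitigation: Clear CPU buffers"*)  echo "mitigated" ;;
    "Vulnerable: Clear CPU buffers attempted, no microcode"*)
                                       echo "no-microcode-from-host" ;;
    Vulnerable*)                       echo "vulnerable" ;;
    *)                                 echo "unknown" ;;
  esac
}

# True when the line says the guest cannot see the host's SMT setting,
# which is the normal case inside a VM: only the host operator knows it.
smt_host_unknown() {
  case "$1" in
    *"SMT Host state unknown"*) return 0 ;;
    *) return 1 ;;
  esac
}

# True when a /proc/cpuinfo "flags" line (passed as $1) contains md_clear.
has_md_clear() {
  case " $1 " in
    *" md_clear "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live check on a Linux guest; prints a note and does nothing elsewhere.
check_live() {
  f=/sys/devices/system/cpu/vulnerabilities/mds
  [ -r "$f" ] || { echo "no $f on this system"; return 0; }
  status=$(cat "$f")
  echo "mds: $status -> $(mds_verdict "$status")"
  smt_host_unknown "$status" && echo "smt: host state not visible from the guest"
  flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null)
  if has_md_clear "$flags"; then
    echo "md_clear: exposed to guest, kernel mitigation can work"
  else
    echo "md_clear: not exposed, guest kernel cannot mitigate MDS on its own"
  fi
}
```

    Running `check_live` on the VM from the thread would show the "no-microcode-from-host" verdict and no md_clear flag, which is the case where only the provider (host microcode and CPU model passthrough) can change the outcome.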

  • @lukast__ said:

    @lowenduser1 said: It checks whatever CPU model and features are passed through to the VM. Software mitigations are by default enabled on all major distributions but suffer from a significant performance hit, if the hardware is not up to date or patched. If neighbors or the host disabled the mitigations, your VM will still be vulnerable, even if it's enabled in your VM. For security-sensitive data and in need of performance you probably want to avoid the older hardware or go with a dedicated

    Thanks for the answer. A dedicated is unfortunately out of my budget, but I want to minimize the risk at least.
    I have a VM with an 8-year-old Intel CPU (E5-2650L v4). The tool says for Fallout, ZombieLoad and RIDL: "Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown".
    Can I fix it / is it not necessary or possible (as maybe not every neighbor has it enabled?), or should I contact the provider?

    You can always raise your concerns with your provider; perhaps they can sort it out. That being said, it's a bit on the edge of paranoia in terms of probability. These are complicated vulnerabilities. Going with "my VM is on shit hardware, please migrate" probably gets you a guaranteed benefit.

    Thanked by 1: lukast__
  • vsys_host Member, Patron Provider

    Security checks are always a must-have, but if you are running a single-user webhost VPS with non-sensitive data, mitigation of the mentioned vulnerabilities is not strictly necessary.
