Open adrelanos opened 4 years ago
Installing intel-microcode (3.20191115.2) and spectre-meltdown-checker (0.43-2) from https://packages.debian.org/bullseye/intel-microcode and https://packages.debian.org/bullseye/spectre-meltdown-checker did not silence that warning either.
Even if it did, this test probably does not apply inside VMs?
CVE-2018-3640 is mitigated by having a patched microcode (it doesn't also need an updated kernel or hypervisor, as some other CVEs do). The microcode versions that are fixed for this CVE were also fixing CVE-2018-3639, as Intel tackled these 2 CVEs at the same time. There is no indication (no CPUID bit or MSR) in a microcode to tell whether it mitigates CVE-2018-3640 or not, but for CVE-2018-3639, there is (as it also needs kernel support to have any effect). So the CVE-2018-3640 test we do is checking whether the SSBD bit is set in the CPUID (which indicates that the necessary logic is in place in the microcode to help the kernel mitigate CVE-2018-3639). If the bit is set, then we know CVE-2018-3640 is mitigated too. So in your case, if on the host the tests say OK, then you're safe. It can also be detected from inside the VM, but only if VirtualBox is passing through the CPUID bits of the host, and this probably depends on your VirtualBox configuration (or maybe they decided to hide it altogether).
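The SSBD-bit heuristic described in the reply above, as an added example that is not part of spectre-meltdown-checker: it looks for the SSBD feature flag the Linux kernel exposes in /proc/cpuinfo, which is absent in a guest whose hypervisor does not pass the host CPUID bits through. The sample flags lines and the flag-name list are constructed for the example.

```shell
#!/bin/sh
# Added example: check the CPUID-derived SSBD flag as a proxy for the
# CVE-2018-3639/CVE-2018-3640 microcode fix (the same logic the reply
# above describes). The kernel prints "ssbd" for Intel's SSBD CPUID bit,
# and "amd_ssbd" / "virt_ssbd" for the AMD and hypervisor-advertised
# variants. A guest whose hypervisor hides the bit shows none of them,
# which is why the check can fail inside a VM while the host passes.

# Constructed sample flags lines (not real machine output):
HOST_FLAGS='flags : fpu vme de pse tsc msr pae mce cx8 apic sep ibrs ibpb stibp ssbd md_clear flush_l1d'
GUEST_FLAGS='flags : fpu vme de pse tsc msr pae mce cx8 apic sep hypervisor'

# ssbd_status FLAGS_LINE -> prints "present" or "absent", returns 0 / 1.
ssbd_status() {
    # One token per line so "ssbd" is matched whole, not as a substring
    # of another flag name.
    if printf '%s\n' "$1" | tr ' ' '\n' | grep -qxE 'ssbd|amd_ssbd|virt_ssbd'; then
        echo present
        return 0
    fi
    echo absent
    return 1
}

# cpuinfo_ssbd_status [FILE] -> same check on the first "flags" line of a
# cpuinfo-style file (defaults to the live /proc/cpuinfo).
cpuinfo_ssbd_status() {
    ssbd_status "$(grep -m1 '^flags' "${1:-/proc/cpuinfo}")"
}

# Usage on the constructed host sample (prints "present"):
ssbd_status "$HOST_FLAGS"
```

Run `cpuinfo_ssbd_status` with no argument on both the host and the guest to see whether the hypervisor passes the bit through; the kernel's own verdict for the related issue is in /sys/devices/system/cpu/vulnerabilities/spec_store_bypass.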
spectre-meltdown-checker v0.42

spectre-meltdown-checker --paranoid on a Debian buster host: passed (exit code 0)

spectre-meltdown-checker --paranoid in a Debian buster VirtualBox VM: failed

This is likely a false-positive since VMs cannot alter CPU microcode?
Or is this a VirtualBox bug?