Yesterday, Intel and a group of microarchitecture security researchers disclosed four new hackable vulnerabilities in Intel’s chips. These vulnerabilities expose extremely sensitive data and processes from a victim’s CPU to the attacker. Intel has grouped these vulnerabilities together and labeled them as Microarchitectural Data Sampling or MDS attacks.
MDS is a sub-class of previously disclosed speculative execution side channel vulnerabilities and is comprised of four closely related CVEs. These vulnerabilities were first identified by Intel’s internal researchers and partners and independently reported to Intel by external researchers. These include:
- Microarchitectural Load Port Data Sampling (MLPDS) – CVE-2018-12127
- Fallout: Microarchitectural Store Buffer Data Sampling (MSBDS) – CVE-2018-12126
- ZombieLoad or RIDL: Microarchitectural Fill Buffer Data Sampling (MFBDS) – CVE-2018-12130
- Microarchitectural Data Sampling Uncacheable Sampling (MDSUM) – CVE-2019-11091
Intel said that the ARM and AMD are not likely vulnerable to these MDS attacks. Also, some models released last month include a fix for this problem. However, all of Intel’s chips that the researchers tested, going back as early as 2008, were affected.
According to a report by ZDNet, “The good news is that Intel had more than a year to get this patched, and the company worked with various OS and software vendors to coordinate patches at both the hardware and software level. Both the hardware (Intel CPU microcode updates) and software (OS security updates) protections must be installed at the same time to fully mitigate MDS attacks. If patches aren’t available yet, disabling the Simultaneous Multi-Threading (SMT) feature on Intel CPUs will significantly reduce the impact of all MDS attacks.”
In these new cases, researchers found that they could use speculative execution to trick Intel’s processors into grabbing sensitive data that’s moving from one component of a chip to another. Unlike Meltdown, which used speculative execution to grab sensitive data sitting in memory, MDS attacks focus on the buffers that sit between a chip’s components, such as between a processor and its cache, the small portion of memory allocated to the processor to keep frequently accessed data close at hand.
Cristiano Giuffrida, one of the researchers in the VUSec group at Vrije Universiteit Amsterdam who discovered the MDS attack said, “It’s kind of like we treat the CPU as a network of components, and we basically eavesdrop on the traffic between them. We hear anything that these components exchange.”
Zombieload side-channel attack
Zombieload, a side-channel attack, is the leading attack among the new vulnerabilities and also falls in the same category as Meltdown, Spectre, and Foreshadow. It is exploited by taking advantage of the speculative execution process, which is an optimization technique that Intel added to its CPUs to improve data processing speeds and performance.
Read Also: Seven new Spectre and Meltdown attacks found
ZombieLoad gets its name from a “zombie load,” an amount of data that the processor can’t understand or properly process, forcing the processor to ask for help from the processor’s microcode to prevent a crash. Apps are usually only able to see their own data, but this bug allows that data to bleed across those boundary walls. ZombieLoad will leak any data currently loaded by the processor’s core, the researchers said. Intel said patches to the microcode will help clear the processor’s buffers, preventing data from being read.
“Like Meltdown and Spectre, it’s not just PCs and laptops affected by ZombieLoad — the cloud is also vulnerable. ZombieLoad can be triggered in virtual machines, which are meant to be isolated from other virtual systems and their host device”, the TechCrunch reports.
Daniel Gruss, one of the researchers who discovered the latest round of chip flaws, said it works “just like” it does on PCs and can read data off the processor. That’s potentially a major problem in cloud environments where different customers’ virtual machines run on the same server hardware. Although no attacks have been publicly reported, the researchers couldn’t rule them out nor would any attack necessarily leave a trace, they said.
Gruss said it was “easier than Spectre” but “more difficult than Meltdown” to exploit — and both required a specific set of skills and effort to use in an attack. But if exploit code was compiled in an app or delivered as malware, “we can run an attack,” he said.
Intel has released microcode to patch vulnerable processors. Apple, Microsoft, and Google have also released patches, with other companies expected to follow.
“In a call with TechCrunch, Intel said the microcode updates, like previous patches, would have an impact on processor performance. An Intel spokesperson told TechCrunch that most patched consumer devices could take a 3 percent performance hit at worst, and as much as 9 percent in a datacenter environment. But, the spokesperson said, it was unlikely to be noticeable in most scenarios. And neither Intel nor Gruss and his team have released exploit code, so there’s no direct and immediate threat to the average user”, TechCrunch reports.
Is Zombieload a security threat for Linux system?
As a defense against Zombieload, a ZDNet report suggests, “To defend yourself, your processor must be updated, your operating system must be patched, and for the most protection, Hyper-Threading disabled.”
Red Hat rated CVE-2018-12130(Zombieload) as a severity impact of “important,” while the others have moderate severity.
Greg Kroah-Hartman, the stable Linux kernel maintainer, in an announcement email wrote, “I’m announcing the release of the 5.1.2 kernel. All users of the 5.1 kernel series must upgrade. Well, kind of, let me rephrase that…All users of Intel processors made since 2011 must upgrade.”
“Red Hat noted all its Linux distributions from Red Hat Enterprise Linux (RHEL) 5 on up to the new RHEL 8 are affected. Platforms based on these Linux distros, such as Red Hat Virtualization and Red Hat OpenStack, are also vulnerable”, ZDNet reports.
Chris Robinson, Red Hat’s product security assurance manager, explained:
“These vulnerabilities represent an access restriction bypass flaw that impacts many Intel CPU’s and many of the operating systems that enable that hardware. Working with other industry leaders, Red Hat has developed kernel security updates for products in our portfolio to address these vulnerabilities. We are working with our customers and partners to make these updates available, along with the information our customers need to quickly protect their physical systems, virtual images, and container-based deployments.”
According to a Wired post, “VUSec’s Giuffrida notes that his team was paid $100,000 by Intel for their work as part of the company’s “bug bounty” program that rewards researchers who warn the company about critical flaws. That’s hardly the kind of money paid out for trivial issues, he points out. But he also says that Intel at one point offered VUSec only a $40,000 bug bounty, accompanied by a $80,000 “gift”—which Giuffrida saw as an attempt to reduce the bounty amount cited publicly and thus the perceived severity of the MDS flaws. VUSec refused the offer of more total money in favor of a bounty that better reflected the severity of its findings, and it threatened to opt out of a bug bounty in protest. Intel changed its offer to the full $100,000.”
To know more about this news, read Intel’s official blog post.