Microarchitectural Data Sampling: Speculative Execution Side-Channel Vulnerabilities Found in Intel CPUs
Researchers disclose speculative execution side-channel attacks named ZombieLoad, RIDL and Fallout in Intel Central Processing Units (CPUs).
Hintergrund
On May 14, public disclosures from multiple research groups regarding a new set of speculative execution side-channel vulnerabilities in Intel CPUs were published, along with software updates from various operating system, virtualization and cloud vendors. The vulnerabilities, independently discovered but collectively referred to as Microarchitectural Data Sampling (or MDS) attacks, are also individually named ZombieLoad, RIDL and Fallout by the researchers who discovered them. They follow in the footsteps of the Spectre and Meltdown vulnerabilities reported in 2018.
Analyse
The following is a table of the four CVEs associated with MDS attacks, which includes acronyms and associated names.
|
CVE |
Name |
Acronym |
Named Vulnerability |
|
CVE-2018-12126 |
Microarchitectural Store Buffer Data Sampling |
MSBDS |
Fallout |
|
CVE-2018-12127 |
Microarchitectural Load Port Data Sampling |
MLPDS |
RIDL |
|
CVE-2018-12130 |
Microarchitectural Fill Buffer Data Sampling |
MFBDS |
ZombieLoad |
|
CVE-2019-11091 |
Microarchitectural Data Sampling Uncacheable Memory |
MDSUM |
RIDL |
The MDS vulnerabilities all focus on the “sampling” of data from CPU buffers that reside between the processor and cache. The term “sampling” here can be described as eavesdropping on the buffers and capturing the data frequently.
ZombieLoad
CVE-2018-12130 or the “ZombieLoad” attack, is so named because the CPU “resurrects your private browsing history and other sensitive data,” which can be achieved by targeting the fill buffer (MFBDS) logic of the processor. In a demo video, the researchers behind ZombieLoad show how they are able to retrieve URLs accessed on a machine using the Tor Browser.
RIDL
RIDL is an acronym for “Rogue In-Flight Data Load,” which describes the leaking (or “sampling”) of in-flight data from the Line-Fill Buffers (MFBDS) and Load Ports (MLPDS) used by the CPU to load or store data from memory. The associated CVEs for RIDL are CVE-2018-12127, CVE-2019-11091, as well as overlap with CVE-2018-12130, which was discovered independently.
Researchers from VuSec have uploaded the following exploit demo videos showing successful attacks using RIDL vulnerabilities in three different scenarios:
RIDL leaking root password hash (over a 24-hour period):
RIDL leaking Linux kernel data:
RIDL from JavaScript:
Fallout
CVE-2018-12126, or the “Fallout” attack, was named by the researchers because “Fallouts are typically a direct consequence of Meltdowns,” indicating it is a follow-up to the Meltdown vulnerability. Fallout targets the Store Buffer (MSBDS), which is used by the CPU pipeline whenever it needs to store any data. What is most notable about this attack is that “an unprivileged attacker can then later pick which data they leak” from the Store Buffer. The researchers behind the discovery of Fallout say that despite the hardware countermeasures introduced to address Meltdown, the CPUs are now more vulnerable to attacks like Fallout.
Unlike ZombieLoad or RIDL, there do not appear to be any demo videos for Fallout at the time of publication for this blog.
Proof-of-Concept
Researchers have published proof-of-concept (PoC) code to Github for ZombieLoad, but there do not appear to be any PoCs for RIDL or Fallout at the time this blog was published.
Lösung
Intel has published a document with a list of planned or available microcode updates for different Intel CPUs, as well as a list of products where no microcode update will be provided. Intel has also stated that the MDS vulnerabilities are addressed in 8th and 9th Generation Intel Core processors and the 2nd Generation Intel Xeon Scalable processor family.
The following vendors have published advisories, knowledge base, support and FAQ articles detailing their efforts to address MDS for their operating systems, products and cloud-based services, including microcode and software updates:
- Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities
- Guidance for mitigating speculative execution side-channel vulnerabilities in Azure
- Apple: Additional mitigations for speculative execution vulnerabilities in Intel CPUs
- Google FAQ: Product Status: Microarchitectural Data Sampling (MDS)
- Red Hat: Vulnerability Response - Microarchitectural Data Sampling
- Ubuntu: Microarchitectural Data Sampling (MDS)
- Debian: DSA-4444-1 linux -- security update (MDS)
- SuSE: Security vulnerability: Microarchitectural Data Sampling (MDS)
- VMWare: VMSA-2019-0008 (MDS)
- AWS: Intel Quarterly Security Release (QSR) 2019.1
- Oracle: Intel Processor MDS Vulnerabilities
- Citrix: Microarchitectural data sampling security issues and mitigations
- IBM Addresses Reported Intel Security Vulnerabilities
Other vendors will likely follow up and provide patches in the coming weeks and months.
Identifizieren betroffener Systeme
A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.
Weitere Informationen
Verfolgen Sie die Beiträge des Security Response Team von Tenable in der Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
Verwandte Artikel
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
Cybersecurity Snapshot: CISA Says Midnight Blizzard Swiped U.S. Gov’t Emails During Microsoft Hack, Tells Fed Agencies To Take Immediate Action
April 12, 2024Check out CISA’s urgent call for federal agencies to protect themselves from Midnight Blizzard’s breach of Microsoft corporate emails. Plus, a new survey shows cybersecurity pros are guardedly optimistic about AI. Meanwhile, SANS pinpoints the four trends CISOs absolutely must focus on this year. And the NSA is sharing best practices for data security. And much more!
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
April 23, 2024A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Cybersecurity Snapshot: Cyber Agencies Offer Secure AI Tips, while Stanford Issues In-Depth AI Trends Analysis, Including of AI Security
April 19, 2024Check out recommendations for securing AI systems from the Five Eyes cybersecurity agencies. Plus, Stanford University offers a comprehensive review of AI trends. Meanwhile, a new open-source tool aims to simplify SBOM usage. And don’t miss the latest CIS Benchmarks updates. And much more!
- Vulnerability Management