Threat Response: Multiple Intel CPU vulnerabilities

15-05-2019

Tuesday, 14th of May 2019 a number of new Intel CPU vulnerabilities were published. This regards three items:

  • RIDL – Rogue In Flight Data Load – discovered by researchers of the VU [1].
  • Fallout – discovered by a team of researchers from multiple universities, amongst others the KU Leuven [2].
  • ZombieLoad – discovered by researchers of Graz [3].

These vulnerabilities all work in similar ways. Intel has summarized them as Microarchitectural Data Sampling, or MDS. Most modern Intel CPUs are vulnerable.

Description

These vulnerabilities concern so-called side-channel attacks, similar to the SPECTRE and MELTDOWN vulnerabilities of 2018. A side-channel attack is an attack where processes running on a computer read or infer information from the CPU or the memory that they cannot access directly, by timing operations and checking for minor discrepancies. Some possible discrepancies that could be monitored are power consumption, execution times and in some cases even sound waves.

For the current set of MDS vulnerabilities, speculative execution is abused to read information that a process should not be able to read. Speculative execution is a technique used by Intel to preload data into buffers before a process has actually asked for it: the processor speculates what information might be requested. If this data is not requested after all, the buffer is cleared and the information that was actually requested is loaded instead. Because preloaded data is faster to read than information that has not been preloaded, attackers can use timing differences to guess the contents of the buffers. In contrast to the SPECTRE and MELTDOWN vulnerabilities, these new vulnerabilities can cross so-called security boundaries. This means that in, for example, a situation with multiple virtual machines, one virtual machine can read information from another virtual machine, as long as they run on the same processor.

Attackers do not have control over what is in these buffers. They have to make use of sampling: many measurements must be taken before enough useful information is gained. An example given by the researchers is reading the encrypted password of a user; this took about 24 hours, and during that time the targeted system was made to run the passwd command over and over again, so that the chance of a buffer containing information from the password shadow file was high enough.

In order for this attack to work, the attackers need to be able to execute code on the same processor as the intended victim. This can be done by e.g. running JavaScript in the browser of an intended victim, but this is also something that can occur when making use of shared hosting.

The following CVEs have been published, related to these vulnerabilities:

  • CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS) – CVSS score 6.5: Medium, Fallout
  • CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS) – CVSS score 6.5: Medium, RIDL
  • CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (MFBDS) – CVSS score 6.5: Medium, RIDL and ZombieLoad
  • CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM) – CVSS score 3.8: Low, RIDL

Risk

Northwave assesses the severity of these vulnerabilities as medium. Although the potential impact is quite high, the attack itself is complex to perform. Patches and mitigations are already available. For a list of impacted CPUs, please refer to Intel: [4] and [5].

Mitigation

Intel has, in collaboration with vendors like Microsoft, Apple and VMWare, supplied patches for these vulnerabilities. Northwave advises installing these patches. Additionally, the researchers recommend disabling Simultaneous MultiThreading (SMT), also known as HyperThreading. However, this results in a performance penalty for these processors. It is important to make a proper assessment of this performance penalty before additionally disabling SMT.
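As an added example (not from this advisory or from Intel), the following POSIX shell script checks the three things the mitigation section asks an administrator to verify on a Linux host: whether the kernel has the MDS mitigation active, whether the CPU microcode update that enables buffer clearing is present, and whether SMT is still enabled. It assumes interfaces that exist on Linux kernels carrying the MDS patches but are not named on this page: the status line in /sys/devices/system/cpu/vulnerabilities/mds, the md_clear flag in /proc/cpuinfo, and /sys/devices/system/cpu/smt/control. The functions parse status lines passed as arguments, so they can be exercised on constructed input; the live report at the bottom runs only when the files are readable.

```shell
#!/bin/sh
# Added example, not part of the Northwave advisory. Classifies the MDS
# mitigation state reported by a patched Linux kernel. Assumed interfaces
# (real on such kernels, but not named on the page):
#   /sys/devices/system/cpu/vulnerabilities/mds  kernel's MDS status line
#   /proc/cpuinfo "flags" line with md_clear      microcode supports buffer clearing
#   /sys/devices/system/cpu/smt/control          on / off / forceoff / notsupported

MDS_FILE=/sys/devices/system/cpu/vulnerabilities/mds
SMT_FILE=/sys/devices/system/cpu/smt/control
CPUINFO=/proc/cpuinfo

# classify_mds STATUS_LINE -> one word for the kernel's MDS status.
# The "Vulnerable: ... no microcode" form must be matched before plain "Vulnerable".
classify_mds() {
    case "$1" in
        "Not affected"*)                                            echo not_affected ;;
        "Mitigation: Clear CPU buffers"*)                           echo mitigated ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)   echo no_microcode ;;
        "Vulnerable"*)                                              echo vulnerable ;;
        *)                                                          echo unknown ;;
    esac
}

# smt_state STATUS_LINE -> the SMT suffix the kernel appends for affected CPUs.
smt_state() {
    case "$1" in
        *"SMT vulnerable"*)         echo vulnerable ;;
        *"SMT disabled"*)           echo disabled ;;
        *"SMT mitigated"*)          echo mitigated ;;
        *"SMT Host state unknown"*) echo host_unknown ;;
        *)                          echo none ;;
    esac
}

# has_md_clear FLAGS_LINE -> exit 0 if the cpuinfo flags line lists md_clear.
has_md_clear() {
    case " $1 " in
        *" md_clear "*) return 0 ;;
        *)              return 1 ;;
    esac
}

# advise STATUS_LINE -> one-line verdict following the advisory's mitigation steps.
advise() {
    status=$(classify_mds "$1")
    smt=$(smt_state "$1")
    case "$status" in
        not_affected) echo "OK: CPU not affected by MDS" ;;
        mitigated)
            if [ "$smt" = vulnerable ]; then
                echo "PARTIAL: buffer clearing active, SMT still on; assess disabling SMT"
            else
                echo "OK: buffer clearing active, SMT $smt"
            fi ;;
        no_microcode) echo "ACTION: kernel patched but CPU microcode missing; install the microcode/firmware update" ;;
        vulnerable)   echo "ACTION: no mitigation active; install kernel and microcode updates" ;;
        *)            echo "UNKNOWN: unrecognised status line: $1" ;;
    esac
}

# Live report: only when the interfaces exist, so the script is harmless elsewhere.
if [ -r "$MDS_FILE" ]; then
    line=$(cat "$MDS_FILE")
    echo "kernel:    $line"
    advise "$line"
fi
if [ -r "$CPUINFO" ]; then
    flags=$(grep '^flags' "$CPUINFO" | head -n 1)
    if has_md_clear "$flags"; then
        echo "microcode: md_clear present"
    else
        echo "microcode: md_clear absent"
    fi
fi
if [ -r "$SMT_FILE" ]; then
    echo "smt:       $(cat "$SMT_FILE")"
fi
```

A "PARTIAL" verdict corresponds to the trade-off described above: the kernel clears CPU buffers on context switches, but sibling hyperthreads still share the affected buffers, so the remaining step is the SMT decision. On Linux that can be made persistent with the kernel command-line option mds=full,nosmt (a kernel parameter, not something this advisory mentions) once the performance assessment has been done.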

An overview of information as supplied by various vendors:

If you need additional information you can call us by phone or send us an email.

Phone number: 030-3031244 (during business hours)
E-mail: soc@northwave.nl

Do you have an incident right now? Call our CERT number: 0800-2255 2747

Sources

[1] RIDL paper: https://mdsattacks.com/files/ridl.pdf

[2] Fallout paper: https://mdsattacks.com/files/fallout.pdf

[3] ZombieLoad paper: https://zombieloadattack.com/zombieload.pdf

[4] Intel security advisory: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html

[5] List of impacted CPUs: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf


Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.