Microarchitectural Data Sampling: Speculative Execution Side-Channel Vulnerabilities Found in Intel CPUs
Researchers disclose speculative execution side-channel attacks named ZombieLoad, RIDL and Fallout in Intel Central Processing Units (CPUs).
Background
On May 14, public disclosures from multiple research groups regarding a new set of speculative execution side-channel vulnerabilities in Intel CPUs were published, along with software updates from various operating system, virtualization and cloud vendors. The vulnerabilities, independently discovered but collectively referred to as Microarchitectural Data Sampling (or MDS) attacks, are also individually named ZombieLoad, RIDL and Fallout by the researchers who discovered them. They follow in the footsteps of the Spectre and Meltdown vulnerabilities reported in 2018.
Analisi
The following is a table of the four CVEs associated with MDS attacks, which includes acronyms and associated names.
|
CVE |
Name |
Acronym |
Named Vulnerability |
|
CVE-2018-12126 |
Microarchitectural Store Buffer Data Sampling |
MSBDS |
Fallout |
|
CVE-2018-12127 |
Microarchitectural Load Port Data Sampling |
MLPDS |
RIDL |
|
CVE-2018-12130 |
Microarchitectural Fill Buffer Data Sampling |
MFBDS |
ZombieLoad |
|
CVE-2019-11091 |
Microarchitectural Data Sampling Uncacheable Memory |
MDSUM |
RIDL |
The MDS vulnerabilities all focus on the “sampling” of data from CPU buffers that reside between the processor and cache. The term “sampling” here can be described as eavesdropping on the buffers and capturing the data frequently.
ZombieLoad
CVE-2018-12130 or the “ZombieLoad” attack, is so named because the CPU “resurrects your private browsing history and other sensitive data,” which can be achieved by targeting the fill buffer (MFBDS) logic of the processor. In a demo video, the researchers behind ZombieLoad show how they are able to retrieve URLs accessed on a machine using the Tor Browser.
RIDL
RIDL is an acronym for “Rogue In-Flight Data Load,” which describes the leaking (or “sampling”) of in-flight data from the Line-Fill Buffers (MFBDS) and Load Ports (MLPDS) used by the CPU to load or store data from memory. The associated CVEs for RIDL are CVE-2018-12127, CVE-2019-11091, as well as overlap with CVE-2018-12130, which was discovered independently.
Researchers from VuSec have uploaded the following exploit demo videos showing successful attacks using RIDL vulnerabilities in three different scenarios:
RIDL leaking root password hash (over a 24-hour period):
RIDL leaking Linux kernel data:
RIDL from JavaScript:
Fallout
CVE-2018-12126, or the “Fallout” attack, was named by the researchers because “Fallouts are typically a direct consequence of Meltdowns,” indicating it is a follow-up to the Meltdown vulnerability. Fallout targets the Store Buffer (MSBDS), which is used by the CPU pipeline whenever it needs to store any data. What is most notable about this attack is that “an unprivileged attacker can then later pick which data they leak” from the Store Buffer. The researchers behind the discovery of Fallout say that despite the hardware countermeasures introduced to address Meltdown, the CPUs are now more vulnerable to attacks like Fallout.
Unlike ZombieLoad or RIDL, there do not appear to be any demo videos for Fallout at the time of publication for this blog.
Proof of concept
Researchers have published proof-of-concept (PoC) code to Github for ZombieLoad, but there do not appear to be any PoCs for RIDL or Fallout at the time this blog was published.
Solution
Intel has published a document with a list of planned or available microcode updates for different Intel CPUs, as well as a list of products where no microcode update will be provided. Intel has also stated that the MDS vulnerabilities are addressed in 8th and 9th Generation Intel Core processors and the 2nd Generation Intel Xeon Scalable processor family.
The following vendors have published advisories, knowledge base, support and FAQ articles detailing their efforts to address MDS for their operating systems, products and cloud-based services, including microcode and software updates:
- Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities
- Guidance for mitigating speculative execution side-channel vulnerabilities in Azure
- Apple: Additional mitigations for speculative execution vulnerabilities in Intel CPUs
- Google FAQ: Product Status: Microarchitectural Data Sampling (MDS)
- Red Hat: Vulnerability Response - Microarchitectural Data Sampling
- Ubuntu: Microarchitectural Data Sampling (MDS)
- Debian: DSA-4444-1 linux -- security update (MDS)
- SuSE: Security vulnerability: Microarchitectural Data Sampling (MDS)
- VMWare: VMSA-2019-0008 (MDS)
- AWS: Intel Quarterly Security Release (QSR) 2019.1
- Oracle: Intel Processor MDS Vulnerabilities
- Citrix: Microarchitectural data sampling security issues and mitigations
- IBM Addresses Reported Intel Security Vulnerabilities
Other vendors will likely follow up and provide patches in the coming weeks and months.
Identifying affected systems
A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.
Get more information
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
Articoli correlati
CVE-2024-7593: Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
August 14, 2024Ivanti released a patch for a critical severity authentication bypass vulnerability and a warning that exploit code is publicly available
CVE-2024-20419: Cisco Smart Software Manager On-Prem Password Change Vulnerability
August 9, 2024Critical vulnerability in Cisco Smart Software Manager On-Prem exposes systems to unauthorized password changes, exploit code now available.BackgroundOn July 17, 2024, Cisco published an advisory for ...
Detecting Risky Third-party Drivers on Windows Assets
August 7, 2024Kernel-mode drivers are critical yet risky components of the Windows operating system. Learn about their functionality, the dangers they pose, and how Tenable's new plugins can help identify and mitigate vulnerabilities using community-driven resources like LOLDrivers.
SSRFing the Web with the Help of Copilot Studio
August 20, 2024Tenable Research discovered a critical information-disclosure vulnerability in Microsoft’s Copilot Studio via a server-side request forgery (SSRF), which allowed researchers access to potentially sensitive information regarding service internals with potential cross-tenant impact.
Cybersecurity Snapshot: First Quantum-resistant Algorithms Ready for Use, While New AI Risks’ Database Is Unveiled
August 16, 2024NIST has released the first encryption algorithms that can protect data against quantum attacks. Plus, MIT launched a new database of AI risks. Meanwhile, the CSA published a paper outlining the unique risks involved in building systems that use LLMs. And get the latest on Q2’s most prevalent malware, the Radar/Dispossessor ransomware gang and CVE severity assessments!
CVE-2024-7593: Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
August 14, 2024Ivanti released a patch for a critical severity authentication bypass vulnerability and a warning that exploit code is publicly available
- Vulnerability Management