Intel CPU vulnerabilities could be used in MDS attacks
The MDS attacks almost all involve the speculative execution design feature found in all modern processors.
On May 14, a new class of Intel CPU vulnerabilities was published by the microchip giant. Known as speculative execution side-channel vulnerabilities, they affect almost every Intel processor produced since 2011 – this includes a great number of servers, laptops, and smartphones. Crucially, its virtual machines on the public cloud are also impacted by these vulnerabilities.
What are the new Intel CPU Vulnerabilities?
The Intel CPU vulnerabilities — dubbed as MDS attacks (microarchitectural data sampling) — almost all involve the speculative execution design feature found in all modern processors. The vulnerabilities could leak arbitrary data from different CPU internal buffers: line fill buffers, load ports or store buffers.
They include:
- CVE-2018-12126 a.k.a. Fallout attack. It’s “just” an information disclosure vulnerability at the MSBDS (microarchitectural store buffer data sampling). Fallout is rated as medium severity, with CVSS score of 6.5, as it requires local access and privileges.
- CVE-2018-12130 aka Zombieload or RIDL (rogue in-flight data load): Again, this is “just” an information disclosure vulnerability at the MFBDS (microarchitectural fill buffer data sampling). It’s also rated medium severity, with CVSS score of 6.5.
- CVE-2018-12127: Part of the RIDL class of attacks, this vulnerability exists in the MLPDS (microarchitectural load port data sampling).
- CVE-2019-11091: Also part of the RIDL class of attacks, it exists in the MDSUM (microarchitectural data sampling uncacheable memory). It’s an information disclosure vulnerability, rated low severity with CVSS score of 3.8.
This is the fourth batch of CPU vulnerabilities published in just over a year. The original Meltdown and Spectre CPU flaws were published in January 2018, with new similar vulnerabilities popping up in August 2018and November 2018. If this six-month drumbeat keeps up the pace, it’s possible that we’ll see the next wave hit in November 2019.
Is This the Work of Cyber Criminals?
If everything you’ve read so far sounds technically dense, that’s because it is. These vulnerabilities are primarily theoretical – they were discovered by academics and, to our knowledge, haven’t yet been exploited in the wild in either distributed or targeted attacks.
While they may not have yet been touched by criminals, researchers have published a proof-of-concept exploit which demonstrates how the CPUs can leak sensitive data which has been written to the memory by the OS kernel, including root passwords hash.
What Should Skybox Customers Do?
It’s important to recognize that a logic flaw in a CPU isn’t the same as a software, or other, vulnerability. Short of changing your CPU, there’s little that you can do to fully resolve these vulnerabilities. Of course, doing so would be as impractical as it would be expensive. Like the Intel CPU vulnerabilities, this is a solution that exists better in theory than it does in practice.
What we’re left with instead are numerous mitigation strategies which emerge from collaborative work between CPU vendors (like Intel) and platform vendors (like Microsoft). What businesses need to do is gain and maintain awareness of any patches created and shared by the vendors and ensure that they are applied to all relevant platforms.
This advice is well-established as industry “best-practice,” but in respect of these speculative execution side-channel vulnerabilities, we would suggest going one step further by increasing the frequency of your patch windows. Don’t stick to your regular schedule — these vulnerabilities need to be prioritized.
In this instance, Intel’s initial recommendation was that users should, “always keep [their] systems up-to-date with the latest security updates, and follow the guidance from your OS and VMM vendors”. Which is good general advice, if the patches are available (at the time that advice was published, they weren’t; now, almost a week later, they are).
The following patches were published in a coordinated release:
- Microsoft, patching Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows Server 2012 R2, Windows 10, Windows Server 2016 and Windows Server 2019.
- VMWare, patching ESXi server, VMWare workstation, Fusion, vCloud servers, vCenter Server, and many other servers.
- RedHat, patching the Linux Kernel for Enterprise Linux Server, Enterprise Linux Workstation, Enterprise Linux Virtualisation, and others.
- Apple MacOS X servers (a patch for iOS was not released as of May 21, 2019)
- Qemu, the open source machine emulator and virtualizer
- Xen, hypervisor OS
- Google Chrome OS for netbooks