Microarchitectural Data Sampling: Speculative Execution Side-Channel Vulnerabilities Found in Intel CPUs
Researchers disclose speculative execution side-channel attacks named ZombieLoad, RIDL and Fallout in Intel Central Processing Units (CPUs).
Background
On May 14, public disclosures from multiple research groups regarding a new set of speculative execution side-channel vulnerabilities in Intel CPUs were published, along with software updates from various operating system, virtualization and cloud vendors. The vulnerabilities, independently discovered but collectively referred to as Microarchitectural Data Sampling (or MDS) attacks, are also individually named ZombieLoad, RIDL and Fallout by the researchers who discovered them. They follow in the footsteps of the Spectre and Meltdown vulnerabilities reported in 2018.
분석
The following is a table of the four CVEs associated with MDS attacks, which includes acronyms and associated names.
|
CVE |
Name |
Acronym |
Named Vulnerability |
|
CVE-2018-12126 |
Microarchitectural Store Buffer Data Sampling |
MSBDS |
Fallout |
|
CVE-2018-12127 |
Microarchitectural Load Port Data Sampling |
MLPDS |
RIDL |
|
CVE-2018-12130 |
Microarchitectural Fill Buffer Data Sampling |
MFBDS |
ZombieLoad |
|
CVE-2019-11091 |
Microarchitectural Data Sampling Uncacheable Memory |
MDSUM |
RIDL |
The MDS vulnerabilities all focus on the “sampling” of data from CPU buffers that reside between the processor and cache. The term “sampling” here can be described as eavesdropping on the buffers and capturing the data frequently.
ZombieLoad
CVE-2018-12130 or the “ZombieLoad” attack, is so named because the CPU “resurrects your private browsing history and other sensitive data,” which can be achieved by targeting the fill buffer (MFBDS) logic of the processor. In a demo video, the researchers behind ZombieLoad show how they are able to retrieve URLs accessed on a machine using the Tor Browser.
RIDL
RIDL is an acronym for “Rogue In-Flight Data Load,” which describes the leaking (or “sampling”) of in-flight data from the Line-Fill Buffers (MFBDS) and Load Ports (MLPDS) used by the CPU to load or store data from memory. The associated CVEs for RIDL are CVE-2018-12127, CVE-2019-11091, as well as overlap with CVE-2018-12130, which was discovered independently.
Researchers from VuSec have uploaded the following exploit demo videos showing successful attacks using RIDL vulnerabilities in three different scenarios:
RIDL leaking root password hash (over a 24-hour period):
RIDL leaking Linux kernel data:
RIDL from JavaScript:
Fallout
CVE-2018-12126, or the “Fallout” attack, was named by the researchers because “Fallouts are typically a direct consequence of Meltdowns,” indicating it is a follow-up to the Meltdown vulnerability. Fallout targets the Store Buffer (MSBDS), which is used by the CPU pipeline whenever it needs to store any data. What is most notable about this attack is that “an unprivileged attacker can then later pick which data they leak” from the Store Buffer. The researchers behind the discovery of Fallout say that despite the hardware countermeasures introduced to address Meltdown, the CPUs are now more vulnerable to attacks like Fallout.
Unlike ZombieLoad or RIDL, there do not appear to be any demo videos for Fallout at the time of publication for this blog.
Proof of concept
Researchers have published proof-of-concept (PoC) code to Github for ZombieLoad, but there do not appear to be any PoCs for RIDL or Fallout at the time this blog was published.
Solution
Intel has published a document with a list of planned or available microcode updates for different Intel CPUs, as well as a list of products where no microcode update will be provided. Intel has also stated that the MDS vulnerabilities are addressed in 8th and 9th Generation Intel Core processors and the 2nd Generation Intel Xeon Scalable processor family.
The following vendors have published advisories, knowledge base, support and FAQ articles detailing their efforts to address MDS for their operating systems, products and cloud-based services, including microcode and software updates:
- Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities
- Guidance for mitigating speculative execution side-channel vulnerabilities in Azure
- Apple: Additional mitigations for speculative execution vulnerabilities in Intel CPUs
- Google FAQ: Product Status: Microarchitectural Data Sampling (MDS)
- Red Hat: Vulnerability Response - Microarchitectural Data Sampling
- Ubuntu: Microarchitectural Data Sampling (MDS)
- Debian: DSA-4444-1 linux -- security update (MDS)
- SuSE: Security vulnerability: Microarchitectural Data Sampling (MDS)
- VMWare: VMSA-2019-0008 (MDS)
- AWS: Intel Quarterly Security Release (QSR) 2019.1
- Oracle: Intel Processor MDS Vulnerabilities
- Citrix: Microarchitectural data sampling security issues and mitigations
- IBM Addresses Reported Intel Security Vulnerabilities
Other vendors will likely follow up and provide patches in the coming weeks and months.
Identifying affected systems
A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.
Get more information
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
관련 기사
CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor
April 25, 2024Frequently asked questions about CVE-2024-20353 and CVE-2024-20359, two vulnerabilities associated with “ArcaneDoor,” the espionage-related campaign targeting Cisco Adaptive Security Appliances.
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
Cybersecurity Snapshot: Latest MITRE ATT&CK Update Offers Security Insights on GenAI, Identity, Cloud and CI/CD
April 26, 2024Check out what’s new in Version 15 of the MITRE ATT&CK knowledge base of adversary tactics, techniques and procedures. Plus, learn the latest details about the Change Healthcare breach, including the massive scope of the data exfiltration. In addition, why AI cyberthreats aren’t impacting CISOs’ budgets. And much more!
CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor
April 25, 2024Frequently asked questions about CVE-2024-20353 and CVE-2024-20359, two vulnerabilities associated with “ArcaneDoor,” the espionage-related campaign targeting Cisco Adaptive Security Appliances.
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
April 23, 2024A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
- Vulnerability Management