
Published on May 15th, 2019


Intel, industry scramble to mitigate ZombieLoad side-channel processor vulnerability



Four new CVEs affecting Intel processors, which combine to create a
vulnerability called ZombieLoad, were made public today. Left unpatched, they
could leave a computer open to a side-channel attack that allows someone to
bypass protections and read memory.

The flaws, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130 and
CVE-2019-11091, impacted a number of companies, with Apple, Google, Microsoft and
Amazon Web Services issuing updates. ZombieLoad, more formally known as microarchitectural
data sampling (MDS), can leak a variety of information.

Intel posted today that the problems were first identified by the
company’s internal researchers and partners and independently reported by external
researchers. “MDS is a sub-class of previously disclosed speculative execution
side channel vulnerabilities and is comprised of four related techniques.”

“Attacks exploiting these vulnerabilities could expose
potentially sensitive data, from payment information to customer records, on
nearly any computer, mobile device or cloud deployment,” said Denise Dumas,
vice president, Operating System Platform at Red Hat.

According to Red Hat:

  • CVE-2018-12126 is a flaw that could lead to
    information disclosure from the processor store buffer.
  • CVE-2018-12127 is an exploit of the
    microprocessor load operations that can provide data to an attacker about CPU
    registers and operations in the CPU pipeline.
  • CVE-2018-12130 is the most serious of the three
    issues and involved the implementation of the microprocessor fill buffers and
    can expose data within that buffer.
  • CVE-2019-11091 is a flaw in the implementation of
    the “fill buffer,” a mechanism used by modern CPUs when a cache-miss
    is made on L1 CPU cache.

All the CVEs can be corrected by applying updated CPU microcode and
kernel patches and by disabling Hyper-Threading, although disabling
Hyper-Threading can cause processor performance issues.
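One way to check a Linux host against the three measures above, as an added example that is not from the article, Intel or Red Hat. It assumes the Linux kernel's sysfs file `/sys/devices/system/cpu/vulnerabilities/mds` and its documented status strings; the function name `mds_gaps` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: map the kernel's MDS status string to the measures that are
# still outstanding (kernel mitigation, microcode, SMT/Hyper-Threading).

# mds_gaps STATUS -> prints "none", "unknown", or a space-separated gap list.
mds_gaps() {
    s=$1
    gaps=""
    case $s in
        "Not affected"*)                  echo none; return 0 ;;
        "Mitigation: Clear CPU buffers"*) ;;  # kernel patch and microcode active
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
                                          gaps="microcode" ;;
        "Vulnerable"*)                    gaps="kernel-mitigation" ;;
        *)                                echo unknown; return 0 ;;
    esac
    # The SMT suffix is reported separately: buffers may be cleared on context
    # switch while a sibling hyper-thread can still sample them.
    case $s in
        *"SMT vulnerable"*|*"SMT Host state unknown"*)
            gaps="${gaps:+$gaps }smt" ;;
    esac
    echo "${gaps:-none}"
}

# Constructed sample status lines in the kernel's documented format.
while IFS= read -r line; do
    printf '%-70s => %s\n' "$line" "$(mds_gaps "$line")"
done <<'EOF'
Mitigation: Clear CPU buffers; SMT disabled
Mitigation: Clear CPU buffers; SMT vulnerable
Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
Vulnerable; SMT disabled
Not affected
EOF

# Live check; a missing file means a non-Linux system or a kernel that
# predates MDS reporting and therefore needs the kernel update.
MDS_FILE=/sys/devices/system/cpu/vulnerabilities/mds
if [ -r "$MDS_FILE" ]; then
    live=$(cat "$MDS_FILE")
    echo "this host: $live => $(mds_gaps "$live")"
else
    echo "this host: $MDS_FILE not present"
fi
```

A result of `smt` on an otherwise mitigated host reflects the Hyper-Threading trade-off described above: buffer clearing is active, but sibling threads remain a sampling path until SMT is disabled.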

Intel said that for products where MDS is not addressed in hardware, it is releasing
processor microcode updates (MCU) as part of its regular update process with
OEMs. These are coupled with corresponding updates to operating system and
hypervisor software. When these mitigations are enabled, minimal performance
impacts are expected for the majority of PC client application based
benchmarks.





Apple support reported it has released security updates in macOS Mojave 10.14.5 to
protect against speculative execution vulnerabilities in Intel CPUs and that
the issues addressed by these security updates do not affect Apple iOS devices
or Apple Watch.

Google said it has taken steps to mitigate the problem in its product line, including
search, YouTube, Google Ads products, Maps, Blogger and Android.

Microsoft rolled out its patches as part of its normal monthly Patch Tuesday offering and
added that it has no information on whether the vulnerabilities have been exploited in the
wild.

AWS said it has designed and implemented its infrastructure with protections
against these types of bugs, and has also deployed additional protections for
MDS. All EC2 host infrastructure has been updated with these new protections,
and no customer action is required at the infrastructure level.

“This bug is new but it is similar to Spectre and Meltdown
because the bug can be used to leak data from one security context to another
via the CPU. This means the risk is to systems running code from different
users. This is typical in cloud environments where multiple customers share the
same CPU but another case is browsers running untrusted JavaScript. A malicious
website could compromise private data on a system that renders a page with
malicious JavaScript,” said Chris Wysopal, Veracode’s CTO.
