Academics have discovered a new class of vulnerabilities in Intel processors that can allow attackers to retrieve data being processed inside a CPU.
The leading attack in this new vulnerability class is a security flaw named Zombieload, which is another side-channel attack in the same category as Meltdown, Spectre, and Foreshadow.
New attack on speculative execution
Just like the first three, Zombieload is exploited by taking advantage of the speculative execution process, which is an optimization technique that Intel added to its CPUs to improve data processing speeds and performance.
For more than a year, academics have been poking holes in various components of the speculative execution process, revealing ways to leak data from various CPU buffer zones and data processing operations. Meltdown, Spectre, and Foreshadow have shown how various CPU components leak data during the speculative execution process.
Today, an international team of academics -- including some of the people involved in the original Meltdown and Spectre research -- along with security researchers from Bitdefender have disclosed a new attack impacting the speculative execution process.
This one is what researchers have named a Microarchitectural Data Sampling (MDS) attack, and targets a CPU's microarchitectural data structures, such as the load, store, and line fill buffers, which the CPU uses for fast reads/writes of data being processed inside the CPU. These are smaller-sized caches that are used alongside the main CPU cache.
By exploiting normal speculative execution operations that work within these microarchitectural structures, an MDS attack can infer data that is being processed in the CPU by other apps, to which an attacker shouldn't normally have access to.
Academics have discovered four such MDS attacks, targeting store buffers (CVE-2018-12126 aka Fallout), load buffers (CVE-2018-12127), line fill buffers (CVE-2018-12130, aka the Zombieload attack, or RIDL), and uncacheable memory (CVE-2019-11091) --with Zombieload being the most dangerous of all because it can retrieve more information than the others.
There are both good news and bad news in regards to Zombieload and fellow MDS attacks.
The bad news
In several research papers published today, academics say that all Intel CPUs released since 2011 are most likely vulnerable.
Processors for desktops, laptops, and (cloud) servers are all impacted, researchers said on a special website they've set up with information about the Zombieload flaws.
Several YouTube demos [1, 2, 3] showed just how deadly MDS attacks can be, with researchers employing in one case a Zombieload attack to monitor websites that a user was visiting using a privacy-protecting Tor Browser running inside a virtual machine.
What this means is that malware capable of carrying out a Zombieload attack can effectively break all privacy protections that exist between apps, similar to how both Meltdown and Spectre broke those lines, but via other vulnerabilities in the speculative execution process.
The good news
But things aren't as bleak as they were when Meltdown and Spectre were first disclosed in January 2018. For starters, Intel hasn't been caught with its pants down like the last time, and the company has already shipped microcode updates.
Furthermore, newer processors aren't impacted, as they already include protections against speculative execution attacks --such as the MDS attacks-- since last year when Meltdown and Spectre first hit, and Intel modified the way its CPU's worked.
In addition, Microsoft, Apple, and the Linux project are expected to have operating system updates roll out later today, or in the coming days.
"Microarchitectural Data Sampling (MDS) is already addressed at the hardware level in many of our recent 8th and 9th Generation Intel Core processors, as well as the 2nd Generation Intel Xeon Scalable Processor Family," Intel told ZDNet via email last week.
"For other affected products, mitigation is available through microcode updates, coupled with corresponding updates to operating system and hypervisor software that are available starting today."
Furthermore, in its own technical paper on the MDS attacks, Intel also points out other issues with this attack that makes it highly unlikely that Zombieload and its two brethren flaws would ever be used in a real-world scenario:
- These structures are much smaller than the first level data cache (L1D), and therefore hold less data and are overwritten more frequently.
- As with other speculative execution side channels, exploiting these vulnerabilities outside of a laboratory environment is extremely complex relative to other methods that attackers have at their disposal.
- It is also more difficult to use MDS attacks to infer data that is associated with a specific memory address, which may require the malicious actor to collect significant amounts of data to analyze and locate any secret data.
- Only recently accessed data can be leaked with one of these MDS attacks.
- Turning off hyperthreading prevents attacks.
The best course of action right now is to apply all the patches that will be released later today. Additional reading material is available below (some links will be added as they become public):
Website dedicated to all MDS attacks
Zombieload research paper
Bitdefender technical paper
Intel on MDS attacks
Intel security updates
PDF file listing all MDS-vulnerable Intel CPUs
Windows, Mac, Linux, Red Hat, and Google products security updates
Many of 2018's most dangerous Android and iOS security flaws still threaten your mobile security
More vulnerability reports:
- 'Unhackable' eyeDisk flash drive exposes passwords in clear text
- Security flaws in 100+ Jenkins plugins put enterprise networks at risk
- Thrangrycat flaw lets attackers plant persistent backdoors on Cisco gear
- Over 25,00 smart Linksys routers are leaking sensitive data
- Alpine Linux Docker images ship a root account with no password
- Over two million IoT devices vulnerable because of P2P component flaws
- KRACK attack: Here's how companies are responding CNET
- Top 10 app vulnerabilities: Unpatched plugins and extensions dominate TechRepublic