ZombieLoad, RIDL, and Fallout - Microarchitectural Data Sampling vulnerabilities

Intel published this Tuesday on 14th of May a new class of vulnerabilities which are related to the already year-old speculative execution attacks. The newly-disclosed Microarchitectural Data Sampling (MDS) hardware vulnerabilities were found independently by multiple teams and are affecting most modern Intel CPUs.

Microarchitectural Data Sampling (MDS) vulnerabilities

Currently reported vulnerabilities called ZombieLoad, RIDL, and Fallout, as well as a fourth unnamed exploit, take advantage of the speculative execution attacks to allow attackers to leak private data across arbitrary security boundaries on a victim system. Intel has collectively titled these attacks as Microarchitectural Data Sampling, or MDS, side-channel vulnerabilities. Unlike existing attacks, the new line of attacks can leak arbitrary in-flight data from CPU-internal buffers: Line Fill Buffers, Load Ports, Store Buffers, including data never stored in CPU caches. While MDS is related to the previous speculative execution attacks Specter and Meltdown, in contrast, it does not need to make assumptions about the memory layout in the target data and does not depend on the processor cache. Leveraging these vulnerabilities, attackers who can run unprivileged code on the victim's system with an affected Intel CPU, are able to steal data from other programs running on the same machine. According to the researchers, the attack can target shared cloud computing resources as well as personal computers via malicious JavaScript served by infected websites or advertisements. Fortunately, like with the previous speculative execution vulnerabilities, there is no way to make targeted attacks against specific data or virtual machine. This is due to the guest servers having no way to choose which physical CPU core they use. A total of 4 MDS related CVEs have been assigned by Intel for the exploits: [MFBDS] CVE-2018-12130, [MLPDS] CVE-2018-12127, [MDSUM] CVE-2019-11091 and [MSBDS] CVE-2018-12126.

Mitigation in works

We learned of the new vulnerabilities as they were published and immediately began validating available mitigation methods. Intel has already provided CPU microcode updates and recommendations for mitigation strategies for operating systems and hypervisor software. We are working to apply these updates across our infrastructure while also exploring other options for further mitigation. The security updates will not cause interruptions to our users. According to the researchers, it's recommended to disable Simultaneous Multi-Threading (SMT), also known as Intel Hyper-Threading Technology. This is reported to significantly reduce the impact of MDS-based attacks without the cost of more complex mitigations. While Hyper-Threading can improve system performance in certain workloads, we are disabling it on all hosts that were still using it to mitigate the vulnerabilities. These new attacks are able to violate the kernel privacy by extracting information from within it. Moreover, attackers using these vulnerabilities could expose the kernel's location in the system's memory, simplifying other exploits. Therefore, we highly recommend all our users to keep their cloud servers up to date on security updates provider for your operating system vendor. We are also upgrading our public templates to make sure all future deployments include the latest security updates to mitigate these attacks. Should you have any further questions, please don’t hesitate to contact us.

More information:

• https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-microarchitectural-data-sampling
• https://software.intel.com/security-software-guidance/software-guidance/microarchitectural-data-sampling