Threat Intelligence Report: Intel Processor MDS Vulnerabilities – (ZombieLoad)

Date: 15/MAY/2019

Summary: Intel has published information about a new subclass of speculative execution side channel vulnerabilities known as Microarchitectural Data Sampling (MDS). These attacks are similar to the Spectre, Meltdown, and Foreshadow vulnerabilities widely reported in 2018.

An attacker who successfully exploited these vulnerabilities may be able to read privileged data across trust boundaries.

• In shared resource environments (such as exist in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another.
• In standalone systems, an attacker would need prior access to the system or an ability to run a specially crafted application on the target system to leverage these vulnerabilities.

Tactics, techniques and procedures: MDS is a sub-class of previously disclosed speculative execution side channel vulnerabilities and is comprised of four related techniques. Under certain conditions, MDS provides a program the means to read confidential data.

MDS techniques are based on a sampling of data leaked from small structures within the CPU using a locally executed speculative execution side channel. Practical exploitation of MDS is a very complex undertaking. MDS does not, by itself, provide an attacker with a way to choose the data that is leaked.

MDS is addressed in hardware starting with select 8th and 9th Generation Intel Core processors, as well as the 2nd Generation Intel Xeon Scalable processor family.

Conclusions: Exploiting the MDS vulnerabilities outside the controlled conditions of a research environment is a complex task. MDS vulnerabilities have been classified as low to medium severity per the industry standard Common Vulnerability Scoring System (CVSS), since there are no reports of any of these vulnerabilities being exploited.

Firmware (microcode) and software updates are required to mitigate the risk of these attacks.

Microsoft has released software updates to help mitigate these vulnerabilities, in the form of Windows OS, HoloLens and SQL Server updates, but has also cautioned that microcode updates from either Intel or OEMs will also be required. Of particular note, however, is that in some cases installing these updates will have a material performance impact.

Common Vulnerabilities and Exposures: These vulnerabilities are known as:

• CVE-2018-12126 – Microarchitectural Store Buffer Data Sampling (MSBDS)
• CVE-2018-12130 – Microarchitectural Fill Buffer Data Sampling (MFBDS)
• CVE-2018-12127 – Microarchitectural Load Port Data Sampling (MLPDS)
• CVE-2019-11091 – Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

Advice: We advise that all operating system security updates are applied promptly. Unfortunately, at the time of writing, Microsoft said that Intel CPU microcode updates are not yet available for the following systems:

• Windows 10 Version 1803 for x64-based Systems
• Windows Server, version 1803 (Server Core Installation)
• Windows 10 Version 1809 for x64-based Systems
• Windows Server 2019
• Windows Server 2019 (Server Core installation)

Apple and the Linux project are expected to have operating system updates roll out in the coming days.

Firmware updates, however, may have a material impact on system performance. We advise organisations to carefully assess the risk posed by the vulnerabilities and weigh it against the benefit of current system performance, so as to make a risk-based decision on whether to fully mitigate the vulnerabilities by applying fixes to processors.

Finally, we advise organisations using cloud environments to perform due diligence on cloud providers to ensure data is not exposed by these vulnerabilities.
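
On Linux hosts, a kernel carrying the MDS updates reports its own view of the mitigation state, including the case where the operating system update is installed but the microcode update is still missing. The following is an added example, not part of the original report, that classifies that status line for patch tracking. The sysfs path is the Linux kernel's interface rather than something named in this report, the function names are hypothetical, and the sample lines are constructed.

```python
"""Classify a Linux host's MDS mitigation state from the kernel's sysfs report."""
from pathlib import Path
from typing import Optional

# Kernel status file (assumption: a kernel that includes the MDS updates).
MDS_STATUS = Path("/sys/devices/system/cpu/vulnerabilities/mds")

# Constructed sample lines in the format the kernel uses for this file.
SAMPLES = [
    "Not affected",
    "Vulnerable; SMT vulnerable",
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "Mitigation: Clear CPU buffers; SMT disabled",
]


def classify_mds(status: str) -> dict:
    """Turn one status line into the facts needed for a patching decision."""
    # The kernel appends the SMT (hyper-threading) state after a ';'.
    head, _, smt = status.strip().partition(";")
    head, smt = head.strip(), smt.strip()
    if head == "Not affected":
        state = "not_affected"
    elif head.startswith("Mitigation:"):
        state = "mitigated"
    elif "no microcode" in head:
        # OS update is present, but the CPU microcode update is missing.
        state = "needs_microcode"
    elif head.startswith("Vulnerable"):
        state = "vulnerable"
    else:
        state = "unknown"
    return {"state": state, "smt": smt or None}


def read_host_status(path: Path = MDS_STATUS) -> Optional[str]:
    """Return the host's status line, or None when the file is absent
    (non-Linux system, or a kernel that predates the MDS updates)."""
    try:
        return path.read_text()
    except OSError:
        return None


if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{classify_mds(line)['state']:16} <- {line}")
    host = read_host_status()
    print("this host:", classify_mds(host) if host else "no MDS status file")
```

A result of `needs_microcode` identifies hosts where the software update alone has not closed the gap described in the Conclusions.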
