09 May 2019
“Zombieload” vulnerabilities of the microarchitectural data sampling (MDS) variety have been discovered by researchers Michael Schwarz, Moritz Lipp, and Daniel Gruss at Graz University of Technology in Austria, as well as Jo Van Bulk at Belgium’s KU Leuven. These latest flaws in Intel processors can be utilized by attackers to steal private data from PCs and servers, cloud environments, and virtual machines.
Researchers say that any Intel Core or Xeon CPU released after 2011 is vulnerable. “ZombieLoad is a novel category of side-channel attacks,” said the researchers in their blog post, “which we refer to as data-sampling attack. While programs normally only see their own data, a malicious program can exploit the fill buffers to get hold of secrets currently processed by other running programs. These secrets can be user-level secrets, such as browser history, website content, user keys, and passwords, or system-level secrets, such as disk encryption keys.”
The four vulnerabilities that comprise ZombieLoad are:
CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (MFBDS)
CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS)
CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
Red Hat released a security alert that warns the flaw is particularly dangerous on public clouds running untrusted workloads in shared-tenancy environments, and the flaw applies to users of Andoird, Chrome, iOS, Linux, MacOS, and Windows operating systems. While the Intel patches released help prevent the vulnerabilities from being exploited, the only way to truly block an attack is to disable hyperthreading. Unfortunately, disabling hyperthreading may reduce processor performance by up to 9 percent, particularly in some cloud environments.
“Some current processors and future processors will have microarchitectural data sampling methods mitigated in the hardware,” Intel says. “For processors that are affected, the mitigation for microarchitectural data sampling issues includes overwriting store buffers, fill buffers, and load ports before transitioning to possibly less-privileged code.”
Whether Zombieland vulnerabilities have been utilized in the wild is not known. Amazon and Google have already applied patches to their cloud environments. Apple included the fixes as part of their Mojave and Safari updates.