Intel CPU MDS Vulnerabilities

Summary

Security researchers have disclosed details of four speculative execution side-channel vulnerabilities affecting all Intel x86 central processing units (CPUs) released since 2008.


Threat details

They claim that the Microarchitectural Data Sampling (MDS) vulnerabilities, collectively known as ZombieLoad, Rogue In-Flight Data Load (RIDL), Fallout and Store-to-Leak Forwarding (SLF), can be exploited to obtain sensitive information from an affected system.

Intel describes these MDS vulnerabilities in broadly similar terms to earlier cache-based vulnerabilities such as Meltdown, but targeting buffers instead: small physical memory locations where data is held temporarily before being moved on. Modern CPUs have a number of such buffers, of which the following three are affected by these vulnerabilities:

  • Line fill buffers (LFB) - used to store previously unseen values before they are written to the L1 cache.
  • Store buffers - used to store values before they are written to primary memory.
  • Load port buffers - used to copy data from memory to registers.

ZombieLoad: By targeting LFB logic, it is possible to retrieve the data of previous memory load operations from the current and sibling processor threads before it is moved out of the LFB. When combined with existing techniques, ZombieLoad can be leveraged to obtain data from other processes, virtual machines or the Intel Software Guard Extensions (SGX) secure enclave.

RIDL: Similarly to ZombieLoad, RIDL targets the LFB along with load port buffers, and can retrieve data from the kernel as well as other processes or secure enclaves.

Fallout: By exploiting an Intel CPU optimisation known as Write Transient Forwarding, which can incorrectly pass values through the store buffer for use by programs, it is possible to obtain data that has been recently written by the kernel and read it from user space. Fallout is also able to bypass Kernel Address Space Layout Randomisation (KASLR).

SLF: At the time of publication, there is little information available regarding SLF, with only an abstract published, although it appears the store buffer is again targeted.

At the time of publication it appears that only Intel CPU products are affected by these vulnerabilities.

For further information:


Remediation steps

Intel have partially addressed these vulnerabilities with new microcode patches, which have now been provided to their vendors for integration with their own platforms. However, it appears unlikely that full software-based mitigation of these vulnerabilities is possible. Organisations should contact their relevant suppliers to obtain these patches and apply them immediately. Intel have also suggested disabling simultaneous multi-threading (SMT) as a workaround if patches cannot be applied.
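A check for the two measures above on Linux hosts, added here as an example and not part of the advisory. It assumes the kernel's sysfs interfaces (/sys/devices/system/cpu/vulnerabilities/mds and /sys/devices/system/cpu/smt/control) and the report strings documented for them; neither comes from the page.

```shell
#!/bin/sh
# Added example (not from the advisory): interpret the kernel's MDS report and the
# SMT control state to confirm that the microcode update and the SMT workaround
# have taken effect. Values are passed as strings so the logic can be run against
# constructed samples as well as live sysfs output (formats assumed from kernel docs).

# classify_mds MDS_LINE -> microcode/kernel state as one token
classify_mds() {
  case "$1" in
    "Not affected"*)                                           echo not_affected ;;
    "Mitigation: Clear CPU buffers"*)                          echo mitigated ;;
    "Vulnerable: Clear CPU buffers attempted, no microcode"*)  echo no_microcode ;;
    "Vulnerable"*)                                             echo vulnerable ;;
    *)                                                         echo unknown ;;
  esac
}

# smt_state MDS_LINE SMT_CONTROL -> "on" if sibling threads still share buffers.
# Prefers the SMT suffix in the MDS line; falls back to the smt/control file.
smt_state() {
  case "$1" in
    *"SMT disabled"*|*"SMT mitigated"*) echo off; return 0 ;;
    *"SMT vulnerable"*)                 echo on;  return 0 ;;
  esac
  case "$2" in
    off|forceoff|notsupported|notimplemented) echo off ;;
    on)                                      echo on ;;
    *)                                       echo unknown ;;   # e.g. inside a VM
  esac
}

# verdict MDS_LINE SMT_CONTROL -> "ok" when not affected, or mitigated with SMT off;
# otherwise prints what is still missing and returns 1
verdict() {
  m=$(classify_mds "$1")
  s=$(smt_state "$1" "$2")
  if [ "$m" = not_affected ]; then echo ok; return 0; fi
  if [ "$m" = mitigated ] && [ "$s" = off ]; then echo ok; return 0; fi
  if [ "$m" = mitigated ]; then echo smt_enabled; return 1; fi
  echo "$m"; return 1
}

# Live check when run on a Linux host (the files are absent elsewhere).
if [ -r /sys/devices/system/cpu/vulnerabilities/mds ]; then
  live=$(verdict "$(cat /sys/devices/system/cpu/vulnerabilities/mds)" \
                 "$(cat /sys/devices/system/cpu/smt/control 2>/dev/null)") || true
  echo "this host: $live"
fi
```

A result of "smt_enabled" means the microcode is in place but sibling threads still share the affected buffers, which is the case the SMT workaround addresses.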

As with the Meltdown and Spectre vulnerabilities, patches should be applied with the following priorities:

  • Hypervisors and other virtualisation or containerisation systems.
  • Desktop devices.
  • Personal or mobile devices.

All other systems should be patched using your standard process.

A list of vendor information and guidance is given below. Note: this list may not be current or comprehensive.

Update

Microsoft has released microcode updates to partially address MDS vulnerabilities in older versions of Windows 10. Users and administrators are encouraged to apply the following updates when possible:


Last edited: 14 February 2020 2:50 pm