New Class of Vulnerabilities Leak Data From Intel Chips
Millions of computers powered by Intel processors are affected by vulnerabilities that can be exploited by malicious actors to obtain potentially sensitive information. Intel and other tech giants have already released patches and mitigations.
The side-channel attack methods, named ZombieLoad, RIDL (Rogue In-Flight Data Load), and Fallout, are similar to the notorious Meltdown and Spectre, which researchers first disclosed in January 2018. At the time, experts accurately predicted that other similar speculative execution attacks would be discovered.
The attack methods work against both PCs and cloud environments, and they can be launched against most Intel CPUs made in the past decade. The techniques can be used to get applications, the operating system, virtual machines and trusted execution environments to leak information, including passwords, website content, disk encryption keys and browser history.
For example, experts have demonstrated that hackers can use the ZombieLoad attack, which is a subclass of RIDL, to obtain a user’s browsing history even if the victim surfs the web from a virtual machine and uses the Tor anonymity network.
The Fallout method is mostly useful for determining the operating system’s memory position, which researchers say strengthens the other attacks.
Researchers warned that it may be difficult for cybersecurity software to detect attacks, and exploitation of the flaws might not leave any traces in log files. For the time being, there is no evidence of malicious attacks and experts believe the flaws are more likely to be exploited in highly targeted operations.
Intel said the vulnerabilities were first identified by its own researchers and partners, and later independently reported by others, including experts who discovered the original Meltdown and Spectre vulnerabilities. The company has credited researchers from the University of Michigan, Worcester Polytechnic Institute, Graz University of Technology, imec-DistriNet, KU Leuven, University of Adelaide, Microsoft, the VUSec group at VU Amsterdam, Bitdefender (which published its own paper), Oracle, and Qihoo 360.
A timeline published by researchers shows that Intel started receiving reports about the weaknesses in June 2018.
The flaws, described by Intel as Microarchitectural Data Sampling (MDS), have been assigned the following names and CVE identifiers: Microarchitectural Store Buffer Data Sampling (MSBDS, CVE-2018-12126), Microarchitectural Load Port Data Sampling (MLPDS, CVE-2018-12127), Microarchitectural Fill Buffer Data Sampling (MFBDS, CVE-2018-12130), and Microarchitectural Data Sampling Uncacheable Memory (MDSUM, CVE-2018-11091).
“Under certain conditions, MDS provides a program the potential means to read data that program otherwise would not be able to see,” Intel said. “MDS techniques are based on a sampling of data leaked from small structures within the CPU using a locally executed speculative execution side channel. Practical exploitation of MDS is a very complex undertaking. MDS does not, by itself, provide an attacker with a way to choose the data that is leaked.”
Intel has calculated the CVSS scores for each of the vulnerabilities and classified three of them as “medium” and one as “low” severity.
The CPU maker says its newer products, including some 8th and 9th generation Core processors and 2nd generation Xeon Scalable processors, address these vulnerabilities at hardware level. Some of the other impacted products have already received or will receive microcode updates that should mitigate the flaws. Intel has published a list of the processors for which it will release microcode updates and for which it will not release any updates.
Intel says the mitigations should have minimal performance impact for a majority of PCs, but performance may be impacted in the case of data center workloads.
According to some of the researchers who discovered the ZombieLoad, RIDL and Fallout vulnerabilities, defenses for previously disclosed speculative execution attacks are inefficient against the new threats and in some cases they even “make things worse.”
Research papers have been published and dedicated websites have been set up for each of the attack methods. Proof-of-concept (PoC) exploits, videos showing the exploits in action, and tools that allow users to check whether their system is vulnerable have also been made available. A separate paper also describes a method called Store-to-Leak Forwarding, which shows that Meltdown-like attacks are still possible.
ARM and AMD processors do not appear to be affected. Microsoft, Google, Apple, the Xen Project and Linux distributions have published blog posts and advisories for these flaws. Microsoft, Google, Apple and HP have taken steps to protect customers against potential attacks.
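On Linux, administrators can confirm whether the microcode and operating system mitigations described above are actually in effect by reading the kernel's MDS status file. The script below is an added example, not taken from the article or from any vendor tool; it assumes a Linux kernel that exposes /sys/devices/system/cpu/vulnerabilities/mds, and the function names and verdict labels are illustrative.

```shell
#!/bin/sh
# Added example: interpret the Linux kernel's MDS mitigation status.
# Assumption: the running kernel exposes the status at this sysfs path.
MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# classify_mds STATUS
# Prints one verdict label (labels are this example's own):
#   not_affected | mitigated | mitigated_smt_exposed | no_microcode
#   | vulnerable | unknown
classify_mds() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation: Clear CPU buffers"*)
            # Buffer clearing is active, but sibling hyperthreads may
            # still observe each other's in-flight data.
            case "$1" in
                *"SMT vulnerable"*|*"SMT Host state unknown"*)
                    echo mitigated_smt_exposed ;;
                *) echo mitigated ;;
            esac ;;
        # Kernel is patched but the CPU microcode update is missing.
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
            echo no_microcode ;;
        "Vulnerable"*) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# report_mds [FILE]
# Prints the verdict for FILE (default: the sysfs path above).
# Returns 0 for not_affected/mitigated, 1 for any exposed state,
# 2 when the file is unreadable (old kernel or non-Linux host).
report_mds() {
    file=${1:-$MDS_SYSFS}
    if [ ! -r "$file" ]; then
        echo unknown
        return 2
    fi
    verdict=$(classify_mds "$(cat "$file")")
    echo "$verdict"
    case "$verdict" in
        not_affected|mitigated) return 0 ;;
        *) return 1 ;;
    esac
}

# Report the state of the local machine; never abort the caller.
report_mds || true
```

A `no_microcode` verdict means the kernel is patched but the processor has not received the microcode update, so the mitigation is not effective until the firmware or microcode package is updated.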