Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Microarchitectural Data Sampling: Speculative Execution Side-Channel Vulnerabilities Found in Intel CPUs

Researchers disclose speculative execution side-channel attacks named ZombieLoad, RIDL and Fallout in Intel Central Processing Units (CPUs).

Background

On May 14, public disclosures from multiple research groups regarding a new set of speculative execution side-channel vulnerabilities in Intel CPUs were published, along with software updates from various operating system, virtualization and cloud vendors. The vulnerabilities, independently discovered but collectively referred to as Microarchitectural Data Sampling (or MDS) attacks, are also individually named ZombieLoad, RIDL and Fallout by the researchers who discovered them. They follow in the footsteps of the Spectre and Meltdown vulnerabilities reported in 2018.

Analysis

The following is a table of the four CVEs associated with MDS attacks, which includes acronyms and associated names.

CVE

Name

Acronym

Named Vulnerability

CVE-2018-12126

Microarchitectural Store Buffer Data Sampling

MSBDS

Fallout

CVE-2018-12127

Microarchitectural Load Port Data Sampling

MLPDS

RIDL

CVE-2018-12130

Microarchitectural Fill Buffer Data Sampling

MFBDS

ZombieLoad

CVE-2019-11091

Microarchitectural Data Sampling Uncacheable Memory

MDSUM

RIDL

The MDS vulnerabilities all focus on the “sampling” of data from CPU buffers that reside between the processor and cache. The term “sampling” here can be described as eavesdropping on the buffers and capturing the data frequently.

ZombieLoad


CVE-2018-12130 or the “ZombieLoad” attack, is so named because the CPU “resurrects your private browsing history and other sensitive data,” which can be achieved by targeting the fill buffer (MFBDS) logic of the processor. In a demo video, the researchers behind ZombieLoad show how they are able to retrieve URLs accessed on a machine using the Tor Browser.

RIDL

RIDL is an acronym for “Rogue In-Flight Data Load,” which describes the leaking (or “sampling”) of in-flight data from the Line-Fill Buffers (MFBDS) and Load Ports (MLPDS) used by the CPU to load or store data from memory. The associated CVEs for RIDL are CVE-2018-12127, CVE-2019-11091, as well as overlap with CVE-2018-12130, which was discovered independently.

Researchers from VuSec have uploaded the following exploit demo videos showing successful attacks using RIDL vulnerabilities in three different scenarios:

RIDL leaking root password hash (over a 24-hour period):

RIDL leaking Linux kernel data:

RIDL from JavaScript:

Fallout

CVE-2018-12126, or the “Fallout” attack, was named by the researchers because “Fallouts are typically a direct consequence of Meltdowns,” indicating it is a follow-up to the Meltdown vulnerability. Fallout targets the Store Buffer (MSBDS), which is used by the CPU pipeline whenever it needs to store any data. What is most notable about this attack is that “an unprivileged attacker can then later pick which data they leak” from the Store Buffer. The researchers behind the discovery of Fallout say that despite the hardware countermeasures introduced to address Meltdown, the CPUs are now more vulnerable to attacks like Fallout.

Unlike ZombieLoad or RIDL, there do not appear to be any demo videos for Fallout at the time of publication for this blog.

Proof of concept

Researchers have published proof-of-concept (PoC) code to Github for ZombieLoad, but there do not appear to be any PoCs for RIDL or Fallout at the time this blog was published.

Solution

Intel has published a document with a list of planned or available microcode updates for different Intel CPUs, as well as a list of products where no microcode update will be provided. Intel has also stated that the MDS vulnerabilities are addressed in 8th and 9th Generation Intel Core processors and the 2nd Generation Intel Xeon Scalable processor family.

The following vendors have published advisories, knowledge base, support and FAQ articles detailing their efforts to address MDS for their operating systems, products and cloud-based services, including microcode and software updates:

Other vendors will likely follow up and provide patches in the coming weeks and months.

Identifying affected systems

A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.