New vulnerabilities discovered in Intel processors


Intel has released information about a new class of vulnerabilities in its processors: MDS (Microarchitectural Data Sampling), which includes ZombieLoad among others.

Like the Spectre-class attacks reported earlier, the new issues can leak private data belonging to the operating system, virtual machines and other processes. It is claimed that the problems were first identified by Intel employees and partners during an internal audit.

Based on the identified problems, researchers at the Graz University of Technology (Austria) developed several practical side-channel attacks.

Identified vulnerabilities

ZombieLoad (PDF, exploit prototype for Linux and Windows): allows the extraction of confidential information from other processes, the operating system, virtual machines and protected enclaves (TEE, Trusted Execution Environment).

For example, it has been demonstrated that the browsing history of a Tor Browser running in another virtual machine can be determined, and that access keys and passwords used by applications can be recovered.

RIDL (PDF, proof-of-concept code): allows information to be leaked across isolation boundaries on Intel processors through microarchitectural structures such as fill buffers, store buffers, and load ports.

Attack examples are shown for leaking data from other processes, the operating system, virtual machines, and protected enclaves. For example, it shows how to recover the root password hash from /etc/shadow during periodic authentication attempts (the attack took 24 hours).

In addition, an example of carrying out the attack from JavaScript by opening a malicious page in the SpiderMonkey engine is shown (in full-fledged modern browsers such an attack is unlikely, due to the limited timer precision and the Spectre countermeasures).

Fallout (PDF): allows reading data recently written by the operating system and determining the layout of operating system memory in order to facilitate other attacks.

Store-to-Leak Forwarding: exploits the CPU's store buffer optimizations and can be used to bypass the kernel address space layout randomization (KASLR) mechanism, to monitor the state of the operating system, or to organize leaks in combination with Spectre-based gadgets.

CVE-2018-12126 - MSBDS (Microarchitectural Store Buffer Data Sampling), which recovers the contents of store buffers. Used in the Fallout attack. Severity rated 6.5 (CVSS).

CVE-2018-12127 - MLPDS (Microarchitectural Load Port Data Sampling), which recovers the contents of load ports. Used in the RIDL attack. CVSS 6.5.

CVE-2018-12130 - MFBDS (Microarchitectural Fill Buffer Data Sampling), which recovers the contents of fill buffers. Used in the ZombieLoad and RIDL attacks. CVSS 6.5.

CVE-2019-11091 - MDSUM (Microarchitectural Data Sampling Uncacheable Memory), which recovers the contents of uncacheable memory. Used in the RIDL attack. CVSS 3.8.

The essence of the identified problems is that side-channel analysis methods can be applied to data held in microarchitectural structures to which applications have no direct access.

Solutions have already been made available

In the Linux kernel, MDS protection has been added in today's updates 5.1.2, 5.0.16, 4.19.43, 4.14.119 and 4.9.176.

The protection method is based on clearing the contents of the microarchitectural buffers when returning from the kernel to user space or when transferring control to the host system, for which the VERW instruction is used.

Package updates have already been released for RHEL and Ubuntu, but not yet available for Debian, Fedora, and SUSE.

A fix to block virtual machine data leaks has been prepared for the Xen hypervisor and for VMware.

For virtualization systems that already execute the L1D_FLUSH command before transferring control to another virtual machine, and for Intel SGX enclaves, updating the microcode is sufficient for protection.
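The kernel updates, the VERW-based buffer clearing and the microcode requirement described above can be checked on a running Linux system. The following script is an added example and not part of the article or of any of the linked projects; it assumes a kernel carrying the MDS patches, which report the mitigation state in the sysfs file /sys/devices/system/cpu/vulnerabilities/mds, and a /proc/cpuinfo that lists the md_clear flag when the microcode turns VERW into a buffer flush.

```shell
#!/bin/sh
# Added example (not from the article): classify the MDS mitigation state that
# a patched Linux kernel reports, and confirm the microcode side of the fix.
# Assumptions: the sysfs status file below exists (MDS-patched kernels) and
# /proc/cpuinfo shows "md_clear" when the microcode supports VERW clearing.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# mds_verdict "<status line>" -> prints unaffected | mitigated | partial | vulnerable
mds_verdict() {
    case "$1" in
        "Not affected")
            echo unaffected ;;
        "Mitigation: Clear CPU buffers; SMT disabled"|"Mitigation: Clear CPU buffers; SMT mitigated")
            # VERW flush on return to user space and no sibling hyperthread left to sample from
            echo mitigated ;;
        "Mitigation: Clear CPU buffers"*)
            # Buffers are cleared on kernel exit, but a sibling thread on the same
            # core (or an unknown SMT state inside a VM) can still sample them
            echo partial ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode")
            # The kernel issues VERW, but without updated microcode it does not flush
            echo vulnerable ;;
        *)
            # Plain "Vulnerable" or an unrecognised string: treat as unprotected
            echo vulnerable ;;
    esac
}

# microcode_has_md_clear "<cpuinfo flags line>" -> exit 0 if md_clear is listed
microcode_has_md_clear() {
    case " $1 " in
        *" md_clear "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check on the running system (prints one summary line)
mds_check_live() {
    if [ ! -r "$MDS_SYSFS" ]; then
        echo "no MDS status file: kernel predates the MDS patches" >&2
        return 2
    fi
    status=$(cat "$MDS_SYSFS")
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null)
    if microcode_has_md_clear "$flags"; then ucode="md_clear present"; else ucode="md_clear absent"; fi
    printf '%s -> %s (%s)\n' "$status" "$(mds_verdict "$status")" "$ucode"
}
```

Run `mds_check_live` on a host to see the kernel's own status string alongside the verdict; a "partial" result on a bare-metal host means the VERW flush is active but SMT still exposes sibling-thread data.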

Patches are also available for NetBSD, FreeBSD, ChromeOS, Windows, and macOS (no fixes for OpenBSD yet).

