Intel has revealed new flaws pervading many of its Xeon products.
The new problem is called Microarchitectural Data Sampling (MDS) and, as Intel describes on its advisory page, it “may allow information disclosure.”
Intel’s rated this a medium threat and a “potential vulnerability”, but nonetheless plans to issue fixes for many of its Xeon CPUs. The company’s listed [PDF] those products and released code to GitHub for some OS updates.
The attack is scary.
Microsoft’s guidance has the most graphic description of the potential effects, as follows.
In environments in which resources are shared, such as virtualization hosts, an attacker who can run arbitrary code on one virtual machine may be able to access information from another virtual machine or from the virtualization host itself.
Server workloads such as Windows Server Remote Desktop Services (RDS) and more dedicated roles such as Active Directory domain controllers are also at risk. Attackers who can run arbitrary code (regardless of its level of privilege) may be able to access operating system or workload secrets such as encryption keys, passwords, and other sensitive data.
Windows client operating systems are also at risk, especially if they run untrusted code, leverage Virtualization Based Security features like Windows Defender Credential Guard, or use Hyper-V to run virtual machines.
VMware’s advisory, which explains its impact on virtualised machines, says MDS “may allow a malicious user who can locally execute code on a system to infer data otherwise protected by architectural mechanisms.”
Researchers who discovered the flaws independently of Intel's efforts have labelled the attack "Zombieload" and posted a demo in which "an attacker can monitor the websites the victim is visiting despite using the privacy-protecting Tor browser in a virtual machine."
That data can be inferred, rather than read outright, is the reason the flaws scored a 6.5 rating on the ten-point CVSS bug-rating scale, rather than a higher score indicating greater risk.
But the relatively mild nature of the bug, and the fact that it was found by Intel staff, doesn’t make this good news for the silicon titan. That’s because 2018’s Meltdown and Spectre bugs remain fresh in many users’ memories. Those flaws created greater risk and lots of unwelcome work.
A similar round of patching and testing is now required.
Four flaws and what to do
MDS is actually four flaws in one. If you want to read more, here are their CVE numbers and titles:
- CVE-2018-11091 – “Microarchitectural Data Sampling Uncacheable Memory (MDSUM)”
- CVE-2018-12126 – “Microarchitectural Store Buffer Data Sampling (MSBDS)” - known as "Fallout"
- CVE-2018-12127 – “Microarchitectural Fill Buffer Data Sampling (MFBDS)”
- CVE-2018-12130 – “Microarchitectural Load Port Data Sampling (MLPDS)” - known as RIDL
RIDL and Fallout are explained by researchers who discovered them here.
As for what to do, the answer is simple: search the PDF above for affected CPUs and, if you run one, prepare to do two things:
- Patch your operating systems
- Apply a microcode patch from Intel
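On a Linux host, the kernel's own MDS status report shows which of the two steps is still outstanding. The script below is an added example, not code from Intel or from the original article; it assumes a Linux kernel that exposes `/sys/devices/system/cpu/vulnerabilities/mds`, and the verdict labels (`need_microcode`, `smt_exposed` and so on) are names chosen here.

```shell
#!/bin/sh
# Added example, not Intel's or any vendor's tool.
# Assumption: Linux kernel with MDS reporting in sysfs.
MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# classify_mds STATUS: print "<mitigation> <smt>" for one status string.
classify_mds() {
    case $1 in
        "Not affected"*) mit=not_affected ;;
        "Mitigation: Clear CPU buffers"*) mit=mitigated ;;
        # Kernel is patched but the CPU lacks the new microcode.
        "Vulnerable: Clear CPU buffers attempted, no microcode"*) mit=need_microcode ;;
        # Affected CPU with the kernel mitigation not active.
        "Vulnerable"*) mit=unmitigated ;;
        *) mit=unknown ;;
    esac
    # The kernel reports SMT (hyperthreading) state as a separate field.
    case $1 in
        *"SMT vulnerable"*) smt=smt_exposed ;;
        *"SMT mitigated"*) smt=smt_mitigated ;;
        *"SMT disabled"*) smt=smt_off ;;
        *"SMT Host state unknown"*) smt=smt_unknown ;;
        *) smt=smt_na ;;
    esac
    printf '%s %s\n' "$mit" "$smt"
}

# check_host [FILE]: classify this machine (FILE overrides the sysfs path).
check_host() {
    f=${1:-$MDS_SYSFS}
    if [ ! -r "$f" ]; then
        # No entry: the kernel predates the MDS update, or this is not Linux.
        echo "no_report smt_na"
        return 0
    fi
    classify_mds "$(cat "$f")"
}

# Constructed sample strings in the kernel's documented format.
for s in "Mitigation: Clear CPU buffers; SMT vulnerable" \
         "Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled"; do
    printf '%-70s -> %s\n' "$s" "$(classify_mds "$s")"
done
printf 'this host -> %s\n' "$(check_host)"
```

A `need_microcode` verdict means the operating system patch is in place but the Intel microcode update has not been loaded; `no_report` means the kernel itself still needs updating.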
If there's any upside to this one, it's that news of this flaw didn't leak as happened with Spectre and Meltdown. That the flaws were found by Intel staff, with help from Microsoft, also suggests the company's efforts to improve security assessments are working.
Which is welcome news even if the need for a new round of patching is decidedly not!