Security researchers have discovered a flaw in Intel’s new Xeon Cascade Lake family of chips that could be used to steal sensitive data directly from the processor.
To combat the attack, Intel released microcode updates on 12 November to address the issue, which stems from a new variant of Zombieload. The new Zombieload flaw, which Intel calls Transactional Asynchronous Abort (TAA), can enable hackers with physical access to a device the ability to read sensitive data stored in the processor.
Intel has confirmed that its new chips are vulnerable to the newest Zombieload flaw.
“The TAA mitigation provides the ability to clear stale data from microarchitectural structures through use of a VERW instruction on processors that already have hardware-based mitigations for MDS [microarchitectural data sampling],” said Jerry Bryant, director of security communication for Intel’s Platform Assurance and Security Group, in a security update blog post Tuesday.
“It also provides system software the means to disable [TAA] for customers who do not use this functionality. We believe that the mitigations for TAA and MDS substantively reduce the potential attack surface,” said Bryant. “Shortly before this disclosure, however, we confirmed the possibility that some amount of data could still be inferred through a side-channel using these techniques [for TAA, only if TSX is enabled] and will be addressed in future microcode updates.”
The new variant of Zombieload is closely related to an MDS attack, which targets components used for fast reads/writes of information processed inside the CPU like the load, store and line fill buffers. It can be triggered in PCs, laptops and virtual machines, meaning that the cloud is vulnerable as well.
Nearly every computer dating back to 2011 with an Intel chip is affected by Zombieload, according to Intel. Researchers said other vulnerabilities in the same family of Zombieload, such as Fallout, do not work on Intel’s Cascade Lake.
In addition, researchers said flaws like Zombieload could be exploited to see which websites a person is visiting in real time. The vulnerability could also be repurposed to obtain passwords or access tokens for a victim's online accounts.