Zombieload and company: researcher discovered new class of vulnerabilities in Intel processors

Combined group of scientists and IS-experts discovered new class of vulnerabilities in Intel processors, which, similarly to Meltdown, Spectre and Foreshadow, allow distracting data that is processed inside the chips.

As in previous cases, new attacks are based on Microarchitectural Data Sampling (MDS) and use advantages of speculative execution mechanism that is realized in Intel processors for increasing data processing speed.

All attacks allow different scale of access to data that is stored in different inner buffers of CPU.

Problem was discovered by researchers at Graz University of Technology in Austria, KU Leuven University in Belgium and Dutch Amsterdam Free University.

They said it could allow hackers to steal sensitive data or provide the means to unscramble encrypted files.

“This could affect user-level secrets, such as browser history, website content, user keys, and passwords, or system-level secrets, such as disk encryption keys,” – researchers explained.

The problem is in application of analysis methods to data in microarchitectural structures by side channels, to which applications have no access. This is about such structures as Line Fill Buffer, Store Buffer and Load Port that CPU uses for quick i/o of processed data.

In total experts described four MDS-attacks that base on discovered vulnerabilities.

1. Zombieload (CVE-2018-12130) – restoration of Store Buffers content. Attack allows restoring browsing history and other data, organize information leakage from other OS’s applications, loud services and trusted execution environment.
2. Fallout (CVE-2018-12126) – restoration of Store Buffers content. Attack gives opportunity of reading data that was recently written by OS and OS’s memory layout for simplification of other attacks.
3. RIDL (CVE-2018-12127, CVE-2018-12130, CVE-2019-11091) – restoration of the contents of the ports of loading, buffers and non-cacheable memory. Attack allows organizing information leakage between isolated regions in Intel processors, as Store Buffer, Load Ports etc;
4. Store-To-Leak Forwarding – exploit optimization for the CPU for working with the storage buffer and can be used to bypass the mechanism of randomization of the kernel address space (KASLR), for state of OS monitoring and organization of leakage in combination with devices on the base of Spectre methods.

As write experts, vulnerable are all Intel processor models, released after 2011, including processors for PCs, laptops and cloud services. As noted, new processor models are not sensitive as are supplied with protection against speculative execution (Meltdown, Spectre etc).

Microsoft, Apple and Google have already released updates that fix problem. In Linux cores protection from MDS is added in updates 5.1.2, 5.0.16. 4.19.43, 4.14.119 and 4.9.170. Also presented correcting updates for RHEL, Ubuntu, NetBSD and FreeBSD.

Source: https://www.bbc.com