Security Microarchitectural Data Sampling (MDS) Speculative Execution Side Channel Vulnerability (Zombieload)

eva2000 · Jun 8, 2019

Redhat Enterprise Linux 7.7 beta comes with MDS/Zombieload mitigations - so will CentOS 7.7 eventually https://www.phoronix.com/scan.php?page=news_item&px=RHEL-7.7-Beta-Released

Arriving yesterday coincidentally on the Phoronix 15th birthday was the beta release of Red Hat Enterprise Linux 7.7

While Red Hat Enterprise Linux 8.0 has been under GA since early May, RHEL 7.7 is the latest continuation of RHEL7 as part of their ten-year lifecycle. The Red Hat Enterprise Linux 7.7 release will also mark the end of the "full support phase" for the RHEL7 lifecycle.

With the Red Hat Enterprise Linux 7.7 Beta there are mitigations in place for the Microarchitectural Data Sampling (MDS) / Zombieload vulnerabilities affecting Intel CPUs. Also on the CPU vulnerability front, Retpolines are now in place rather than IBRS as the default Spectre Variant Two mitigation to lower the performance overhead and also matches the behavior of RHEL 8.0.

The RHEL 7.7 Beta also includes updates to their network stack, access to Red Hat Insights as part of the RHEL subscription, and other changes. RHEL 7.7 also adds new Python 3 packages that were previously part of the Red Hat Software Collections.

More details on the Red Hat Enterprise Linux 7.7 Beta via the Red Hat Blog.
Click to expand...

eva2000 · Nov 15, 2019

Keep an eye out for more Linux Kernel updates to address a 2nd Zombieload MDS security variant Intel's Cascade Lake CPUs impacted by new Zombieload v2 attack | ZDNet

Zombieload V2

The Zombieload vulnerability disclosed earlier this year in May has a second variant that also works against more recent Intel processors, not just older ones, including Cascade Lake, Intel's latest line of high-end CPUs -- initially thought to have been unaffected.

Intel is releasing microcode (CPU firmware) updates today to address this new Zombieload attack variant, as part of its monthly Patch Tuesday -- known as the Intel Platform Update (IPU) process.

WHAT IS ZOMBIELOAD
Back in May, two teams of academics disclosed a new batch of vulnerabilities that impacted Intel CPUs. Collectively known as MDS attacks, these are security flaws in the same class as Meltdown, Spectre, and Foreshadow.

The attacks rely on taking advantage of the speculative execution process, which is an optimization technique that Intel added to its CPUs to improve data processing speeds and performance.

Vulnerabilities like Meltdown, Spectre, and Foreshadow, showed that the speculative execution process was riddled with security holes.

Disclosed in May, MDS attacks were just the latest line of vulnerabilities impacting speculative execution.

They were different from the original Meltdown, Spectre, and Foreshadow bugs disclosed in 2018 because they attacked different areas of a CPU's speculative execution process.

While Meltdown, Spectre, and Foreshadow attacked data stored inside the L1 cache, MDS attacks went after a CPU's microarchitectural data structures -- hence, the name of Microarchitectural Data Sampling (MDS) attacks. These microarchitectural data structures included the load, store, and line fill buffers, which the CPU uses for fast reads/writes of data being processed inside the CPU.

The original MDS attacks disclosed in May targeted store buffers (CVE-2018-12126 aka Fallout), load buffers (CVE-2018-12127), line fill buffers (CVE-2018-12130, aka the Zombieload attack, or RIDL), and uncacheable memory (CVE-2019-11091). At the time, Zombieload was deemed the most dangerous of all four MDS attacks because it could retrieve more information than the others.

MEET ZOMBIELOAD V2
But unbeknownst to the world, there was a fifth MDS attack at the time, which researchers kept secret because Intel had yet to release a patch.

Nicknamed Zombiload v2 (CVE-2019-11135), this is a variation of the Zombieload v1 vulnerability, but one that worked on Intel's newer line of CPUs, those which the company claimed had protections against speculative execution attacks baked in at the hardware level.

According to an updated version of the Zombieload academic paper that ZDNet received this week, the Zombieload v2 attack exploits the Intel Transactional Synchronization Extensions (TSX) Asynchronous Abort operation that occurs when an attacker uses malicious code to create a conflict between read operations inside a CPU.

This read conflict for TSX Asynchronous Abort (TAA) operations leaks data about what's being processed inside an Intel CPU.

"The main advantage of this approach is that it also works on machines with hardware fixes for Meltdown, which we verified on an i9-9900K and Xeon Gold 5218," the research team explained in the revised version of their whitepaper.

The only condition for a Zombieload v2 attack is that the targeted CPU supports the Intel TSX instruction-set extension, which the research team said is available by default in all Intel CPUs sold since 2013.

The first Intel CPU series to have featured TSX support was the Haswell platform. Everything that came after is affected. Intel's Cascade Lake, which the company released in April this year, was supposed to be the company's first product that featured protections against side-channel and speculative execution attacks at the hardware level.
Click to expand...

Log in / Register

Forums

Join the community today

Security Microarchitectural Data Sampling (MDS) Speculative Execution Side Channel Vulnerability (Zombieload)

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Join the community today

Security Microarchitectural Data Sampling (MDS) Speculative Execution Side Channel Vulnerability (Zombieload)

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.