MICROARCHITECTURE DATA SAMPLING

Priority: High

Executive Summary: Intel have publicly disclosed a set of side-channel vulnerabilities, known as microarchitecture data sampling (MDS), affecting Intel microprocessors. The four vulnerabilities are similar in nature to Spectre/Meltdown. The issue exists in Intel’s implementation of simultaneous multithreading, named Hyper-Threading. Hyper-Threading improves microprocessor performance by splitting a single physical processor core into two virtual cores called threads, which share the core’s available resources. Researchers discovered that they could break the isolation between the threads in order to read sensitive data, such as passwords and private keys, accessed by the other thread.

The four CVEs have been assigned the following names:

  • ZombieLoad (CVE-2018-12130)
  • RIDL (Rogue In-Flight Data Load) (CVE-2018-12127, CVE-2019-11091)
  • Fallout (CVE-2018-12126)

Proof-of-concept code has also been released for ZombieLoad on GitHub [5], meaning the vulnerability is likely to be exploited in the wild soon. Intel have released microcode updates for affected microprocessors to help protect systems from these attacks. However, many vendors have gone a step further by disabling Hyper-Threading by default altogether, as this is necessary, in combination with updates, to guarantee protection against exploitation. Disabling Hyper-Threading will lead to reduced performance, which has made other vendors hesitant to make this change. IT departments will need to investigate whether Hyper-Threading is disabled on specific devices and for specific software, and whether it should be manually enabled.

Detect: Whilst it is not possible to determine whether the vulnerabilities have been exploited on a device, various security solutions may be able to detect malware utilising the vulnerabilities during other stages of the activity.

Affected Products: Intel have published a list of affected products [6].

Prevent: Intel’s disclosure does not recommend disabling Hyper-Threading, instead recommending that available updates which mitigate the vulnerabilities are applied. However, the only guaranteed way of preventing exploitation of any of the vulnerabilities is to both disable Hyper-Threading on devices and apply updates from Intel and other vendors. Disabling Hyper-Threading will cause reduced performance, so a decision will need to be made over the trade-off between security and performance.

React: Due to the trade-off between security and performance, Security and IT departments will need to assess the situation and determine whether disabling Hyper-Threading is appropriate for them. If Hyper-Threading is not going to be disabled, IT departments should ensure that all updates addressing these vulnerabilities are applied immediately. The status of published microcode can be found alongside the affected products published by Intel [6].
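
Example check (added here, not taken from Intel or any vendor guidance): on Linux hosts, the two questions above, whether updates are applied and whether Hyper-Threading is off, can be answered from the kernel's own status files. The script assumes a kernel recent enough to expose both sysfs paths; the verdict wording and function names are this example's own.

```shell
#!/bin/sh
# Added example: report a Linux host's MDS posture from kernel sysfs files.
# Assumption: the kernel is new enough to expose both paths below.
MDS_FILE=/sys/devices/system/cpu/vulnerabilities/mds
SMT_FILE=/sys/devices/system/cpu/smt/control

# classify_mds "<mds status line>" "<smt control value>" -> one verdict line
classify_mds() {
    case $1 in
        "")               echo "UNKNOWN: kernel does not report MDS status"; return ;;
        "Not affected"*)  echo "OK: CPU not affected"; return ;;
        *"no microcode"*) echo "ACTION: kernel patched, microcode update missing"; return ;;
        "Mitigation:"*)   ;;  # updates applied, go on to the SMT check
        *)                echo "ACTION: no mitigation active"; return ;;
    esac
    case $2 in
        off|forceoff|notsupported)
            echo "OK: updates applied, SMT off" ;;
        on) echo "REVIEW: updates applied, SMT still on" ;;
        *)  echo "UNKNOWN: updates applied, SMT state '$2' not recognised" ;;
    esac
}

# Print the first line of a file, or nothing if it is absent or unreadable.
first_line() {
    if [ -r "$1" ]; then head -n 1 "$1"; fi
}

# Classify the machine this script runs on.
check_host() {
    classify_mds "$(first_line "$MDS_FILE")" "$(first_line "$SMT_FILE")"
}

# Constructed sample values (not captured from real hosts), one per verdict.
classify_mds "Mitigation: Clear CPU buffers; SMT vulnerable" "on"
classify_mds "Mitigation: Clear CPU buffers; SMT disabled" "off"
classify_mds "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable" "on"

# Live result for this host.
echo "$(uname -n): $(check_host)"
```

A REVIEW verdict marks the hosts where the security versus performance decision described above still has to be made.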

Sources:
[1] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html
[2] https://zombieloadattack.com/
[3] https://mdsattacks.com/
[4] https://www.theregister.co.uk/2019/05/14/intel_hyper_threading_mitigations/
[5] https://github.com/IAIK/ZombieLoad
[6] https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf