
Zombieload Saga - New Intel Architecture security flaws, worse than Spectre/Meltdown

rcmaehl

Source:
Wired
MDS Attacks
Bleeping Computer

 

Summary:

Intel and a coordinated supergroup of microarchitecture security researchers announced a new, serious form of hackable vulnerability in Intel's chips. All are capable of siphoning a stream of potentially sensitive data from a computer's CPU to an attacker.

Quotes/Excerpts:

Quote

More than a year has passed since security researchers revealed Meltdown and Spectre, a pair of flaws in the deep-seated, arcane features of millions of chips sold by Intel and AMD, putting practically every computer in the world at risk. Researchers warned that they weren't the end of the story, but the beginning...a new class of security vulnerability that would no doubt surface again and again. Some of those same researchers have uncovered yet another flaw in the deepest guts of Intel's...hardware. It can allow attackers to eavesdrop on virtually every bit of raw data that a victim's processor touches. Intel and a coordinated supergroup of microarchitecture security researchers are together announcing a new, serious form of hackable vulnerability in Intel's chips. It's four distinct attacks, in fact, though all of them use a similar technique, and all are capable of siphoning a stream of potentially sensitive data. The groups have named variants of the exploit techniques ZombieLoad, Fallout, and RIDL, or "Rogue In-Flight Data Load." Intel itself has more tamely labelled the new set of attacks "Microarchitectural Data Sampling," or MDS. Intel...asked all the researchers to keep their findings secret, until it could release fixes for the vulnerabilities. At the same time, the company has sought to downplay the severity of the bugs, according to the researchers...split into two groups working independently...each warn that the attacks represent a serious flaw in Intel's hardware that may require disabling some of its features, even beyond the company's patch. AMD and ARM chips don't appear to be vulnerable. Intel says that some models of chip it's released in the last month include a fix for the problem. Otherwise, all of Intel's chips that the researchers tested, going back as early as 2008, were affected. You can test if your system is affected with a tool the researchers published here.


My Thoughts:
It's that time again, all: architecture vulnerabilities! Batten down the hatches and apply your patches. While I haven't had time to read all of this, the fact that it's an architecture flaw means that only workarounds can be applied, since you can't change the silicon.



Oh no, this has been predicted!


/s

Source: https://linustechtips.com/main/profile/554361-lukesavenije/?status=230824&type=status Thanks @LukeSavenije

 

I hope these issues aren't going to turn out too big, or at least be able to be fixed with software (that doesn't lower the performance much), otherwise Intel will be somewhat screwed..

Or it turns out AMD also has these issues and it's evenly bad for both parties.

"We're all in this together, might as well be friends" Tom, Toonami.

 



This is more disconcerting:

 

https://support.apple.com/en-us/HT210107

 

Apparently this has already been patched in Mac OS 10.14.5 for Safari to prevent exploitation via JavaScript through a malicious website. The security flaw was already disclosed to Intel in September of 2018, which is why there already are fixes available.

 

You could still be vulnerable if you use unsigned software / harmful apps, this is what Apple has to say about this:

 

Quote

macOS Mojave 10.14.5 fixes this issue for Safari with no measurable performance impact. This update prevents exploitation of these vulnerabilities via JavaScript or as a result of navigating to a malicious website in Safari.

.......
 

Full mitigation requires using the Terminal app to enable an additional CPU instruction and disable hyper-threading processing technology. This capability is available for macOS Mojave, High Sierra, and Sierra in the latest security updates and may reduce performance by up to 40 percent, with the most impact on intensive computing tasks that are highly multithreaded. Learn how to enable full mitigation

YIKES. I don't know if I WANT to "mitigate" this vulnerability now. Way to go Intel. Apparently Hyperthreading is completely UNSAFE now.

 

I am sure the repercussions are the same for Intel based Windows machines, since the CPU and Hyperthreading seem to be at the core of this vulnerability. Would apply for all OS.

 

Glad I got a Ryzen CPU for my Desktop now!


Eh, I just tend to ignore these since I never put my computer into situations where these vulnerabilities could be exploited in the first place. I've already disabled the spectre and meltdown patches cause I don't want gimped performance.


25 minutes ago, maartendc said:

This is more disconcerting:

 

https://support.apple.com/en-us/HT210107

 

Apparently this has already been patched in Mac OS 10.14.5 for Safari to prevent exploitation via JavaScript through a malicious website. The security flaw was already disclosed to Intel in September of 2018, which is why there already are fixes available.

 

You could still be vulnerable if you use unsigned software / harmful apps, this is what Apple has to say about this:

 

YIKES. I don't know if I WANT to "mitigate" this vulnerability now. Way to go Intel. Apparently Hyperthreading is completely UNSAFE now.

 

I am sure the repercussions are the same for Intel based Windows machines, since the CPU and Hyperthreading seem to be at the core of this vulnerability. Would apply for all OS.

 

Glad I got a Ryzen CPU for my Desktop now!

We had to disable hyper-threading at work on our VM hosts to mitigate all the issues.

Sad because hyper threading has A LOT of benefit there...


Intel: Don't need to disable Hyperthreading if you don't even have it on most of your CPUs.

 



My Mac doesn’t get viruses, so I’m fine.


A few more security patches and Intel's latest lineup looks like the old AMD FX lineup.

 

Well, it HAS 8 cores and 16 threads...but since it has severe vulnerabilities it really just shares those resources, so it's 8c/8t.

 

 


1 hour ago, floofer said:

My Mac doesn’t get viruses, so I’m fine.

I understood that reference


There are no vulnerabilities and patches are dumb performance killers, this is valid only for the most sensitive of data in servers and whatnot.

It has no effect in userland.

In order for anyone to get your raw data from the CPU, they have to execute programs on your machine.... if anyone gets the rights to execute code on a machine they no longer need the vulnerability in the CPU to get your data, hence making all the patches so far pointless and performance destruction for no good reason.


9 minutes ago, yian88 said:

It has no effect in userland.

It does if malicious software is created to utilize these exploits. Even if it takes several years for these exploits to be utilized in an attack, if people don't install these patches, they're vulnerable. I always keep my software and drivers up to date for exactly this reason. Who knows what exploits have been discovered but remain unreported.


You know, Raja was recently talking shit expressing his concerns about his former employer and while I am nowhere near knowledgeable enough to emit any kind of value judgement on his concerns, as long as this shit keeps making the headlines AMD could really glue together chip dies crudely and it would still look better than this many critical vulnerabilities with seemingly no end in sight.


3 minutes ago, yian88 said:

There are no vulnerabilities and patches are dumb performance killers, this is valid only for the most sensitive of data in servers and whatnot.

It has no effect in userland.

In order for anyone to get your raw data from the CPU, they have to execute programs on your machine.... if anyone gets the rights to execute code on a machine they no longer need the vulnerability in the CPU to get your data, hence making all the patches so far pointless and performance destruction for no good reason.

Not quite true. This exploit works from completely unprivileged processes, including JavaScript in websites in certain situations, and can pull data from more sensitive places than the other attacks, including buffer information and info from various secure enclave type areas (based in the Intel CPU, unlike Apple's T2 chips).

Quote

pointing the victim to a webpage with malicious JavaScript can steal sensitive information on the system, like passwords and cryptographic keys.

 

It is true though, that the general user will get patched web browsers now (Safari) or soon (others) to mostly mitigate that attack vector as is currently understood.  However, it is an arms race of exploitation vs patching, and even "known safe" doesn't always stay that way.  A recent example of that is here:

https://www.bleepingcomputer.com/news/security/keyloggers-injected-in-web-trust-seal-supply-chain-attack/

 

One of the other interesting bits from the BC coverage of these exploits is that it

Quote

also impacts modern Intel processors, including those of the 9th generation, which include in-silicon mitigations for Meltdown.  This protection, however, "makes them more vulnerable to Fallout, compared to older generation hardware," say the developers of the attack.

This is the bleeping computer article I've quoted a couple times above.

https://www.bleepingcomputer.com/news/security/new-ridl-and-fallout-attacks-impact-all-modern-intel-cpus/

 

Lastly, it is also important to note that there is a LARGE underground set of malicious actors that always reverse engineer security fixes and turn them into working exploits for sale. The usual turnaround time for this is a day for simpler stuff, such as open source media platforms (Drupal, WordPress, etc.), and at most about a week for super complex issues (similar to this). So, you should definitely be patched and aware, even if you choose to not care about using the hyperthread-disabling "full fix".
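One practical way for a Linux admin to tell the partial ("patched") state from the "full fix" this post distinguishes, as an added example that is not from the thread or from Intel, Apple or Google: the kernel reports its MDS state as one line in sysfs, and this POSIX sh script classifies that line, treating microcode buffer clearing with SMT still enabled as only partial. The function names and the constructed sample lines are mine; the status strings follow the format documented in the kernel's MDS admin guide.

```shell
#!/bin/sh
# Added example: classify a Linux host's MDS (ZombieLoad/RIDL/Fallout)
# mitigation state from what the kernel reports in
#   /sys/devices/system/cpu/vulnerabilities/mds
# The documented line format is "<state>[; SMT <state>]", for example
#   "Mitigation: Clear CPU buffers; SMT vulnerable"
# The SMT half matters: buffer clearing (MD_CLEAR microcode) closes the leak
# across privilege transitions, but a sibling hyper-thread can still observe
# the buffers while SMT is on, which is why the "full" mitigation disables it.

# classify_mds STATUS_LINE -> prints one of:
#   not-affected | full | partial | unmitigated | unknown
classify_mds() {
  status=$1
  case $status in
    "Not affected")
      echo not-affected ;;
    "Mitigation: Clear CPU buffers; SMT disabled"|"Mitigation: Clear CPU buffers; SMT mitigated")
      # Microcode in use and no sibling thread can observe the buffers.
      echo full ;;
    "Mitigation: Clear CPU buffers"*)
      # Buffers are flushed on privilege transitions, but "SMT vulnerable" or
      # "SMT Host state unknown" means a co-scheduled thread is still a concern.
      echo partial ;;
    Vulnerable*)
      # Either mitigation turned off (mds=off) or microcode without MD_CLEAR.
      echo unmitigated ;;
    *)
      echo unknown ;;
  esac
}

# report_host [SYSFS_FILE]: read the live status (default is the real sysfs
# node) and return 0 only when the host is fully mitigated or not affected.
report_host() {
  file=${1:-/sys/devices/system/cpu/vulnerabilities/mds}
  if [ ! -r "$file" ]; then
    echo "mds status not exposed by this kernel (pre-MDS kernel or non-x86)"
    return 2
  fi
  line=$(cat "$file")
  verdict=$(classify_mds "$line")
  echo "$line -> $verdict"
  case $verdict in
    full|not-affected) return 0 ;;
    *) return 1 ;;
  esac
}

# sample_check STATUS_LINE: run report_host against a constructed status line
# written to a temp file, so the logic can be exercised off the real hardware.
sample_check() {
  tmp=$(mktemp)
  printf '%s\n' "$1" > "$tmp"
  report_host "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Stand-alone use: MDS_CHECK_RUN=1 sh mds_check.sh  (exit code 0 = fully mitigated)
if [ "${MDS_CHECK_RUN:-0}" = 1 ]; then
  report_host
fi
```

Running it on a host that only took the microcode update prints something like `Mitigation: Clear CPU buffers; SMT vulnerable -> partial` and exits non-zero, which is the state most desktops in this thread would be in after patching but before disabling hyper-threading.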


Pretty firm stance on this coming from Google today: 

 

https://support.google.com/faqs/answer/9330250 

Quote

Google has disabled Hyper-Threading by default on Chrome OS 74 and later. Chrome OS 75 will include additional mitigations.

 


What are the chances of this actually getting exploited on an everyday consumer machine???

 

I'm tired of hearing that my i7-8750H is a block of swiss cheese.


For now, the biggest threat is to server farms. You really do not want your VMs being able to talk to each other or to the hypervisor!! 

The browser-borne exploits would be pretty scary if there was a working example out in the wild. I'm hoping that we will see some client side detection and mitigation of code trying to use that hole even on clients that choose to leave it open. 


7 minutes ago, jake9000 said:

The browser-borne exploits would be pretty scary if there was a working example out in the wild. I'm hoping that we will see some client side detection and mitigation of code trying to use that hole even on clients that choose to leave it open. 

The exploit proofs of concept to do this are on github, so I'm sure it has already been weaponized and available for purchase on the dark web.


20 minutes ago, Techstorm970 said:

What are the chances of this actually getting exploited on an everyday consumer machine???

 

I'm tired of hearing that my i7-8750H is a block of swiss cheese. ?‍♂️

Fairly high until all the browsers put in mitigations and you get the microcode updates.  Once those both happen, reasonably low.


Edit: I've done some more reading on MDS since yesterday, and it now appears to me that all Intel CPUs are possibly affected. Intel says they are not, but researchers insist that they are. Out of an abundance of caution, I'm removing my earlier post.
 

Edited by melete


WOOO!!!

 

Zombieland Saga - Crossdream Life

 

BRING ON THE WAIFUS!!!
