
Intel, industry scramble to mitigate ZombieLoad side-channel processor vulnerability

Four new CVEs that combine to create a vulnerability called ZombieLoad affecting Intel processors were made public today, which if left unpatched could leave a computer open to a side-channel attack allowing someone to bypass protections to read memory.

The flaws, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091, impacted a number of companies, with Apple, Google, Microsoft and Amazon Web Services issuing updates. ZombieLoad, more formally known as microarchitectural data sampling (MDS), can leak a variety of information.

Intel posted today that the problems were first identified by the company’s internal researchers and partners, and were independently reported by external researchers. “MDS is a sub-class of previously disclosed speculative execution side channel vulnerabilities and is comprised of four related techniques,” the company said.

“Attacks exploiting these vulnerabilities could expose potentially sensitive data, from payment information to customer records, on nearly any computer, mobile device or cloud deployment,” said Denise Dumas, vice president, Operating System Platform at Red Hat.

According to Red Hat:

  • CVE-2018-12126 is a flaw that could lead to information disclosure from the processor store buffer.
  • CVE-2018-12127 is an exploit of the microprocessor load operations that can provide data to an attacker about CPU registers and operations in the CPU pipeline.
  • CVE-2018-12130 is the most serious of the three issues and involves the implementation of the microprocessor fill buffers and can expose data within that buffer.
  • CVE-2019-11091 is a flaw in the implementation of the "fill buffer," a mechanism used by modern CPUs when a cache-miss is made on L1 CPU cache.

All four CVEs can be addressed by applying updated CPU microcode and kernel patches and by disabling Hyper-Threading, although disabling the latter can reduce processor performance.
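On a Linux host, the kernel reports which of those three pieces (microcode, kernel mitigation, SMT/Hyper-Threading state) are actually in place through a sysfs file. The following check is an added example, not code from the article or from any vendor; it assumes a kernel recent enough to expose /sys/devices/system/cpu/vulnerabilities/mds and matches the status strings the kernel documents for that file.

```shell
#!/bin/sh
# Added example: classify the kernel's own MDS/ZombieLoad status report and
# map it back to the remediation step still missing (microcode, kernel
# patch, or disabling Hyper-Threading). Status strings are those documented
# by the Linux kernel for the mds sysfs file; everything else is unknown.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds
SMT_SYSFS=/sys/devices/system/cpu/smt/active

# classify_mds_status STATUS -> prints one of:
#   not_affected | vulnerable | no_microcode | smt_exposed | mitigated | unknown
classify_mds_status() {
    case "$1" in
        "Not affected")
            echo not_affected ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode")
            echo no_microcode ;;       # kernel patched, microcode missing
        Vulnerable*)
            echo vulnerable ;;         # neither kernel nor microcode fix
        "Mitigation: Clear CPU buffers; SMT disabled"|"Mitigation: Clear CPU buffers; SMT mitigated")
            echo mitigated ;;
        "Mitigation: Clear CPU buffers; SMT vulnerable"|"Mitigation: Clear CPU buffers; SMT Host state unknown")
            echo smt_exposed ;;        # buffers cleared, sibling thread still a risk
        *)
            echo unknown ;;
    esac
}

# remediation_advice CLASS -> prints the next step in plain words.
remediation_advice() {
    case "$1" in
        not_affected) echo "nothing to do" ;;
        no_microcode) echo "kernel patched; install the Intel microcode update" ;;
        vulnerable)   echo "apply the kernel patch and the microcode update" ;;
        smt_exposed)  echo "buffers cleared; disabling Hyper-Threading removes the remaining cross-thread exposure at a performance cost" ;;
        mitigated)    echo "fully mitigated" ;;
        *)            echo "unrecognised status; inspect manually" ;;
    esac
}

# Report on the running host when the sysfs file exists (skipped elsewhere).
if [ -r "$MDS_SYSFS" ]; then
    status=$(cat "$MDS_SYSFS")
    class=$(classify_mds_status "$status")
    smt=$(cat "$SMT_SYSFS" 2>/dev/null || echo "?")
    printf 'mds: %s\nclass: %s\nsmt active: %s\nnext step: %s\n' \
        "$status" "$class" "$smt" "$(remediation_advice "$class")"
fi
```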

Intel said that for products where MDS is not addressed in hardware, it is releasing processor microcode updates (MCUs) as part of its regular update process with OEMs, coupled with corresponding updates to operating system and hypervisor software. When these mitigations are enabled, Intel expects minimal performance impact for the majority of PC client application-based benchmarks.

Apple reported it has released security updates in macOS Mojave 10.14.5 to protect against speculative execution vulnerabilities in Intel CPUs, and that the issues addressed by these security updates do not affect Apple iOS devices or Apple Watch.

Google said it has taken steps to mitigate the problem in its product line, including search, YouTube, Google Ads products, Maps, Blogger and Android.

Microsoft rolled out its patches as part of its normal monthly Patch Tuesday release and added that it has no information on whether the vulnerabilities have been exploited in the wild.

AWS said it has designed and implemented its infrastructure with protections against these types of bugs, and has also deployed additional protections for MDS. All EC2 host infrastructure has been updated with these new protections, and no customer action is required at the infrastructure level.

“This bug is new but it is similar to Spectre and Meltdown because the bug can be used to leak data from one security context to another via the CPU. This means the risk is to systems running code from different users. This is typical in cloud environments where multiple customers share the same CPU but another case is browsers running untrusted JavaScript. A malicious website could compromise private data on a system that renders a page with malicious JavaScript,” said Chris Wysopal, Veracode’s CTO.
