
Intel's Cascade Lake CPUs impacted by new Zombieload v2 attack


steven36


Zombieload v2 impacts Intel CPUs released since 2013, if they support the Intel TSX instruction set.

 


 

The Zombieload vulnerability disclosed earlier this year in May has a second variant that also works against more recent Intel processors, not just older ones, including Cascade Lake, Intel's latest line of high-end CPUs -- initially thought to have been unaffected.

 

Intel is releasing microcode (CPU firmware) updates today to address this new Zombieload attack variant, as part of its monthly Patch Tuesday -- known as the Intel Platform Update (IPU) process.

What is Zombieload

Back in May, two teams of academics disclosed a new batch of vulnerabilities that impacted Intel CPUs. Collectively known as MDS attacks, these are security flaws in the same class as Meltdown, Spectre, and Foreshadow.

 

The attacks rely on taking advantage of the speculative execution process, which is an optimization technique that Intel added to its CPUs to improve data processing speeds and performance.

 

Vulnerabilities like Meltdown, Spectre, and Foreshadow, showed that the speculative execution process was riddled with security holes.

 

Disclosed in May, MDS attacks were just the latest line of vulnerabilities impacting speculative execution.

 

They were different from the original Meltdown, Spectre, and Foreshadow bugs disclosed in 2018 because they attacked different areas of a CPU's speculative execution process.

 

 

While Meltdown, Spectre, and Foreshadow attacked data stored inside the L1 cache, MDS attacks went after a CPU's microarchitectural data structures -- hence, the name of Microarchitectural Data Sampling (MDS) attacks. These microarchitectural data structures included the load, store, and line fill buffers, which the CPU uses for fast reads/writes of data being processed inside the CPU.

 

The original MDS attacks disclosed in May targeted store buffers (CVE-2018-12126 aka Fallout), load buffers (CVE-2018-12127), line fill buffers (CVE-2018-12130, aka the Zombieload attack, or RIDL), and uncacheable memory (CVE-2019-11091). At the time, Zombieload was deemed the most dangerous of all four MDS attacks because it could retrieve more information than the others.

Meet Zombieload v2

But unbeknownst to the world, there was a fifth MDS attack at the time, which researchers kept secret because Intel had yet to release a patch.

 

Nicknamed Zombieload v2 (CVE-2019-11135), this is a variation of the Zombieload v1 vulnerability, but one that worked on Intel's newer line of CPUs, those which the company claimed had protections against speculative execution attacks baked in at the hardware level.

 

According to an updated version of the Zombieload academic paper that ZDNet received this week, the Zombieload v2 attack exploits the Intel Transactional Synchronization Extensions (TSX) Asynchronous Abort operation that occurs when an attacker uses malicious code to create a conflict between read operations inside a CPU.

 

This read conflict for TSX Asynchronous Abort (TAA) operations leaks data about what's being processed inside an Intel CPU.

 

"The main advantage of this approach is that it also works on machines with hardware fixes for Meltdown, which we verified on an i9-9900K and Xeon Gold 5218," the research team explained in the revised version of their whitepaper.

 

The only condition for a Zombieload v2 attack is that the targeted CPU supports the Intel TSX instruction-set extension, which the research team said is available by default in all Intel CPUs sold since 2013.

 

The first Intel CPU series to have featured TSX support was the Haswell platform. Everything that came after is affected. Intel's Cascade Lake, which the company released in April this year, was supposed to be the company's first product that featured protections against side-channel and speculative execution attacks at the hardware level.

Intel's response

In an email to ZDNet, an Intel spokesperson wanted customers to know that microcode updates will be made available for Zombieload v2 on the company's website.

 

Furthermore, the company added that the Zombieload v2 vulnerability (which Intel tracks as the "TAA attack" in its own documentation) is not as dangerous as it sounds.

 

While all the MDS attacks can allow attackers to run malicious code against an Intel CPU, attackers can't control what data they can target and extract.

 

MDS attacks, while very much possible, are inefficient when compared to other means of stealing data from a target, an opinion that other security experts have also expressed in the past.

 

However, the fact that day-to-day malware gangs won't bother exploiting something as complex as an MDS attack, or Zombieload v2, doesn't mean the vulnerabilities should be ignored.

 

Applying these microcode updates should be a priority for everyone who manages critical infrastructure or cloud data centers.

 

If users don't want to update and deal with a potential performance dip due to yet another patch for speculative execution attacks, Intel also recommends disabling the CPU's TSX support, if not used.

More bad news

But bad news never comes alone. The same research team who found Zombieload v1 and v2, also found an issue with Intel's original patches for the four MDS attacks disclosed in May.

 

The VERW instruction set, which Intel claimed could be used to protect apps against MDS attacks that may attempt to extract data while being processed in the CPU, was incomplete and could be circumvented, the research team said.

 

When we asked Intel about this issue, the CPU chipmaker acknowledged the problem and claimed that the VERW instruction set, along with the other MDS attack protections were meant to reduce the attack surface and make exploitation harder for attackers, and not as a complete patch for MDS attacks.

 

A version of the revised Zombieload whitepaper will be made available on the Zombieload website later today. The research team will be presenting their revised findings tomorrow at the ACM CCS conference in London.

 

Source


Ubuntu updates to mitigate latest Intel hardware vulnerabilities

 


 

Today, Intel announced a group of new vulnerabilities affecting various Intel CPUs and associated GPUs, known as TSX Asynchronous Abort (CVE-2019-11135), Intel® Processor Machine Check Error (CVE-2018-12207), and two Intel i915 graphics hardware vulnerabilities (CVE-2019-0155, CVE-2019-0154).

 

TSX Asynchronous Abort (TAA) is related to the previously announced MDS vulnerabilities but only affects Intel processors that support Intel® Transactional Synchronization Extensions (TSX). Due to the similarity between this issue and MDS, the mitigations for MDS are sufficient to also mitigate TAA. As such, processors which were previously affected by MDS and which have the MDS microarchitectural buffer clearing mitigations employed are not affected by TAA. For newer processors which were not affected by MDS, but which support Intel® TSX, TAA is mitigated in Ubuntu by a combination of an updated Linux kernel and Intel microcode packages which disable Intel® TSX. Where TSX is required, this can be re-enabled via a kernel command-line option (tsx=on) and in this case, the kernel will automatically employ microarchitectural buffer clearing mechanisms as used for MDS to mitigate TAA.

 

Intel® Processor Machine Check Error (MCEPSC, also called iTLB multihit) is a vulnerability specific to virtualisation, where a virtual machine can cause a denial of service (system hang) to the host processor when hugepages are employed. This is mitigated in Ubuntu with an updated Linux kernel.

 

The first of the two Intel i915 graphics processor vulnerabilities (CVE-2019-0155) allows an unprivileged user to elevate their privileges on the system and expose sensitive information from the kernel. The second vulnerability (CVE-2019-0154) allows an unprivileged user to cause a denial of service (system hang) by reading from particular memory regions when in certain low power states. Mitigations for these two issues in Ubuntu are provided through a combination of firmware and kernel driver updates for these GPUs.

 

For further details, including the specific package versions which mitigate these vulnerabilities for each Ubuntu release, please consult this article within the Ubuntu Security Knowledge Base.

 

Source

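Both posts above come down to the same two questions for anyone who runs Linux hosts: does this CPU expose TSX at all (the one precondition the article gives for Zombieload v2), and has the kernel plus microcode combination Ubuntu describes actually landed, with or without the tsx=on boot option? The kernel reports its own answer in /sys/devices/system/cpu/vulnerabilities/tsx_async_abort, and the loaded microcode revision and the tsx= setting are in /proc/cpuinfo and /proc/cmdline. The script below is an added example, not code from ZDNet, Intel, Ubuntu or the Zombieload researchers: it reads those three sources and turns them into a verdict. The sample cpuinfo, command line, microcode revision (0xca) and status strings are constructed stand-ins that follow the kernel's format, used only when the real files are missing; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the page, Intel, Ubuntu or the Zombieload authors):
# a read-only audit of a Linux host's TAA (CVE-2019-11135) posture, using the
# kernel's sysfs vulnerability report, the cpuinfo flags and the boot command
# line. Everything here only reads state; it changes nothing on the system.

# Constructed sample inputs (not captured from a real machine), in the format
# /proc/cpuinfo, /proc/cmdline and the sysfs file use. Used when the real
# files are absent, so the script also runs on a non-Linux box.
SAMPLE_CPUINFO="processor : 0
vendor_id : GenuineIntel
model name : Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz
microcode : 0xca
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov hle rtm avx2"
SAMPLE_CMDLINE="BOOT_IMAGE=/boot/vmlinuz-5.3.0 root=/dev/sda1 ro quiet tsx=on"
SAMPLE_TAA="Mitigation: Clear CPU buffers; SMT vulnerable"

# cpu_flags CPUINFO_TEXT: print the space-separated flag list of the first CPU.
cpu_flags() {
    printf '%s\n' "$1" | awk -F: '/^flags/ { print $2; exit }'
}

# microcode_revision CPUINFO_TEXT: print the loaded microcode revision (the
# value a vendor's update should raise), or nothing if the line is missing.
microcode_revision() {
    printf '%s\n' "$1" | awk -F: '/^microcode/ { gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

# cpu_supports_tsx FLAGS: succeed if the CPU advertises TSX (hle or rtm),
# the one precondition the article gives for Zombieload v2 / TAA.
cpu_supports_tsx() {
    case " $1 " in
        *" rtm "*|*" hle "*) return 0 ;;
        *) return 1 ;;
    esac
}

# tsx_cmdline_setting CMDLINE: print the value of a tsx= boot parameter
# (on, off or auto), or "unset" when the kernel default applies.
tsx_cmdline_setting() {
    setting=unset
    for tok in $1; do
        case "$tok" in
            tsx=*) setting="${tok#tsx=}" ;;
        esac
    done
    printf '%s\n' "$setting"
}

# taa_verdict STATUS: classify the text of
# /sys/devices/system/cpu/vulnerabilities/tsx_async_abort into one word.
taa_verdict() {
    case "$1" in
        "Not affected"*)                  printf 'not-affected\n' ;;
        "Mitigation:"*"SMT vulnerable"*)  printf 'mitigated-smt-exposed\n' ;;
        "Mitigation:"*)                   printf 'mitigated\n' ;;
        "Vulnerable"*)                    printf 'vulnerable\n' ;;
        *)                                printf 'unknown\n' ;;
    esac
}

# recommend CPUINFO_TEXT CMDLINE STATUS: print the action for the host owner.
recommend() {
    if ! cpu_supports_tsx "$(cpu_flags "$1")"; then
        printf 'no-tsx: this CPU does not expose TSX, so TAA does not apply\n'
        return 0
    fi
    case "$(taa_verdict "$3")" in
        not-affected)
            printf 'ok: kernel reports not affected\n' ;;
        mitigated)
            printf 'ok: mitigated (tsx=%s)\n' "$(tsx_cmdline_setting "$2")" ;;
        mitigated-smt-exposed)
            printf 'review: buffers are cleared, but a sibling hyperthread can still sample them; consider tsx=off or disabling SMT\n' ;;
        vulnerable)
            printf 'act: install the microcode and kernel updates, or boot with tsx=off\n' ;;
        *)
            printf 'unknown: this kernel does not report TAA status; update it first\n' ;;
    esac
}

# audit_host: read the live files when present, else fall back to the samples.
audit_host() {
    cpuinfo=$SAMPLE_CPUINFO; cmdline=$SAMPLE_CMDLINE; status=$SAMPLE_TAA
    [ -r /proc/cpuinfo ] && cpuinfo=$(cat /proc/cpuinfo)
    [ -r /proc/cmdline ] && cmdline=$(cat /proc/cmdline)
    [ -r /sys/devices/system/cpu/vulnerabilities/tsx_async_abort ] &&
        status=$(cat /sys/devices/system/cpu/vulnerabilities/tsx_async_abort)
    printf 'microcode revision: %s\n' "$(microcode_revision "$cpuinfo")"
    printf 'tsx_async_abort: %s\n' "$status"
    recommend "$cpuinfo" "$cmdline" "$status"
}

audit_host
```

Run it as an ordinary user on each host; no root is needed because all three sources are world-readable. The "review" verdict is the one worth watching on Ubuntu machines that were re-enabled with tsx=on: the kernel then falls back to the MDS-style buffer clearing the Ubuntu post describes, which is what the "SMT vulnerable" suffix is reporting, and the fix is either tsx=off or turning off hyperthreading, not another microcode package.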


I read all that first post above, then clicked the "INTEL platform update (IPU) process" link which took me to a page basically with an INTEL security guy crowing that they found 67 of the 77 vulnerabilities themselves...Whoopee doo!!

Then he tells you to go over to https://blogs.intel.com/technology/2019/11/ipas-november-2019-intel-platform-update-ipu/ for further information...but clicking on that link takes you back to the same page with the video of this nervous guy!!

And then the killer Pontius Pilate line: "We recommend you check with your system manufacturers and operating system vendors to determine how to obtain these updates."

This is like bad deja vu...back in May when the previous vulnerabilities were acknowledged I had to go through pages of Microsoft and INTEL bumf trying to get a straight answer to when and where were the INTEL microcode updates? They don't make it easy for you after you spend your money on their product.

 

"In an email to ZDNet, an Intel spokesperson wanted customers to know that microcode updates will be made available for Zombieload v2 on the company's website." I tried www.INTEL...it only contains propaganda: "Buy our wonderful product...but don't come back looking for microcode updates". As soon as I read the main post above I knew it was gonna be the same old story.."we're going to blah blah blah....."

Can you tell I'm rather annoyed?

12th November: visited the site of MSI (the manufacturer of my motherboard etc)...total waste of time. Searched for ages, going round in circles to the same pages and all they have is Aug microcode updates.

Tried INTEL again...you just go back to their salesman pitch and why they are so wonderful (see 3rd screenshot).🥵🥵🥵

It says "Currently there are no downloads available for microcode updates November 2019".🥵🥵🥵



14 hours ago, funkyy said:

This is like bad deja vu...back in May when the previous vulnerabilities were acknowledged I had to go through pages of Microsoft and INTEL bumf trying to get a straight answer to when and where were the INTEL microcode updates? They don't make it easy for you after you spend your money on their product.

Meanwhile on Ubuntu Linux i done got both updates already, the microcode updates yesterday and Linux Kernel updates today. ;)



2 hours ago, steven36 said:

Meanwhile on Ubuntu Linux i done got both updates already, the microcode updates yesterday and Linux Kernel updates today. ;)

Ubuntu and other Debian-based distros are often very fast in patching vulnerabilities in the system.

 



20th Nov 2019: and after all that gnashing of teeth and wasted time...my INTEL CPU is not on the list of affected products on INTEL's official site list!!


