MDS: new class of vulnerabilities impacting all modern Intel CPUs

Started by JeGX, May 14, 2019, 09:03:19 PM


JeGX

Quote
A new class of side channel vulnerabilities impacting all modern Intel chips has been disclosed, which can use speculative execution to potentially leak sensitive data from a system's CPU.

Intel said that the newest class of vulnerabilities, dubbed Microarchitectural Data Sampling (MDS), consists of four different attacks, which all ultimately depend on different ways of executing side channel attacks to siphon data from impacted systems.

...

The four different attack vectors are dubbed ZombieLoad, Fallout, RIDL (Rogue In-Flight Data Load) and Store-to-Leak Forwarding.

...

Intel said that the new MDS class of flaws is addressed in hardware starting with select 8th and 9th Generation Intel Core processors, as well as the 2nd Generation Intel Xeon Scalable processor family. Future chips will also have integrated fixes.

Source: Intel CPUs Impacted By New Class of Spectre-Like Attacks


CVEs assigned for MDS vulnerabilities
Quote
- CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS) - CVSS score 6.5: Medium, exploited by Fallout attack
- CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS) - CVSS score 6.5: Medium, exploited by RIDL attack
- CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVSS score 6.5: Medium, exploited by RIDL attack
- CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM) - CVSS score 3.8: Low, exploited by RIDL attack

Source: New RIDL and Fallout Attacks Impact All Modern Intel CPUs

JeGX

Quote
Like Meltdown and Spectre, the new MDS attack takes advantage of security flaws in how Intel's chips perform speculative execution, a feature in which a processor guesses at what operations and data it will be asked to execute or access ahead of time to speed up the chip's performance.

In these new cases, researchers found that they could use speculative execution to trick Intel's processors into grabbing sensitive data that's moving from one component of a chip to another. Unlike Meltdown, which used speculative execution to grab sensitive data sitting in memory, MDS attacks focus on the buffers that sit between a chip's components, such as between a processor and its cache, the small portion of memory allotted to the processor to keep frequently accessed data close at hand.

Source: https://www.wired.com/story/intel-mds-attack-speculative-execution-buffer/



RIDL and Fallout: MDS attacks
Quote
The RIDL and Fallout speculative execution attacks allow attackers to leak confidential data across arbitrary security boundaries on a victim system, for instance compromising data held in the cloud or leaking your information to malicious websites. Our attacks leak data by exploiting the newly disclosed Microarchitectural Data Sampling (or MDS) side-channel vulnerabilities in Intel CPUs. Unlike existing attacks, our attacks can leak arbitrary in-flight data from CPU-internal buffers (Line Fill Buffers, Load Ports, Store Buffers), including data never stored in CPU caches. We show that existing defenses against speculative execution attacks are inadequate, and in some cases actually make things worse. Attackers can use our attacks to obtain sensitive data despite mitigations, due to vulnerabilities deep inside Intel CPUs.

Link: https://mdsattacks.com

RIDL whitepaper: https://mdsattacks.com/files/ridl.pdf

Fallout whitepaper: https://mdsattacks.com/files/fallout.pdf


Disabling Hyper-Threading below 8th, 9th Gen CPUs can protect:
Quote
Intel in its white paper detailing the vulnerability admitted that disabling HT might be warranted as a protection against MDS attacks - and you can imagine how much the company must have loathed to publish such a thing.

source: https://www.techpowerup.com/255508/yet-another-speculative-malfunction-intel-reveals-new-side-channel-attack-advises-disabling-hyper-threading-below-8th-9th-gen-cpus
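The posts above list which parts are fixed in silicon, which need the microcode plus kernel buffer-clearing mitigation, and when disabling Hyper-Threading is warranted. The script below is an added example (not from the thread, from Intel or from the kernel project) that turns that into a check on a Linux box: it reads the kernel's MDS report from sysfs, looks for the md_clear CPU flag that the updated microcode advertises, and says whether sibling hyperthreads still share the leaky buffers. It assumes a kernel with the MDS sysfs entry (5.1 or a distro backport of the May 2019 patches); the status strings matched are the kernel's own, while the one-word verdict labels and the function names are this script's invention.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's MDS mitigation report.
# Not part of the forum post or of any vendor tooling.
# Assumes the sysfs paths below exist (kernel 5.1+ or a backport);
# verdict labels (not_affected, mitigated, ...) are invented here.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds
SMT_SYSFS=/sys/devices/system/cpu/smt/control

# classify_mds "<status line>" -> one word:
#   not_affected  hardware fix (the 8th/9th Gen and 2nd Gen Xeon Scalable parts named
#                 above) or a CPU the kernel does not consider affected
#   mitigated     VERW buffer clearing active and SMT off (or "SMT mitigated",
#                 which the kernel reports for parts affected by MSBDS only)
#   smt_exposed   buffer clearing active, but sibling hyperthreads still share the
#                 fill buffers / load ports / store buffers, so HT is the gap
#   guest         mitigation active inside a VM; the host's SMT state is invisible
#   vulnerable    no mitigation, or clearing attempted without the microcode that
#                 makes VERW actually flush the buffers
classify_mds() {
    case "$1" in
        "Not affected"*)                                          echo not_affected ;;
        "Mitigation: Clear CPU buffers; SMT Host state unknown"*) echo guest ;;
        "Mitigation: Clear CPU buffers; SMT disabled"*)           echo mitigated ;;
        "Mitigation: Clear CPU buffers; SMT mitigated"*)          echo mitigated ;;
        "Mitigation: Clear CPU buffers; SMT vulnerable"*)         echo smt_exposed ;;
        "Vulnerable"*)                                            echo vulnerable ;;
        *)                                                        echo unknown ;;
    esac
}

# has_md_clear "<flags line from /proc/cpuinfo>" -> exit 0 if the md_clear
# feature (microcode-provided buffer flush on VERW) is advertised, 1 otherwise.
has_md_clear() {
    case " $1 " in
        *" md_clear "*) return 0 ;;
        *)              return 1 ;;
    esac
}

# mds_report: read the live values, print them with a verdict and the next step.
# Returns 2 when the kernel does not expose the MDS entry (too old, or not Linux).
mds_report() {
    if [ ! -r "$MDS_SYSFS" ]; then
        echo "no $MDS_SYSFS: kernel too old for MDS reporting, or not Linux"
        return 2
    fi
    status=$(cat "$MDS_SYSFS")
    if [ -r "$SMT_SYSFS" ]; then smt=$(cat "$SMT_SYSFS"); else smt=unknown; fi
    flags=$(awk '/^flags/ { print; exit }' /proc/cpuinfo 2>/dev/null)
    if has_md_clear "$flags"; then mdclear=yes; else mdclear=no; fi
    verdict=$(classify_mds "$status")
    printf 'mds: %s\nsmt control: %s\nmd_clear in cpuinfo: %s\nverdict: %s\n' \
        "$status" "$smt" "$mdclear" "$verdict"
    case "$verdict" in
        smt_exposed)
            echo "to close the cross-thread channel: echo off > $SMT_SYSFS (or boot with mds=full,nosmt)" ;;
        vulnerable)
            echo "update microcode (md_clear) and kernel, then re-check" ;;
    esac
}

mds_report
```

Writing `off` to `/sys/devices/system/cpu/smt/control` offlines the sibling threads at runtime; `mds=full,nosmt` on the kernel command line does the same at boot. On a "not_affected" part (hardware fix) or with "SMT disabled" there is nothing further to do for MDS specifically; the `guest` verdict means the decision sits with the hypervisor operator, since a VM cannot see whether the host scheduler pairs it with another tenant on a sibling thread.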