WHAT IS ZOMBIELOAD
Back in May, several teams of academics disclosed a new batch of vulnerabilities affecting Intel CPUs. Collectively known as MDS attacks, they belong to the same class of transient-execution flaws as Meltdown, Spectre, and Foreshadow.
The attacks abuse speculative execution, an optimization technique that Intel (like other CPU vendors) uses to keep the pipeline busy: the CPU executes instructions before it knows whether their results will be needed, and discards the results if they are not.
Meltdown, Spectre, and Foreshadow showed that this speculative machinery leaks data across the boundaries the architecture is supposed to enforce, because the discarded work still leaves traces in shared structures such as the cache.
Disclosed in May, MDS attacks were just the latest line of vulnerabilities impacting speculative execution.
They differed from the original Meltdown, Spectre, and Foreshadow bugs disclosed in 2018 because they attacked different parts of the CPU's speculative execution machinery.
Whereas Meltdown and Foreshadow leaked data held in the L1 data cache (Spectre instead abuses branch prediction), MDS attacks go after smaller microarchitectural buffers inside the core, hence the name Microarchitectural Data Sampling (MDS).
These structures include the store buffer, the load ports, and the line fill buffers, which the CPU uses to stage data as it moves between the execution units, the caches and memory.
The original MDS attacks disclosed in May targeted the store buffer (CVE-2018-12126, aka Fallout), the load ports (CVE-2018-12127), the line fill buffers (CVE-2018-12130, aka the ZombieLoad attack, or RIDL), and uncacheable memory (CVE-2019-11091). At the time, ZombieLoad was deemed the most dangerous of the four MDS attacks because it could retrieve more
The new variant (v2) of the data-leaking side-channel vulnerability also affects Intel's most recent CPUs, including the latest Cascade Lake parts, which are otherwise resistant to Meltdown, Foreshadow and the other MDS variants (RIDL and Fallout).
Initially disclosed in May this year, ZombieLoad is one of the microarchitectural data sampling (MDS) speculative-execution vulnerabilities that affect Intel processor generations released from 2011 onwards.
The first variant of ZombieLoad is a Meltdown-type attack on the fill-buffer logic that lets an attacker leak sensitive data not only from other applications and the operating system, but also from other virtual machines running on the same physical hardware in the cloud.
ZombieLoad v2 Affects Latest Intel CPUs
Now, the same group of researchers has disclosed details of a second variant of the vulnerability, dubbed ZombieLoad v2 and tracked as CVE-2019-11135, which resides in Intel's Transactional Synchronization Extensions (TSX).
Intel TSX adds hardware transactional memory: a thread executes a code region speculatively as a transaction, and the CPU either commits it atomically or aborts and rolls it back when a conflicting memory access (or another abort condition) is detected. This speeds up multi-threaded software by letting threads elide coarse locks.
Intel refers to ZombieLoad v2 as the "Transactional Synchronization Extensions (TSX) Asynchronous Abort (TAA)" vulnerability. When a transaction is aborted asynchronously, loads still in flight inside it can be forwarded stale data from the CPU's internal buffers before they are squashed; a local attacker who can run code in TSX transactions and observe the outcome through a cache side channel can therefore infer the contents of those buffers.
ZombieLoad v2 affects desktops, laptops, and cloud servers running any Intel CPU that supports TSX. That includes Core and Xeon processors up to and including Cascade Lake, the high-end second-generation Xeon Scalable line that Intel introduced in April 2019.
Microcode Patches Available for ZombieLoad v2
The researchers reported ZombieLoad Variant 2 to Intel on April 23, at the same time as they reported the other MDS flaws, which the chipmaker patched a month later in May.
On May 10, the team also informed Intel that the Variant 2 attack works against the company's newer CPUs, even those that include hardware mitigations against MDS attacks.
Intel asked the researchers to withhold the details of Variant 2 until now, when the chipmaker released a microcode update that addresses the vulnerability.
The company has also published mitigation guidance for operating system developers, virtual machine manager (VMM) developers, software developers using Intel SGX, and system administrators.
For more details on the new ZombieLoad variant, see the original research paper published in May, which has since been updated with information on the second variant.
Meanwhile, Red Hat has also released a script that lets users check whether their Intel-powered system is vulnerable to this flaw.
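The following is an added example, written for this page rather than taken from the article, Intel, or Red Hat's script, of how an administrator can check a Linux host for TAA exposure without any exploit code. It combines two sources: the kernel's own verdict in /sys/devices/system/cpu/vulnerabilities/tsx_async_abort (present on kernels that carry the TAA mitigation), and the IA32_ARCH_CAPABILITIES MSR (0x10a), whose MDS_NO (bit 5), TSX_CTRL (bit 7) and TAA_NO (bit 8) bits identify the "MDS-resistant but still TAA-affected" CPUs the article describes. Reading the MSR requires root and the msr-tools rdmsr utility; the sample MSR values and sysfs lines used in the comments are constructed for illustration. The verdict strings (e.g. "mitigated-verw") are this example's own labels, not kernel or Intel terminology.

```shell
#!/bin/sh
# Added example (not from the article, Intel, or Red Hat): TAA / ZombieLoad v2
# (CVE-2019-11135) exposure check for a Linux host.

# Decode the TAA-relevant bits of an IA32_ARCH_CAPABILITIES (MSR 0x10a) value.
# $1 = MSR value as hex ("0x2b") or decimal.  Bit positions per Intel's
# documentation: MDS_NO = bit 5, TSX_CTRL = bit 7, TAA_NO = bit 8.
arch_caps_decode() {
  val=$(( $1 ))
  echo "mds_no=$(( (val >> 5) & 1 )) tsx_ctrl=$(( (val >> 7) & 1 )) taa_no=$(( (val >> 8) & 1 ))"
}

# Classify a CPU from its arch-caps bits and whether TSX (the "rtm" CPUID flag)
# is enabled.  $1 = MSR value, $2 = "rtm" if /proc/cpuinfo lists rtm, else "".
# A Cascade Lake part before the TAA microcode reads MDS_NO=1, TAA_NO=0 with
# rtm present: resistant to the May MDS attacks, still exposed to TAA.
cpu_class() {
  caps=$(arch_caps_decode "$1")
  case "$caps" in
    *taa_no=1*) echo "taa-not-affected"; return 0 ;;
  esac
  if [ "$2" != "rtm" ]; then
    echo "tsx-off-not-exploitable"   # no usable TSX, TAA cannot be triggered
    return 0
  fi
  case "$caps" in
    *mds_no=1*) echo "mds-resistant-taa-affected" ;;  # the ZombieLoad v2 case
    *)          echo "mds-and-taa-affected" ;;         # older parts: both
  esac
}

# Interpret the kernel's one-line report in
# /sys/devices/system/cpu/vulnerabilities/tsx_async_abort.  The literal
# strings are the ones the Linux kernel prints (arch/x86/kernel/cpu/bugs.c).
taa_status() {
  case "$1" in
    "Not affected")                                  echo "not-affected" ;;
    "Mitigation: TSX disabled"*)                     echo "mitigated-tsx-disabled" ;;
    "Mitigation: Clear CPU buffers"*"SMT vulnerable"*)
                                                     echo "mitigated-verw-smt-exposed" ;;
    "Mitigation: Clear CPU buffers"*)                echo "mitigated-verw" ;;
    "Vulnerable: Clear CPU buffers attempted, no microcode"*)
                                                     echo "vulnerable-needs-microcode" ;;
    "Vulnerable"*)                                   echo "vulnerable" ;;
    *)                                               echo "unknown" ;;
  esac
}

# Run the check on the current host.  Anything that cannot be read (old kernel,
# no msr-tools, not root) is reported as such rather than guessed.
taa_check_host() {
  f=/sys/devices/system/cpu/vulnerabilities/tsx_async_abort
  if [ -r "$f" ]; then
    line=$(cat "$f")
    echo "kernel: $line -> $(taa_status "$line")"
  else
    echo "kernel: no tsx_async_abort entry (kernel predates the TAA mitigation?)"
  fi
  rtm=""
  flags=$(grep '^flags' /proc/cpuinfo 2>/dev/null | head -n 1)
  case " $flags " in *" rtm "*) rtm=rtm ;; esac
  echo "cpu: TSX (rtm flag) ${rtm:-absent}"
  if [ "$(id -u)" = 0 ] && command -v rdmsr >/dev/null 2>&1; then
    if caps=$(rdmsr -p 0 0x10a 2>/dev/null); then
      echo "cpu: IA32_ARCH_CAPABILITIES=0x$caps -> $(arch_caps_decode "0x$caps") -> $(cpu_class "0x$caps" "$rtm")"
    else
      echo "cpu: MSR 0x10a not readable (modprobe msr? CPU without ARCH_CAPABILITIES?)"
    fi
  else
    echo "cpu: skipping MSR read (needs root and msr-tools: modprobe msr; rdmsr -p 0 0x10a)"
  fi
}

taa_check_host
```

A verdict of "mitigated-verw-smt-exposed" means the microcode and kernel clear the buffers on context switches, but a sibling hyperthread can still sample them; on Linux the boot parameters tsx=off (disable TSX via the new TSX_CTRL MSR, which also hides the rtm flag) or tsx_async_abort=full,nosmt are the stronger settings, at the cost of TSX-dependent software or SMT.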