Yesterday was an exciting day for IT security. A vulnerability in WhatsApp Messenger was disclosed and many patches were rolled out on Patch Tuesday, but the evening still held a surprise: four attacks on Intel processors were disclosed at the same time.
MDS attacks on Intel processors
The researchers call their attacks RIDL (Rogue In-Flight Data Load) and Fallout; Intel groups them under the name Microarchitectural Data Sampling (MDS), because data sampled from several microarchitectural buffers is combined to intercept data currently being processed and reconstruct secrets from it. Such data can be passwords or kernel information, for example. According to researchers at KU Leuven, the attack is a real threat to all computer systems and applications running on Intel chips. The MDS attacks are a systematic continuation of the Spectre and Meltdown vulnerabilities discovered last year and belong to the category of “speculative execution attacks”. At mdsattacks.com you can find more information, demo videos and an interactive graphic that helps to understand the concept of “speculative execution attacks”.
ZombieLoad attack on Intel processors
An attack discovered by TU Graz is ZombieLoad. It is also a speculative execution attack and a direct successor of Meltdown and Spectre. By abusing the so-called bypass logic of the Intel CPU when loading values, it is possible to leak data across processes, across privilege boundaries, out of Intel SGX enclaves and between VMs. Code that exploits this vulnerability works on Windows, Linux and other operating systems, because it is a hardware problem, not a software problem. An example given by the researchers is reading the browser history. The only way the researchers see to prevent ZombieLoad and the MDS attacks is to completely disable hyperthreading on current and previous Intel processors, which would likely reduce CPU performance.
Data Bounce Attack on Intel Processors
The website cpu.fail collects all the published vulnerabilities in one place. It also points to another attack called Data Bounce, which attacks patched Intel CPUs with a Meltdown-like technique. The researchers also found that Spectre v1 gadgets can be used with Data Bounce and can therefore read private data as well. The attack shows that the researchers can read arbitrary data from the kernel and that the current countermeasures, even those at the hardware level, are not sufficient.
What can I do about the vulnerabilities in Intel processors?
As a user, you can do little yourself. The attacks work so close to the hardware that your anti-virus software will probably not detect any manipulation, and log files are also unlikely to tell you whether a system has been compromised by one of these attacks. Intel has temporarily patched the current vulnerabilities, but a structural problem is emerging that will hopefully receive more attention in future processor generations. Users can be trained with phishing campaigns or awareness training as much as you like, and applications or processes can be put through a penetration test, but one problem remains: if the hardware itself is not trustworthy, an attack vector through the hardware always stays open. And this attack vector is extremely critical, because secrets such as authentication data are ultimately always held in some kind of hardware circuit.
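What an administrator can at least verify is whether the microcode mitigation and the hyperthreading advice above have actually taken effect on a given Linux host. The following POSIX shell script is an added example, not code from the original post or from the researchers; it assumes the standard sysfs files the Linux kernel exposes for MDS (`/sys/devices/system/cpu/vulnerabilities/mds`) and SMT control (`/sys/devices/system/cpu/smt/control`) and reduces their wording to a short verdict.

```shell
#!/bin/sh
# Summarise what the Linux kernel itself reports about MDS and SMT
# (hyperthreading). Assumed sysfs paths are the standard ones added with
# the MDS patches; both can be overridden through the environment.
MDS_FILE="${MDS_FILE:-/sys/devices/system/cpu/vulnerabilities/mds}"
SMT_FILE="${SMT_FILE:-/sys/devices/system/cpu/smt/control}"

# Map one kernel mds status line to a short verdict. Kernel wording:
#   "Not affected", "Vulnerable...",
#   "Mitigation: Clear CPU buffers; SMT vulnerable|disabled|mitigated|Host state unknown"
classify_mds() {
    case "$1" in
        "Not affected"*)                         echo not_affected ;;
        "Mitigation:"*"SMT vulnerable"*)         echo partial ;;   # buffers cleared, sibling thread can still leak
        "Mitigation:"*"SMT Host state unknown"*) echo partial ;;   # guest cannot tell whether the host disabled SMT
        "Mitigation:"*)                          echo mitigated ;;
        "Vulnerable"*)                           echo vulnerable ;;
        *)                                       echo unknown ;;
    esac
}

# Map smt/control ("on", "off", "forceoff", "notsupported", "notimplemented").
classify_smt() {
    case "$1" in
        off|forceoff|notsupported) echo disabled ;;
        on)                        echo enabled ;;
        *)                         echo unknown ;;
    esac
}

# Read both files and print "<mds-verdict> <smt-state>"; a missing file
# (older kernel, or sysfs not mounted) yields "unknown" rather than an error.
assess_mds() {
    mds_line=$(cat "$1" 2>/dev/null) || mds_line=""
    smt_line=$(cat "$2" 2>/dev/null) || smt_line=""
    echo "$(classify_mds "$mds_line") $(classify_smt "$smt_line")"
}

# Stand-alone run: report on the current host.
assess_mds "$MDS_FILE" "$SMT_FILE"
```

A result of `partial enabled` means the microcode clears the CPU buffers but hyperthreading is still on, which is exactly the state the researchers warn is not sufficient.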