close
Written by Anthony Carballo
on November 19, 2019

You might remember back in May when Intel published information about a new subclass of speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling (MDS). It was called ZombieLoad, and it even has its website https://zombieloadattack.com where you can see a PoC (Proof of Concept) and have further information.

This new variant of the ZombieLoad is now targeting the Transactional Synchronization Extensions (TSX) feature in Intel processors.

Intel TSX is a CPU feature that aims to improve performance by adding hardware transactional memory where all of the shared memory and the data it stores used all together, discarded, or aborted altogether. It allows read and writes operations to shared data without the performance overhead of lock-based memory access.

An attacker who successfully exploited this vulnerability could obtain information to compromise the user's system further.

This month Microsoft released patches for 74 vulnerabilities in their famous Patch Tuesday. From those 74, 15 are critical, addressing the new CPU side-channel attack (tracked under CVE-2019-

11135), known as ZombieLoad v2, similar to the well-known Meltdown, Spectre, and Foreshadow, the new variant may allow an attacker to steal sensitive data and keys being processed by the CPU. To fix the issue, you must apply OS updates provided by Microsoft.

 

TTPs

When an Intel TSX memory transaction is aborted, either synchronously or asynchronously, all earlier memory writes inside the transaction are rolled back to the state before the transaction start. While an Intel TSX asynchronous abort (TAA) is pending, specific loads inside the transaction that are not yet completed may read data from micro architectural structures and speculatively pass that data to dependent operations. It may cause micro architectural side effects. It can later be measured to infer the value of the data in the micro architectural structures.

 

Conclusions

Microsoft has released software updates to help mitigate these vulnerabilities. Software updates are required to get the available protections. In some cases, installing these updates may lead to a slight performance impact.

Intel states that this bug affects a wide range of Intel CPUs, including their Cascade Lake line of processors, which are not affected by other Microarchitectural Data Sampling (MDS).

To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly. Still, it could be used to obtain information that could be used to try to compromise the affected system further.

ZombieLoad v2 affects desktops, laptops, and cloud computers running any Intel CPUs that support TSX, including Core, Xeon processors, and Cascade Lake, Intel's line of high-end CPUs that was introduced in April 2019.

Exploiting this vulnerability outside the controlled conditions of a research environment is a complicated task. The vulnerability has been classified as medium severity per the industry-standard Common Vulnerability Scoring System (CVSS) since there are no reports of any of these vulnerabilities being exploited and the complexity to exploit the same.

 

CVEs

For reference, these previous vulnerabilities were tracked under:

o CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS) 

o CVE-2018-12130 - Microarchitectural Fill Buffer Data Sampling (MFBDS)

o CVE-2018-12127 - Microarchitectural Load Port Data Sampling (MLPDS)

o CVE-2019-11091 - Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

The newly discovered vulnerability is now tracked under:

o CVE-2019-11135- Transactional Synchronization Extensions (TSX)

Severity:

Medium

Vulnerable CPUs:

  • 10th Generation Intel® Core™ Processor Family
  • 2nd Generation Intel® Xeon® Scalable Processors
  • Intel® Xeon® W Processor Family
  • 9th Generation Intel® Core™ Processor Family
  • Intel® Xeon® Processor E Family
  • 10th Generation Intel® Core™ Processor Family
  • Intel® Pentium® Gold Processor Series
  • Intel® Celeron® Processor 5000 Series
  • 8th Generation Intel® Core™ Processors

 

Advice

The best course of action right now is to apply all the patches that were released; it is always a good practice keeping the computers up to date. It includes installing OS and microcode updates.

Intel recommends that users of the affected Intel Processors listed above, update to the latest firmware version provided by the system manufacturer that addresses these issues.

For additional microcode information about the affected products, find here a PDF from Intel, which lists all of the latest microcode updates.

 

TTPs: Tactics, techniques and procedures

CVEs: Common Vulnerabilities and Exposures

Let Us Know What You Thought about this Post.

Put your Comment Below.

You may also like: