Academic researchers today disclosed details of the newest class of speculative execution side-channel vulnerabilities in Intel processors, which affects all modern Intel chips, including those used in Apple devices.

After the discovery of the Spectre and Meltdown processor vulnerabilities early last year, which put practically every computer in the world at risk, new classes of Spectre and Meltdown variants have surfaced again and again.

Now, a team of security researchers from multiple universities and security firms has discovered a different, and more dangerous, set of speculative execution side-channel vulnerabilities in Intel CPUs.

The newly discovered flaws could allow attackers to directly steal user-level as well as system-level secrets from CPU buffers, including user keys, passwords, and disk encryption keys.

Speculative execution is a core component of modern processor design: the CPU executes instructions ahead of time based on assumptions it considers likely to be true. If the assumptions turn out to be valid, the results are kept; otherwise they are discarded. Discarded results are never architecturally visible, but they can leave traces in microarchitectural state, and that is what side-channel attacks of this kind observe.

Dubbed Microarchitectural Data Sampling (MDS attacks), the newest class of vulnerabilities consists of four different flaws which, unlike existing attacks that leak data stored in CPU caches, can leak arbitrary in-flight data from CPU-internal buffers, such as Line Fill Buffers, Load Ports, or Store Buffers.

“The new vulnerabilities can be used by motivated hackers to leak privileged information data from an area of the memory that hardware safeguards deem off-limits. It can be weaponized in highly targeted attacks that would normally require system-wide privileges or deep subversion of the operating system,” BitDefender told The Hacker News.

Here is the list of vulnerabilities that make up the new MDS class of speculative execution flaws in Intel processors:

  1. CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS), also known as the Fallout attack.
  2. CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (MFBDS), also known as Zombieload, or RIDL (Rogue In-Flight Data Load).
  3. CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS), also part of the RIDL class of attacks.
  4. CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM), also part of the RIDL class of attacks.

The Fallout attack is a new transient execution attack that could allow unprivileged user processes to steal information from a previously unexplored microarchitectural component, the store buffer.

The attack can be used to read data that the operating system recently wrote, and it can also help determine where the operating system's memory lies, which other attacks could then exploit.
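For a defender, the practical question after a disclosure like this is whether a given Linux host is affected by the four CVEs above and whether the mitigation is actually in effect. The following script is an added example, not code from the article or from the researchers; it assumes the Linux kernel's sysfs entry `/sys/devices/system/cpu/vulnerabilities/mds`, which reports the status of all four MDS CVEs in one line, and the status strings documented in the kernel's admin guide for that file. The sample lines in `SAMPLES` are constructed for the example.

```python
"""
Classify the Linux kernel's MDS mitigation status line.

Added example, not from the article or any vendor. The kernel reports the
status of the four MDS CVEs through one sysfs file (MDS_SYSFS below). The
status strings handled here follow the kernel's admin-guide documentation
for that file; the sample lines in SAMPLES are constructed for this example.
"""
import os
from typing import Optional

MDS_SYSFS = "/sys/devices/system/cpu/vulnerabilities/mds"

# The four CVEs covered by this single sysfs entry (as listed in the article).
MDS_CVES = (
    "CVE-2018-12126",  # MSBDS, Fallout
    "CVE-2018-12130",  # MFBDS, Zombieload / RIDL
    "CVE-2018-12127",  # MLPDS, RIDL
    "CVE-2019-11091",  # MDSUM, RIDL
)


def classify_mds_status(line: str) -> dict:
    """Turn one status line into a verdict dict.

    Keys: 'affected', 'mitigated', 'smt_safe', 'note'.
    """
    text = line.strip()
    if text == "Not affected":
        return {"affected": False, "mitigated": True,
                "smt_safe": True, "note": "CPU not affected"}

    # Format is "<main status>[; <SMT status>]".
    parts = [p.strip() for p in text.split(";")]
    head = parts[0]
    smt = parts[1] if len(parts) > 1 else ""

    # "Mitigation: Clear CPU buffers" means the kernel flushes the buffers on
    # privilege transitions. "Vulnerable: Clear CPU buffers attempted, no
    # microcode" means the kernel tried, but without the microcode update
    # nothing is actually cleared, so the host is still vulnerable.
    mitigated = head.startswith("Mitigation:")

    # With SMT enabled, a sibling hyperthread can still sample the buffers,
    # so only "SMT disabled" or "SMT mitigated" count as safe here.
    smt_safe = True if not smt else smt in ("SMT disabled", "SMT mitigated")

    return {"affected": True, "mitigated": mitigated,
            "smt_safe": smt_safe, "note": head}


def verdict(status: dict) -> str:
    """Collapse a status dict into a one-word verdict for reporting."""
    if not status["affected"]:
        return "OK"
    if not status["mitigated"]:
        return "VULNERABLE"
    return "MITIGATED" if status["smt_safe"] else "PARTIAL (SMT)"


def read_mds_status(path: str = MDS_SYSFS) -> Optional[dict]:
    """Read the live sysfs entry; None if this kernel does not expose it."""
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return classify_mds_status(f.read())


# Constructed sample lines in the format the kernel uses.
SAMPLES = [
    "Not affected",
    "Vulnerable",
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "Mitigation: Clear CPU buffers; SMT vulnerable",
    "Mitigation: Clear CPU buffers; SMT disabled",
    "Mitigation: Clear CPU buffers; SMT mitigated",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{verdict(classify_mds_status(sample)):<14} {sample}")
    live = read_mds_status()
    print("live:", "not exposed by this kernel" if live is None else verdict(live))
```

The "PARTIAL (SMT)" verdict is the one worth watching in fleet reports: the kernel-side buffer clearing is in place, but with hyperthreading enabled a sibling thread on the same core can still sample in-flight data, so the mitigation is only complete if SMT is disabled or the workload never shares a core with untrusted code.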
