SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
ZombieLoad: Another batch of flaws affect Intel chips
Thu, 16th May 2019

There's no denying that Intel CPUs are in a large proportion of the world's modern computers – and Intel is no stranger to being in the firing line when it comes to security flaws.

This follows the controversy over the vulnerabilities dubbed ‘Meltdown' and ‘Spectre', which could essentially allow attackers to gain access to a computer's memory systems. Once in, attackers could steal information from the kernel and cached files, such as passwords, logins and other credentials.

But now there's a new vulnerability in Intel-powered computers that, if exploited, could allow attackers to ‘leak information data from an area of the memory that hardware safeguards deem off-limits,' says Bitdefender.

That vulnerability is called ‘ZombieLoad' and affects all types of Intel chips that have been manufactured since 2011. However, it doesn't affect AMD and ARM chips as the Meltdown and Spectre vulnerabilities did.

“This flaw can be weaponised in highly targeted attacks that would normally require system-wide privileges or a complete subversion of the operating system. Additionally, it has an extremely large impact on cloud service providers and multi-tenant environments, as a potentially bad neighbour can leverage this flaw to read data belonging to other users," Bitdefender continues.

“This is a flaw that stems from a hardware design issue, a general fix to plug this vulnerability is impossible and has likely existed in Intel systems for a significant period."

These vulnerabilities are so far only proof-of-concepts and haven't been exploited by attackers (or at least not that vendors know of), and the level of skill required to conduct an attack of this type means it's not likely to become a mass security crisis.

ZombieLoad comprises four vulnerabilities: CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS); CVE-2018-12130 - Microarchitectural Fill Buffer Data Sampling (MFBDS); CVE-2018-12127 - Microarchitectural Load Port Data Sampling (MLPDS); and CVE-2019-11091 - Microarchitectural Data Sampling Uncacheable Memory (MDSUM).

It uses a tactic known as Microarchitectural Data Sampling. Sophos explains in a blog:

“It is a flaw in Intel processor hardware, meaning that it affects any operating systems running on x86 chips, including Windows. It uses Intel's speculative execution feature to pilfer other programs' data.”

Microsoft, Apple and Google have already released patches to do what they can for a fix. Intel has also released a microcode patch for its CPUs. Microsoft notes that the vulnerabilities affect systems including Android, iOS, Linux, and MacOS so customers should look to their device vendors for more information.
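
To check whether those operating system and microcode patches are actually in effect on a Linux host, the kernel's MDS status line can be classified as below. This is an added example, not code from the article or the vendors it quotes; it assumes a Linux kernel that exposes `/sys/devices/system/cpu/vulnerabilities/mds`, and the helper name `classify_mds` and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): classify the Linux kernel's report of
# MDS/ZombieLoad mitigation state. Assumes a kernel that exposes this file.
MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# classify_mds STATUS: hypothetical helper, prints one verdict word.
classify_mds() {
    case "$1" in
        "Not affected"*)
            echo not_affected ;;
        "Mitigation: Clear CPU buffers"*)
            # Buffer clearing is active, but sibling hyperthreads can still
            # sample each other's data unless SMT is disabled or mitigated.
            case "$1" in
                *"SMT vulnerable"*|*"SMT Host state unknown"*)
                    echo mitigated_check_smt ;;
                *)
                    echo mitigated ;;
            esac ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
            # OS patch present, CPU microcode update still missing.
            echo microcode_missing ;;
        "Vulnerable"*)
            echo vulnerable ;;
        *)
            echo unknown ;;
    esac
}

# Constructed sample status lines, in the format the kernel documents.
while IFS= read -r line; do
    printf '%-20s <- %s\n' "$(classify_mds "$line")" "$line"
done <<'EOF'
Not affected
Mitigation: Clear CPU buffers; SMT disabled
Mitigation: Clear CPU buffers; SMT vulnerable
Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
Vulnerable; SMT vulnerable
EOF

# On a real host, classify the live value if the kernel provides it.
if [ -r "$MDS_SYSFS" ]; then
    live=$(cat "$MDS_SYSFS")
    printf 'this host: %s (%s)\n' "$(classify_mds "$live")" "$live"
fi
```

A `microcode_missing` verdict means the operating system patch is installed but the CPU microcode update is not, so the mitigation is not effective yet.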

“This vulnerability represents a scary reality that's actually been around for quite a while – attackers exploiting the identities of machines to obtain sensitive data. Things like code signing keys, TLS digital certificates, SSH keys are all incredibly valuable targets, and chip vulnerabilities like this make it possible for hackers to steal these critical security assets when running on nearby cloud and virtual machines,” comments Venafi's VP of security strategy and threat intelligence, Kevin Bocek.

“Some security professionals have forgotten about Heartbleed, but this vulnerability proves that we should expect similar attacks in the future. Security teams need to accept that they won't be able to avoid vulnerabilities like ZombieLoad; instead they need to focus on protecting the keys and certificates attackers are targeting. Properly responding to a chip vulnerability requires complete visibility of where all keys and certificates are located, intelligence on how they are being used and the automation to replace them in seconds, not days or weeks. Security professionals should consider vulnerabilities like ZombieLoad a dress rehearsal for the day quantum computing breaks all machine identities."