Microarchitectural Data Sampling / CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 / INTEL-SA-00233
Security vulnerabilities have been identified in Intel CPUs, affecting many Intel processors. Intel has rated the severity as 6.5.
| CVE | Name | Severity | Score |
| --- | --- | --- | --- |
| CVE-2018-12126 | Microarchitectural Store Buffer Data Sampling | Medium | 6.5 |
| CVE-2018-12130 | Microarchitectural Fill Buffer Data Sampling | Medium | 6.5 |
| CVE-2018-12127 | Microarchitectural Load Port Data Sampling | Medium | 6.5 |
| CVE-2019-11091 | Microarchitectural Data Sampling Uncacheable Memory | Low | 3.8 |
Aliases
- Zombieload
- RIDL
- Fallout
Overview
Under certain conditions, data in microarchitectural structures that the currently-running software does not have permission to access may be speculatively accessed by faulting or assisting load or store operations. This does not result in incorrect program execution because these operations never complete, and their results are never returned to software. However, software may be able to forward this speculative-only data to a side channel disclosure gadget in a way that potentially allows malicious actors to infer the data.
Microarchitectural data sampling (MDS) includes CVE-2018-12126, CVE-2018-12127 and CVE-2018-12130 (6.5 Medium, CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) and CVE-2019-11091 (3.8 Low, CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N). MDS speculative execution side channel methods can be used to expose data in the following microarchitectural structures:
- Microarchitectural Store Buffer Data Sampling (MSBDS) CVE-2018-12126
- Microarchitectural Fill Buffer Data Sampling (MFBDS) CVE-2018-12130
- Microarchitectural Load Port Data Sampling (MLPDS) CVE-2018-12127
- Microarchitectural Data Sampling Uncacheable Memory (MDSUM) CVE-2019-11091
Mitigation
Some current processors and future processors will have microarchitectural data sampling methods mitigated in the hardware. For processors that are affected, the mitigation for microarchitectural data sampling issues includes overwriting store buffers, fill buffers, and load ports before transitioning to possibly less-privileged code.
There are two methods to clear microarchitectural structures affected by MDS: MD_CLEAR functionality and software sequences. On processors that enumerate MD_CLEAR, developers can use the VERW instruction or the L1D_FLUSH command to cause the processor to overwrite buffer values that are affected by MDS; these instructions are preferred to the software sequences.
Details of how to implement these mitigation methods, as well as mitigation information for hyperthreaded environments, can be found in the Deep Dive: Intel Analysis of Microarchitectural Data Sampling.
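As an added example (not part of Intel's advisory), the following Python script reads what a Linux kernel reports about this mitigation: whether the CPU enumerates MD_CLEAR (exposed as the md_clear flag in /proc/cpuinfo), whether buffer clearing is active, and whether sibling hyperthreads remain exposed. The status strings follow the kernel's Documentation/admin-guide/hw-vuln/mds.rst; the sample inputs are constructed.

```python
"""Assess Linux MDS (INTEL-SA-00233) mitigation state from kernel reports.
Added example; status wording follows the kernel's mds.rst documentation,
and the sample file contents below are constructed, not captured."""
import re
from dataclasses import dataclass
from pathlib import Path

MDS_SYSFS = "/sys/devices/system/cpu/vulnerabilities/mds"
CPUINFO = "/proc/cpuinfo"


@dataclass
class MdsStatus:
    kernel_status: str   # raw status line from sysfs
    md_clear: bool       # CPU enumerates MD_CLEAR, so VERW overwrites buffers
    mitigated: bool      # kernel clears buffers on privilege transitions
    smt_risk: bool       # sibling hyperthreads can still sample the buffers


def parse_md_clear(cpuinfo_text: str) -> bool:
    """True if the 'flags' line of /proc/cpuinfo lists md_clear."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return "md_clear" in line.split(":", 1)[1].split()
    return False


def assess(mds_line: str, cpuinfo_text: str) -> MdsStatus:
    status = mds_line.strip()
    md_clear = parse_md_clear(cpuinfo_text)
    mitigated = status.startswith("Mitigation:") or status == "Not affected"
    # The kernel appends the SMT state after ';'. Anything other than
    # "SMT mitigated" or "SMT disabled" leaves cross-thread sampling open.
    smt_risk = status.startswith("Mitigation:") and not re.search(
        r"SMT (mitigated|disabled)", status)
    return MdsStatus(status, md_clear, mitigated, smt_risk)


def assess_live() -> MdsStatus:
    """Read the real files; sysfs entry is absent on kernels without reporting."""
    mds = Path(MDS_SYSFS).read_text() if Path(MDS_SYSFS).exists() else "Vulnerable"
    return assess(mds, Path(CPUINFO).read_text())


# Constructed sample inputs: a CPU with and without the MD_CLEAR microcode.
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu sse2 ssbd md_clear flush_l1d\n"
SAMPLE_CPUINFO_OLD = "processor\t: 0\nflags\t\t: fpu sse2 ssbd\n"

if __name__ == "__main__":
    print(assess_live())
```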
OS and Driver Developers
The OS can execute the VERW instruction to overwrite any protected data in affected buffers when transitioning from ring 0 to ring 3. This will overwrite protected data in the buffers that could belong to the kernel or other applications.
For more information on implementing the VERW instruction and on System Management Mode (SMM), OS developers can refer to the Deep Dive: Intel Analysis of Microarchitectural Data Sampling.
System Administrators
Always keep your systems up to date with the latest security updates, and follow the guidance from your OS and VMM vendors.
For more information, refer to Intel's security announcement:
https://software.intel.com/security-software-guidance/software-guidance/microarchitectural-data-sampling