Microarchitectural Data Sampling / CVE-2018-12126 , CVE-2018-12127,CVE-2018-12130,CVE-2019-11091 / INTEL-SA-00233

Microarchitectural Data Sampling / CVE-2018-12126 , CVE-2018-12127,CVE-2018-12130,CVE-2019-11091 / INTEL-SA-00233

Security vulnerabilities have been identified in Intel CPUs affecting many Intel processor. Severity has been rated as 6.5 by Intel.

CVE Name Severity Score
CVE-2018-12126Microarchitectural Store Buffer Data SamplingMedium6.5
CVE-2018-12130Microarchitectural Load Port Data SamplingMedium6.5
CVE-2018-12127Microarchitectural Load Port Data SamplingMedium6.5
CVE-2019-11091Microarchitectural Data Sampling Uncacheable MemoryMedium3.8

Aliases

  • Zombieload
  • RIDL
  • Fallout

Overview

Under certain conditions, data in microarchitectural structures that the currently-running software does not have permission to access may be speculatively accessed by faulting or assisting load or store operations. This does not result in incorrect program execution because these operations never complete, and their results are never returned to software. However, software may be able to forward this speculative-only data to a side channel disclosure gadget in a way that potentially allows malicious actors to infer the data.

Microarchitectural data sampling (MDS) includes CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, (6.5 Medium CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) and CVE-2019-11091 (3.8 Low CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N). MDS speculative execution side channel methods can be used to expose data in the following microarchitectural structures:

  • Microarchitectural Store Buffer Data Sampling (MSBDS) CVE-2018-12126
  • Microarchitectural Fill Buffer Data Sampling (MFBDS) CVE-2018-12130
  • Microarchitectural Load Port Data Sampling (MLPDS) CVE-2018-12127
  • Microarchitectural Data Sampling Uncacheable Memory (MDSUM) CVE-2019-11091

Mitigation

Some current processors and future processors will have microarchitectural data sampling methods mitigated in the hardware. For processors that are affected, the mitigation for microarchitectural data sampling issues includes overwriting store buffers, fill buffers, and load ports before transitioning to possibly less-privileged code.

There are two methods to clear microarchitectural structures affected by MDS: MD_CLEAR functionality1 and software sequences. On processors that enumerate MD_CLEAR2, developers can use the VERW instruction or L1D_FLUSH command3 to cause the processor to overwrite buffer values that are affected by MDS, as these instructions are preferred to the software sequences.

Details of how to implement these mitigation methods, as well as mitigation information for hyperthreaded environments, can be found in the Deep Dive: Intel Analysis of Microarchitectural Data Sampling.

OS and Driver Developers

The OS can execute the VERW instruction to overwrite any protected data in affected buffers when transitioning from ring 0 to ring 3. This will overwrite protected data in the buffers that could belong to the kernel or other applications.

OS developers can find more information on implementing the VERW instruction and more on System Management Mode (SMM), refer to the Deep Dive: Intel Analysis of Microarchitectural Data Sampling.

System Administrators

Always keep your systems up to date with the latest security updates, and follow the guidance from your OS and VMM vendors.

For more information, you can refer Intel’s security announcement:

https://software.intel.com/security-software-guidance/software-guidance/microarchitectural-data-sampling

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to top
%d bloggers like this: