
Thanks to a mistake, the VU (Vrije Universiteit Amsterdam) revealed a huge security hole in Intel chips. New vulnerabilities were discovered that are built into Intel hardware and go by various names. ZombieLoad, Fallout, and RIDL are the catchy ones; the more technical name is Microarchitectural Data Sampling (MDS). In short, these flaws allow an attacker to read (almost) any confidential data without needing additional privileges. While difficult to execute, a skilled attacker could use these flaws to read memory from a virtual or containerized instance, or from the underlying host system.

There is no known complete mitigation other than applying vendor software updates combined with hardware OEM-provided CPU microcode/firmware, or using non-vulnerable microprocessors. Everyone should apply the vendor fixes to patch their CPUs and update the kernel as soon as patches are available. Disabling SMT on affected systems will reduce some of the attack surface, but will not completely eliminate all threats from these vulnerabilities. To mitigate the risks these vulnerabilities introduce, systems need updated microcode, an updated kernel and virtualization patches, and administrators need to evaluate whether disabling SMT/HT is the right choice for their deployments. Enabling or disabling “hyper-threading” is always done on the physical server or hypervisor, so when a cloud provider is used there is no influence other than checking with the provider. The drawback is that switching it off has a negative impact on performance.

According to Amazon Web Services, their infrastructure is already protected: “AWS has designed and implemented its infrastructure with protections against these types of bugs, and has also deployed additional protections for MDS. All EC2 host infrastructure has been updated with these new protections, and no customer action is required at the infrastructure level.”

For many platforms, kernel upgrades are now available, as well as microcode updates for the affected CPUs. Both the hypervisors and the virtual servers must be updated.
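To confirm on a Linux host or guest that both the kernel and the microcode update took effect, a patched kernel reports its MDS state in `/sys/devices/system/cpu/vulnerabilities/mds`. The script below is an added example, not part of the original post; the verdict names it prints (`needs_microcode`, `mitigated_smt_exposed`, and so on) are made up for illustration.

```shell
#!/bin/sh
# Added example: interpret the MDS status line exposed by a patched Linux kernel.
MDS_FILE=/sys/devices/system/cpu/vulnerabilities/mds

# classify_mds STATUS: print a one-word verdict (illustrative names) for STATUS.
classify_mds() {
    case $1 in
        "Not affected"*)
            echo not_affected ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
            # Kernel is patched, but the CPU is still running old microcode.
            echo needs_microcode ;;
        "Vulnerable"*)
            echo vulnerable ;;
        "Mitigation: Clear CPU buffers"*)
            case $1 in
                *"SMT vulnerable"*)
                    # Buffers are cleared, but SMT siblings remain an exposure.
                    echo mitigated_smt_exposed ;;
                *"SMT Host state unknown"*)
                    # A guest cannot see the host's SMT setting: ask the provider.
                    echo mitigated_check_host ;;
                *)
                    echo mitigated ;;
            esac ;;
        *)
            echo unknown ;;
    esac
}

# check_mds_file PATH: classify the contents of a sysfs-style status file.
check_mds_file() {
    if [ -r "$1" ]; then
        classify_mds "$(cat "$1")"
    else
        # No such file: most likely the running kernel predates the MDS patches.
        echo needs_kernel_update
    fi
}

echo "MDS status: $(check_mds_file "$MDS_FILE")"
```

Run it on hypervisors and inside the virtual servers alike; a guest reporting `mitigated_check_host` is the case where the SMT decision lies with the hypervisor or cloud provider.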

Updates: Red Hat Enterprise Linux
Kernel updates:
Red Hat Enterprise Linux 6 (https://access.redhat.com/errata/RHSA-2019:1169)
Red Hat Enterprise Linux 7 (https://access.redhat.com/errata/RHSA-2019:1168)
Microcode updates:
Red Hat Enterprise Linux 6 (https://access.redhat.com/errata/RHEA-2019:1212)
Red Hat Enterprise Linux 7 (https://access.redhat.com/errata/RHEA-2019:1210)

Updates: CentOS Linux
Kernel updates:
CentOS 6 (https://lists.centos.org/pipermail/centos-announce/2019-May/023309.html)
CentOS 7 (https://lists.centos.org/pipermail/centos-announce/2019-May/023314.html)
Microcode updates:
CentOS 6 (https://lists.centos.org/pipermail/centos-announce/2019-May/023304.html)
CentOS 7 (https://lists.centos.org/pipermail/centos-announce/2019-May/023311.html)

Updates: Amazon Linux
Kernel updates:
Amazon Linux (https://alas.aws.amazon.com/ALAS-2019-1205.html)
Amazon Linux 2 (https://alas.aws.amazon.com/AL2/ALAS-2019-1205.html)

Updates: Ubuntu Linux
Kernel updates:
Ubuntu 14.04 LTS (https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11091.html)
Ubuntu 16.04 LTS (https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11091.html)
Ubuntu 18.04 LTS (https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11091.html)
Microcode updates:
Ubuntu 14.04 LTS (https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11091.html)
Ubuntu 16.04 LTS (https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11091.html)
Ubuntu 18.04 LTS (https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11091.html)

Updates: Debian Linux
Kernel updates:
Debian 9 Stretch (https://security-tracker.debian.org/tracker/CVE-2019-11091)
Debian 8 Jessie not available
Microcode updates:
Debian 9 Stretch (https://security-tracker.debian.org/tracker/CVE-2019-11091)
Debian 8 Jessie (https://security-tracker.debian.org/tracker/CVE-2019-11091)

Updates: VMware Hypervisor
Implementing Hypervisor-Specific Mitigations for Microarchitectural Data Sampling (MDS) Vulnerabilities (https://kb.vmware.com/s/article/67577)
VMware Security Advisories VMSA-2019-0008 (https://www.vmware.com/security/advisories/VMSA-2019-0008.html)

Credits to Winfried de Heiden for doing all the research!
