The MDS attacks almost all involve the speculative execution design feature found in all modern processors.
On May 14, a new class of Intel CPU vulnerabilities was published by the microchip giant. Known as speculative execution side-channel vulnerabilities, they affect almost every Intel processor produced since 2011 – this includes a great number of servers, laptops, and smartphones. Crucially, its virtual machines on the public cloud are also impacted by these vulnerabilities.
What are the new Intel CPU Vulnerabilities?
The Intel CPU vulnerabilities — dubbed as MDS attacks (microarchitectural data sampling) — almost all involve the speculative execution design feature found in all modern processors. The vulnerabilities could leak arbitrary data from different CPU internal buffers: line fill buffers, load ports or store buffers.
This is the fourth batch of CPU vulnerabilities published in just over a year. The original Meltdown and Spectre CPU flaws were published in January 2018, with new similar vulnerabilities popping up in August 2018and November 2018. If this six-month drumbeat keeps up the pace, it’s possible that we’ll see the next wave hit in November 2019.
Is This the Work of Cyber Criminals?
If everything you’ve read so far sounds technically dense, that’s because it is. These vulnerabilities are primarily theoretical – they were discovered by academics and, to our knowledge, haven’t yet been exploited in the wild in either distributed or targeted attacks.
While they may not have yet been touched by criminals, researchers have published a proof-of-concept exploit which demonstrates how the CPUs can leak sensitive data which has been written to the memory by the OS kernel, including root passwords hash.
What Should Skybox Customers Do?
It’s important to recognize that a logic flaw in a CPU isn’t the same as a software, or other, vulnerability. Short of changing your CPU, there’s little that you can do to fully resolve these vulnerabilities. Of course, doing so would be as impractical as it would be expensive. Like the Intel CPU vulnerabilities, this is a solution that exists better in theory than it does in practice.
What we’re left with instead are numerous mitigation strategies which emerge from collaborative work between CPU vendors (like Intel) and platform vendors (like Microsoft). What businesses need to do is gain and maintain awareness of any patches created and shared by the vendors and ensure that they are applied to all relevant platforms.
This advice is well-established as industry “best-practice,” but in respect of these speculative execution side-channel vulnerabilities, we would suggest going one step further by increasing the frequency of your patch windows. Don’t stick to your regular schedule — these vulnerabilities need to be prioritized.
In this instance, Intel’s initial recommendation was that users should, “always keep [their] systems up-to-date with the latest security updates, and follow the guidance from your OS and VMM vendors”. Which is good general advice, if the patches are available (at the time that advice was published, they weren’t; now, almost a week later, they are).
The following patches were published in a coordinated release: