Guest writer – Jason Broccardo – zoocoup.org – Twitter @zoocoup
Editor’s Note: This post is MrMacintosh.com’s first guest article. Jason posted a summary of this new vulnerability last night. It immediately reminded me of how he owned the coverage of the 10.14.4 Gmail problem and before that Spectre & Meltdown Vulnerabilities. Last night I posted an article on how to mitigate the issue (Disable Hyper-Threading) if you are looking for a detailed step-by-step.
Last Updated: Tue May 14 20:41:42 CDT 2019
Microarchitectural Data Sampling (MDS) Vulnerabilities Summary
At this point there are four identified vulnerabilities that all share a common root of forcing information to leak from the CPU’s buffer. Much like the Spectre vulnerabilities announced in 2018, these flaws could potentially allow the execution of malicious code or the extraction of information on machines with Intel processors (at this time ARM and AMD processors are not affected). Intel has released microcode firmware updates to address the issue at the hardware level but OS and application vendors will need to release additional software updates to patch potential exploit vectors from the software side.
The CVEs are:
These CVEs can also be referred to as RIDL, Fallout and Zombieload.
New speculative execution bug leaks data from Intel chips’ internal buffers
New RIDL and Fallout Attacks Impact All Modern Intel CPUs
Understanding the MDS vulnerability: What it is, why it works and how to mitigate it
MDS – Microarchitectural Store Buffer Data – CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
https://access.redhat.com/security/vulnerabilities/mds
Side Channel Vulnerability Microarchitectural Data Sampling
https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html
OS Vendor Response
For all vendors, disabling Hyper-Threading is the recommendation for the most complete mitigation, but in all cases there will be a performance impact for doing so. Disabling Hyper-Threading involves manipulating EFI/BIOS/NVRAM and a restart of the computer.
“MDS is not fully mitigated if your processor supports Hyper-Threads and Hyper-Threads are enabled.” — Microarchitectural Data Sampling (MDS)
Apple
As of May 14th, 10.14.5 looks to be the only fully patched edition of macOS as Apple has noted that the version of Safari 12.1.1 included with 10.14.5 (Safari 12.1.1 also exists for macOS 10.12 and 10.13) contains additional fixes. It’s possible Apple will clarify the position of Safari 12.1.1 in 10.12 and 10.13 at a later date. Watch the two security documents below for additional changes.
From Apple on the performance impact of disabling Hyper-Threading:
“The full mitigation, which includes disabling hyper-threading, prevents information leakage across threads and when transitioning between kernel and user space, which is associated with the MDS vulnerabilities for both local and remote (web) attacks.
Testing conducted by Apple in May 2019 showed as much as a 40 percent reduction in performance with tests that include multithreaded workloads and public benchmarks. Performance tests are conducted using specific Mac computers. Actual results will vary based on model, configuration, usage, and other factors.”
For Macs that support it, disabling Hyper-Threading requires booting to the Recovery Partition and editing NVRAM settings. There is no way to mass distribute these changes through MDM or script.
About the security content of macOS Mojave 10.14.5, Security Update 2019-003 High Sierra, Security Update 2019-003 Sierra
https://support.apple.com/en-us/HT210119
About the security content of Safari 12.1.1
https://support.apple.com/en-us/HT210123
Additional mitigations for speculative execution vulnerabilities in Intel CPUs
https://support.apple.com/en-us/HT210107
How to enable full mitigation for Microarchitectural Data Sampling (MDS) vulnerabilities
https://support.apple.com/en-ca/HT210108
These Mac models may receive security updates in macOS Mojave, High Sierra or Sierra, but are unable to support the fixes and mitigations due to a lack of microcode updates from Intel:
1. MacBook (13-inch, Late 2009)
2. MacBook (13-inch, Mid 2010)
3. MacBook Air (13-inch, Late 2010)
4. MacBook Air (11-inch, Late 2010)
5. MacBook Pro (17-inch, Mid 2010)
6. MacBook Pro (15-inch, Mid 2010)
7. MacBook Pro (13-inch, Mid 2010)
8. iMac (21.5-inch, Late 2009)
9. iMac (27-inch, Late 2009)
10. iMac (21.5-inch, Mid 2010)
11. iMac (27-inch, Mid 2010)
12. Mac mini (Mid 2010)
13. Mac Pro (Late 2010)
Microsoft
Windows guidance to protect against speculative execution side-channel vulnerabilities
ADV190013 | Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities
This article contains a chart (“Security Updates”) that provides links to the OS-appropriate update
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190013
Windows client guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
Summary of Intel microcode updates
https://support.microsoft.com/en-us/help/4093836/summary-of-intel-microcode-updates
Ubuntu
Kernel updates are available for Ubuntu 14.04 through 10.04
https://usn.ubuntu.com/3977-1/
Microarchitectural Data Sampling (MDS)
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS
Amazon Linux
Kernel update (ALAS-2019-1205) is available
https://alas.aws.amazon.com/ALAS-2019-1205.html
Red Hat
Kernel and microcode updates are available for RHEL 6, 7 and 8
https://access.redhat.com/security/vulnerabilities/mds
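After the kernel and microcode updates above are installed on a Linux host, the kernel reports its MDS state in sysfs, including whether Hyper-Threading (SMT) still leaves the mitigation incomplete. The script below is an added example, not code from the original post or from any vendor. It assumes a kernel that carries the MDS patches and exposes /sys/devices/system/cpu/vulnerabilities/mds; the verdict labels and the SYSFS_CPU override are made up for this illustration.

```shell
#!/bin/sh
# Added example: classify the MDS state reported by a patched Linux kernel.
# SYSFS_CPU can be overridden to point at sample files (assumption of this example).
SYSFS_CPU="${SYSFS_CPU:-/sys/devices/system/cpu}"

# mds_verdict STATUS -> prints one label (labels are this example's own):
#   not-affected | full | partial-smt | no-microcode | vulnerable | unknown
mds_verdict() {
    case "$1" in
        "Not affected"*)                 echo not-affected ;;
        "Mitigation:"*"SMT disabled"*)   echo full ;;
        "Mitigation:"*"SMT mitigated"*)  echo full ;;
        # Buffer clearing is active, but a sibling hyper-thread can still sample data.
        "Mitigation:"*"SMT vulnerable"*) echo partial-smt ;;
        # e.g. "SMT Host state unknown" inside a guest: the host must be checked.
        "Mitigation:"*)                  echo unknown ;;
        # Kernel is patched but the CPU microcode update is missing.
        "Vulnerable:"*"no microcode"*)   echo no-microcode ;;
        "Vulnerable"*)                   echo vulnerable ;;
        *)                               echo unknown ;;
    esac
}

# mds_check -> prints "verdict|raw kernel status|smt_active=N" for this host.
mds_check() {
    f="$SYSFS_CPU/vulnerabilities/mds"
    if [ ! -r "$f" ]; then
        # No such file: the running kernel predates the MDS patches.
        echo "unknown|$f not present|smt_active=?"
        return 2
    fi
    status=$(cat "$f")
    smt=$(cat "$SYSFS_CPU/smt/active" 2>/dev/null || echo "?")
    echo "$(mds_verdict "$status")|$status|smt_active=$smt"
}

# Report the state of the machine this runs on.
mds_check || true
```

A verdict of partial-smt is the situation the quote under "OS Vendor Response" describes: patches applied, Hyper-Threading still enabled.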
Hyper-threading has been disabled in ChromeOS 74
https://support.google.com/faqs/answer/9330250
Application & Service Vendor Response
Amazon AWS
Amazon has not yet detailed what, if any, mitigation will be needed for AWS services.
Google Chrome
“These have been adopted by Chrome and will be included in Chrome 75 which will be released to the Stable channel on or around the 4th of June.”
https://www.chromium.org/Home/chromium-security/mds
Mozilla Firefox
“Firefox has applied the mitigation recommended by Apple on macOS,” said a Mozilla spokesperson. “The macOS mitigation will be part of our upcoming Firefox release (67) and Extended Support Release update (60.7), both scheduled for May 21.”
https://techcrunch.com/2019/05/14/intel-chip-flaws-patches-released/
VMware
ESX updates
https://kb.vmware.com/s/article/67577?lang=en_US#q=CVE-2018-12130
Fusion
Update to version 11.1.0
https://kb.vmware.com/s/article/68025?lang=en_US#q=CVE-2018-12130
Workstation
Update to version 15.1.0
https://kb.vmware.com/s/article/68025?lang=en_US#q=CVE-2018-12130