Category: ZombieLoad

Guest writer – Jason Broccardo – zoocoup.org – Twitter @zoocoup

Editor’s Note: This post is MrMacintosh.com’s first guest article. Jason posted a summary of this new venerability last night. It immediately reminded me of how he owned the coverage of the 10.14.4 Gmail problem and before that Spectre & Meltdown Vulnerabilities. Last night I posted an article on how to mitigate the issue (Disable Hyper-Threading) if you are looking for a detailed step by step .

Last Updated: Tue May 14 20:41:42 CDT 2019

Microarchitectural Data Sampling (MDS) Vulnerabilities Summary

At this point there are four identified vulnerabilities that all share a common root of forcing information to leak from the CPU’s buffer. Much like the Spectre vulnerabilities announced in 2018, these flaws could potentially allow the execution of malicious code or the extraction of information on machines with Intel processors (at this time ARM and AMD processors are not affected). Intel has released microcode firmware updates to address the issue at the hardware level but OS and application vendors will need to release additional software updates to patch potential exploit vectors from the software side.

The CVEs are:

• CVE-2018-12126
• CVE-2018-12127
• CVE-2018-12130
• CVE-2019-11091

These CVEs can also be referred to as RIDL, Fallout and Zombieload.

https://mdsattacks.com

https://zombieloadattack.com

New speculative execution bug leaks data from Intel chips’ internal buffers

https://arstechnica.com/gadgets/2019/05/new-speculative-execution-bug-leaks-data-from-intel-chips-internal-buffers/

New RIDL and Fallout Attacks Impact All Modern Intel CPUs

https://www.bleepingcomputer.com/news/security/new-ridl-and-fallout-attacks-impact-all-modern-intel-cpus/

Understanding the MDS vulnerability: What it is, why it works and how to mitigate it

https://www.redhat.com/en/blog/understanding-mds-vulnerability-what-it-why-it-works-and-how-mitigate-it?sc_cid=701f2000000tyBjAAI

MDS – Microarchitectural Store Buffer Data – CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091

https://access.redhat.com/security/vulnerabilities/mds

Side Channel Vulnerability Microarchitectural Data Sampling

https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html

OS Vendor Response

For all vendors, disabling Hyper-Threading is the recommendation for most complete mitigation but in all cases there will be a performance impact for doing so. Disabling Hyper-Threading involves manipulating EFI/BIOS/NVRAM and a restart of the computer..

“MDS is not fully mitigated if your processor supports Hyper-Threads and Hyper-Threads are enabled.” —

Microarchitectural Data Sampling (MDS)

Apple

As of May 14th, 10.14.5 looks to be the only fully patched edition of macOS as Apple has noted that the version of Safari 12.1.1 included with 10.14.5 (Safari 12.1.1 also exists for macOS 10.12 and 10.13) contains additional fixes. It’s possible Apple will clarify the position of Safari 12.1.1 in 10.12 and 10.13 at a later date. Watch the two security documents below for additional changes.

From Apple on the Performance impact of disabling hyper-threading:

“The full mitigation, which includes disabling hyper-threading, prevents information leakage across threads and when transitioning between kernel and user space, which is associated with the MDS vulnerabilities for both local and remote (web) attacks.

Testing conducted by Apple in May 2019 showed as much as a 40 percent reduction in performance with tests that include multithreaded workloads and public benchmarks. Performance tests are conducted using specific Mac computers. Actual results will vary based on model, configuration, usage, and other factors.”

For Macs that support it, disabling Hyper-Threading requires booting to the Recovery Partition and editing NVRAM settings. There is no way to mass distribute these changes through MDM or script.

About the security content of macOS Mojave 10.14.5, Security Update 2019-003 High Sierra, Security Update 2019-003 Sierra

https://support.apple.com/en-us/HT210119

About the security content of Safari 12.1.1

https://support.apple.com/en-us/HT210123

Additional mitigations for speculative execution vulnerabilities in Intel CPUs

https://support.apple.com/en-us/HT210107

How to enable full mitigation for Microarchitectural Data Sampling (MDS) vulnerabilities

https://support.apple.com/en-ca/HT210108

These Mac models may receive security updates in macOS Mojave, High Sierra or Sierra, but are unable to support the fixes and mitigations due to a lack of microcode updates from Intel:

• 1. MacBook (13-inch, Late 2009)
• 2. MacBook (13-inch, Mid 2010)
• 3. MacBook Air (13-inch, Late 2010)
• 4. MacBook Air (11-inch, Late 2010)
• 5. MacBook Pro (17-inch, Mid 2010)
• 6. MacBook Pro (15-inch, Mid 2010)
• 7. MacBook Pro (13-inch, Mid 2010)
• 8. iMac (21.5-inch, Late 2009)
• 9. iMac (27-inch, Late 2009)
• 10. iMac (21.5-inch, Mid 2010)
• 11. iMac (27-inch, Mid 2010)
• 12. Mac mini (Mid 2010)
• 13. Mac Pro (Late 2010)

Microsoft

Windows guidance to protect against speculative execution side-channel vulnerabilities

https://support.microsoft.com/en-us/help/4457951/windows-guidance-to-protect-against-speculative-execution-side-channel

ADV190013 | Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities

This article contains a chart (“Security Updates”) that provides links to the OS-appropriate update

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190013

Windows client guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

Summary of Intel microcode updates

https://support.microsoft.com/en-us/help/4093836/summary-of-intel-microcode-updates

Ubuntu

Kernel updates are available for Ubuntu 14.04 through 10.04

https://usn.ubuntu.com/3977-1/

Microarchitectural Data Sampling (MDS)

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS

Amazon Linux

Kernel update (ALAS-2019-1205) is available

https://alas.aws.amazon.com/ALAS-2019-1205.html

Redhat

Kernel and microcode updates are available for RHEL 6, 7 and 8

https://access.redhat.com/security/vulnerabilities/mds

Google

Hyper-threading has been disabled in ChromeOS 74

https://support.google.com/faqs/answer/9330250

Application & Service Vendor Response

Amazon AWS

Amazon has not yet detailed what, if any, mitigation will be needed for AWS services.

Google Chrome

“These have been adopted by Chrome and will be included in Chrome 75 which will be released to the Stable channel on or around the 4th of June.”

https://www.chromium.org/Home/chromium-security/mds

Mozilla Firefox

“Firefox has applied the mitigation recommended by Apple on macOS,” said a Mozilla spokesperson. “The macOS mitigation will be part of our upcoming Firefox release (67) and Extended Support Release update (60.7), both scheduled for May 21.”

https://techcrunch.com/2019/05/14/intel-chip-flaws-patches-released/

VMware

ESX updates

https://kb.vmware.com/s/article/67577?lang=en_US#q=CVE-2018-12130

Fusion

Update to version 11.1.0

https://kb.vmware.com/s/article/68025?lang=en_US#q=CVE-2018-12130

Workstation

Update to version 15.1.0

https://kb.vmware.com/s/article/68025?lang=en_US#q=CVE-2018-12130

(MDS) Vulnerabilities Summary by Jason Broccardo