Intel MDS Vulnerabilities

On 15 May 2019, NZ time, Intel announced a new group of vulnerabilities collectively known as “Microarchitectural Data Sampling”, which are a subset of previously disclosed speculative execution side channel vulnerabilities.

The vulnerabilities have been assigned the following four CVEs:

• CVE-2018-12126 – Microarchitectural Store Buffer Data Sampling (CVSSv3 = 6.5)

• CVE-2018-12130 – Microarchitectural Fill Buffer Data Sampling (CVSSv3 = 6.5)

• CVE-2018-12127 – Microarchitectural Load Port Data Sampling (CVSSv3 = 6.5)

• CVE-2019-11091 – Microarchitectural Data Sampling Uncacheable Memory (CVSSv3 = 3.8)

Like the previous Intel chip vulnerabilities, these utilise side channel attacks against speculative performance optimisation techniques to infer data in chip components that are meant to be protected. Attacks against these vulnerabilities could allow attackers to leak private data from internal CPU buffers and Load Ports.

Successful exploitation requires malicious code to be run on a targeted system. Intel is reporting that real-world exploitation outside of controlled conditions is complex, but there are currently demonstration videos and proof of concept code published on the Internet for at least one of the vulnerabilities.

Mitigation will typically involve updates at multiple layers, including microcode, virtualisation and operating system. In some cases, full mitigation may also require additional steps, including disabling Hyper-Threading. Refer to vendor guidance to understand cases where such decisions need to be considered.
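
As an added example (not part of the original advisory and not vendor-supplied code), the script below shows how the layers described above appear on a Linux host: it interprets the MDS status string that mitigated kernels expose in sysfs and separates a missing microcode update from a remaining Hyper-Threading (SMT) exposure. It assumes a Linux kernel that provides the `vulnerabilities/mds` file; the verdict names and the sample strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's MDS mitigation status.
# Assumption: a kernel that exposes the sysfs files below.
MDS_FILE=/sys/devices/system/cpu/vulnerabilities/mds
SMT_FILE=/sys/devices/system/cpu/smt/control

# mds_verdict STATUS -> prints one verdict (names are this example's own):
#   not-affected          CPU is not vulnerable to MDS
#   mitigated             buffers are cleared and SMT is disabled or mitigated
#   mitigated-review-smt  buffers are cleared, but sibling threads may still
#                         leak (or a guest cannot see the host's SMT state)
#   needs-microcode       OS patch present, microcode update missing
#   vulnerable            no mitigation active
#   unknown               string not recognised
mds_verdict() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
            echo needs-microcode ;;
        "Vulnerable"*) echo vulnerable ;;
        "Mitigation: Clear CPU buffers"*)
            case "$1" in
                *"SMT vulnerable"*|*"SMT Host state unknown"*)
                    echo mitigated-review-smt ;;
                *) echo mitigated ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# check_host: report on the running system when the kernel exposes the file.
check_host() {
    if [ -r "$MDS_FILE" ]; then
        status=$(cat "$MDS_FILE")
        echo "mds: $status -> $(mds_verdict "$status")"
        if [ -r "$SMT_FILE" ]; then
            echo "smt control: $(cat "$SMT_FILE")"
        fi
    else
        echo "mds: status file not present (older kernel or not Linux)"
    fi
    return 0
}

# Constructed sample inputs for offline use, for example:
#   mds_verdict "Mitigation: Clear CPU buffers; SMT vulnerable"
#   mds_verdict "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable"
check_host
```

A `needs-microcode` result points at the firmware or microcode layer, while `mitigated-review-smt` is the case where vendor guidance on disabling Hyper-Threading applies.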

Remediation:

CCL Polaris IaaS Platform

CCL is programmatically addressing the identified vulnerabilities at the hardware, hypervisor and management software layers. Clients are responsible for patching non-CCL managed operating systems residing on the platform. Additional information will be provided through our standard change control notifications or directly from your Customer Relationship Manager.

Public Cloud Platforms

All major public cloud providers are indicating that they have taken steps to mitigate the vulnerabilities in their environments:

https://support.google.com/faqs/answer/9330250

https://aws.amazon.com/security/security-bulletins/AWS-2019-004/

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190013

Client Dedicated Virtual Platforms, On-premise Private Cloud and On-premise Infrastructure:

For dedicated virtualisation platforms, patching may be required at the hardware microcode and operating system level in addition to the Hypervisor. Please refer to applicable vendor guidance for detailed mitigation requirements. Links for some major vendors are included below.

Recommendations:

CCL recommends that all clients assess their risk and appropriately patch systems. Standard update procedures should be appropriate for most systems. Shared environments that run untrusted code may warrant more urgent, out-of-band update procedures.

Please note that some vendors are indicating system reboots will be required for updates to be applied. Always perform thorough testing to avoid unexpected outages or performance impacts. Vendors have indicated that some performance impact should be expected.

Please contact support@concepts.co.nz or 0800 225 737 if you would like more information.

References:

Note – please hover over and validate hyperlinks prior to clicking

https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html

https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-microarchitectural-data-sampling

https://support.microsoft.com/en-nz/help/4457951/windows-guidance-to-protect-against-speculative-execution-side-channel

https://www.vmware.com/security/advisories/VMSA-2019-0008.html

https://access.redhat.com/security/vulnerabilities/mds

Brenda Caseley
