MDS: Intel's chip vulnerabilities strike back
By Ashish Chhatani - May 16, 2019
Remember the Spectre and Meltdown vulnerabilities identified in Intel and AMD’s processors? How could anyone forget them? They took the infosec world by storm. Those vulnerabilities stemmed from a weakness in speculative execution and were exploited through side channels. The same class of vulnerabilities has now been identified again in Intel’s processors. As reported by Intel, security researchers found four flaws, named Zombieload, that form a sub-class of the previously disclosed speculative execution side-channel vulnerabilities and comprise four related techniques.
Under certain conditions, MDS gives a program the potential means to read data that the program otherwise would not be able to see. These techniques exploit speculative operations that access data in micro-architectural structures in the CPU to expose bits of information through a side channel. These structures are small and frequently overwritten. Practical exploitation of MDS is a very complex undertaking. MDS does not, by itself, provide an attacker with a way to choose the data that is leaked.
MDS Vulnerabilities, Severity and Score
Intel released microcode updates to address these potential risks. The updates give software the ability to overwrite those small structures and are being delivered through firmware updates from your system manufacturer.
No known exploits are available for MDS outside of a research environment.
MDS only refers to methods that involve micro-architectural structures other than the level 1 data cache (L1D) and thus does not include Rogue Data Cache Load (RDCL) or L1 Terminal Fault (L1TF).
Store buffers, fill buffers, and load ports are much smaller than the L1D, and therefore hold less data and are overwritten more frequently.
It is also more difficult to use MDS methods to infer data that is associated with a specific memory address, so malicious actors may need to collect significant amounts of data and analyze it to locate any protected data.
Affected Products and Patch Status
MDS is addressed in hardware starting with select 8th and 9th Generation Intel Core processors, as well as the 2nd Generation Intel Xeon Scalable processor family.
Intel has started rolling out the microcode updates for the affected products. The update is already in production for most of the products.
End users and systems administrators need to check with their system manufacturers and system software vendors and apply any available updates as soon as practical.
Intel has provided the list of affected products in the research paper.
Impact on Cloud Product and OS
Various cloud providers have provided the updates and instructions to tackle this vulnerability.
Amazon Web Services:
In its blog post, AWS stated: “AWS has designed and implemented its infrastructure with protections against these types of bugs, and has also deployed additional protections for MDS. All EC2 host infrastructure has been updated with these new protections, and no customer action is required at the infrastructure level. Updated kernels and microcode packages for Amazon Linux AMI 2018.03 and Amazon Linux 2 are available in the respective repositories (ALAS-2019-1205). As a general security best practice, it is recommended that customers patch their operating systems or software as relevant patches become available to address emerging issues.”
Google Cloud Platform:
From the Google Cloud infrastructure perspective, the infrastructure that runs Google Cloud and isolates customer workloads from each other is protected against known attacks. No additional user or customer action is needed to protect Google Cloud's infrastructure. For some Cloud products, customers may need to patch their runtime environments; see the product-specific entries below for guidance.
For the Google App Engine Standard Environment, Cloud Run and Cloud Functions, the infrastructure that runs these products and isolates customer workloads from each other is protected against known attacks. No additional user or customer action is needed.
No action is required for Google Cloud SQL or Google Cloud Dataflow.
Apple has released security updates in macOS Mojave 10.14.5 to protect against speculative execution vulnerabilities in Intel CPUs. It is recommended to update the system to the latest version. Here’s the link to the Apple security update for MDS vulnerabilities.
Red Hat has provided a script to check whether the OS/service is vulnerable in its patch update release notes.
Here’s the link to the Red Hat patch update.
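For a quick local check on Linux, the following added example (not the Red Hat script and not code from the original article) interprets the status string that MDS-aware kernels publish under /sys/devices/system/cpu/vulnerabilities/mds and looks for the md_clear CPU flag. It assumes a Linux host; the verdict names are invented for this example.

```shell
#!/bin/sh
# Added example: interpret the Linux kernel's own MDS status report.
MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# classify_mds STATUS: map the sysfs string to a short verdict (names are ours).
classify_mds() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation: Clear CPU buffers"*)
            # Buffer clearing is active; sibling hyperthreads may still share buffers.
            case "$1" in
                *"SMT vulnerable"*) echo mitigated-smt-exposed ;;
                *"SMT Host state unknown"*) echo mitigated-smt-unknown ;;
                *) echo mitigated ;;
            esac ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
            # Kernel is patched but the microcode update is missing.
            echo needs-microcode ;;
        "Vulnerable"*) echo vulnerable ;;
        *) echo unknown ;;   # empty or unrecognised: kernel predates MDS reporting
    esac
}

# has_md_clear FLAGS: succeed if the CPU advertises the md_clear feature,
# which the updated microcode exposes to the OS.
has_md_clear() {
    case " $1 " in
        *" md_clear "*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_host: report on the machine this script runs on.
check_host() {
    status=""
    [ -r "$MDS_SYSFS" ] && status=$(cat "$MDS_SYSFS")
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2)
    if has_md_clear "$flags"; then mc=yes; else mc=no; fi
    echo "kernel report : ${status:-<no sysfs entry>}"
    echo "verdict       : $(classify_mds "$status")"
    echo "md_clear flag : $mc"
}

check_host
```

A verdict of needs-microcode means the kernel update is installed but the firmware or microcode package from the system manufacturer is not; unknown means the kernel itself still needs updating.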
Microsoft has deployed mitigations across all the cloud services. The infrastructure that runs Azure and isolates customer workloads from each other is protected. This means that a potential attacker using the same infrastructure can’t attack your application using these vulnerabilities.
Azure Cloud Services: customers just need to enable auto update or make sure they are using the latest Guest OS. Other Azure PaaS services: no action is needed for customers using these services. Azure automatically keeps your OS versions up to date.