16 May Zombieload, RIDL & Fallout and Store-to-Leak Forwarding
Again 4 new execution side-channel vulnerabilities were disclosed by Intel on May 14th. Each of them has its own name but collectively they are referred to as Microarchitectural Data Sampling (mds):
- CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM): part of RIDL
- CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS): part of Fallout
- CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS): part of RIDL
- CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (MFBDS): part of RIDL and Zombieload
All those vulnerabilities have a CVSS base score of 6.5 (Medium), except CVE-2019-11091 which scores 3.8 (Low).
Under certain conditions, they make it possible to speculatively access data in microarchitectural structures that the currently-running software does not have permission to access.
Luckily Intel already provided more information and a solution towards hardware and software vendors. They published more information on their website: Microarchitectural Data Sampling Advisory
What should be done to solve those vulnerabilities:
- Deploy the updated Intel CPU Microcode (check with your hardware vendor for this firmware update/patch) Important notice: not all Intel processor will get a microcode fix, an overview can be found over here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf
- Update the OS
But always be careful as the patches can impact performance! This should always be tested before.
Users of Oracle Linux and/or Oracle VM
To check if you’re impacted, run following command
cat /proc/cpuinfo | grep bugs | uniq
If the output does not contain “mds”, you should upgrade as described below (also the “/sys/devices/system/cpu/vulnerabilities/mds” file will not exist in that case).
Oracle described the microcode_ctl package and OS kernel version needed within Oracle MOS note 2541410.1.
The minimum required microcode_ctl versions needed:
- Oracle Linux 6: microcode_ctl 1.17-1002
- Oracle Linux 7: microcode_ctl 2.1-47.0.4
Oracle Linux 5 systems, and Oracle VM Server prior to 3.4 must use a BIOS/ILOM/system firmware update to obtain and install the CPU microcode updates.
The minimum required kernel versions needed for Oracle Linux 6 and 7:
- UEK2: 2.6.39-400.310.1
- UEK3: 3.8.13-118.33.2
- UEK4: 4.1.12-124.26.12
- UEK5: 4.14.35-18220.127.116.11
The minimum required kernel versions needed for Oracle VM 3.4:
- OVS 3.4.4: xen-4.4.4-155.0.71
- OVS 3.4.6: xen-4.4.4-222.0.3
The Firmware version for Oracle hardware can be found within Oracle MOS note 2540606.1. As firmware patches are unique to each server type, the website of the hardware vendor should be checked for Non-Oracle hardware.
So don’t forget that both the OS and microcode/firmware need to be upgraded!
Users of Oracle Cloud
Users of the Oracle cloud should check if, depending on the Cloud infrastructure you’re using, Oracle already deployed technical mitigations. Just verify if there’s still something to be done by you or not: https://docs.cloud.oracle.com/iaas/Content/Security/Reference/MDS_response.htm
Users of Microsoft Windows
If you want to have the fix applied, just install the latest Windows Updates and make sure the KB created for your Windows version is listed to be installed (Updates will be pushed towards your system if it has been configured this way). For the list of KB patches which should be installed for each specific Windows version, please check https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv190013.
Microsoft’s advice for customers using Windows server operating systems is also to check Microsoft Knowledge Base Article 4072698 for additional information and workarounds.
IMPORTANT NOTE: in some cases, they advise to disable hyperthreading, however, this will have a big performance impact and should be tested carefully.
This article will be updated with additional information when we also receive more information from the vendors (Oracle and Microsoft).
Don’t forget to read our articles about previous vulnerabilities too:
- Dirty Cow: https://monin-it.be/2016/10/25/serious-linux-kernel-vulnerability-dirty-cow-announced-learn-patch-without-downtime/
- Meltdown & Spectre: https://monin-it.be/2018/01/17/meltdown-spectre-solution-linux-windows/
- L&TF Foreshadow: https://monin-it.be/2018/08/16/l1tf-foreshadow/
Hopefully, you all have the information needed now to solve the mds vulnerabilities on your servers. Monin can always help customers to apply the fixes mentioned before. Just ask us for more information about how we can help you secure your Red Hat Linux, Oracle Enterprise Linux, Oracle VM and or Microsoft Windows so it’s patched for the mds vulnerabilities.
Some interesting links:
- Oracle announcement mds: https://blogs.oracle.com/security/intelmds
- Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv190013
- Red Hat announcement mds: https://access.redhat.com/security/vulnerabilities/mds
- Intel Microarchitectural Data Sampling Advisory: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html
- Intel Microcode Revision Guidance: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf
- Zombieload attack webpage: https://zombieloadattack.com/
- RIDL & Fallout webpage: https://mdsattacks.com/