An Intel E5-1600 v3 processor die Intel

Here’s How ZombieLoad Affects Data Centers and What to Do About It

Experts say exploits would be sophisticated and take a long time to build, but operators should act now.

A new Intel vulnerability was disclosed yesterday that lets attackers steal data as processes run on most machines using Intel chips. The flaw affects nearly every Intel processor released in the past decade and is especially dangerous in multi-user environments like virtualized servers in data centers.

Intel calls it Microarchitectural Data Sampling, but the flaw is more commonly referred to as ZombieLoad, and variants discovered by researchers include Fallout and RIDL.

According to Intel spokesperson Leigh Rosenwald, the problem is already addressed at the hardware level in many recent eighth-generation and ninth-generation Intel Core processors, as well as the second-generation Intel Xeon Scalable processor family.

"For other affected products, mitigation is available through microcode updates, coupled with corresponding updates to operating system and hypervisor software," she said.

She recommended that data center security managers check Intel's Deep Dive page for more information.

According to Rosenwald, this is a low to medium-severity vulnerability. "Exploiting these vulnerabilities outside of a laboratory environment is extremely complex relative to other methods that attackers have at their disposal," she said. "And it's important to note that there are no reports of any real-world exploits of these vulnerabilities."

The flaw allows malware on a PC to eavesdrop on other applications on the same machine to, say, steal passwords. The malware would still first have to be installed using some other method, such as a phishing attack or a drive-by download.

In a data center, however, one virtual machine could eavesdrop on what's happening in another virtual machine on the same server without having to install the malware on that second VM. That's especially troubling for cloud environments, since one user could install the exploit on their own cloud VM to spy on other users.

Securing Your Data Center From ZombieLoad

Intel has already released a microcode patch, but operating systems, hypervisors, and individual applications all need to be patched as well. That matters most in multi-user environments, where the patching status of the other parts of the system isn't known, or where some of the patches cannot be applied immediately for some reason.

An Intel spokesperson told TechCrunch that data center systems could take a performance hit up to 9 percent once a patch for the vulnerability is applied.

Apple, Google, and Microsoft have all released patches.

How quickly should data center security managers install the patches?

It depends on what other defenses are already in place to mitigate against side-channel attacks, said Tom Hickman, VP of engineering at Edgewise Networks, a Burlington, Massachusetts-based security vendor.

It can take days, months, or even years for attackers to develop working exploits for vulnerabilities, he said. "In this case, it's a pretty sophisticated attack, and I think there would be a fairly long runway. So, you might rationalize that you might have some time."

Enterprise Strategy Group analyst Jon Oltsik agreed that ZombieLoad attacks might be difficult for attackers to launch outside of a lab environment.

"Organizations should be okay," he said. "But security best practices suggest that organizations should take proactive steps to mitigate this risk."

In enterprise data centers, managers should check asset management databases to determine which assets are vulnerable, he said. Then, they can install microcode and hypervisor patches.

"They can also turn off micro-threading, as this closes the vulnerability entirely," he said.
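A host-level version of those steps (find out which assets are still vulnerable, whether the microcode and kernel pieces are in place, and whether hyper-threading is still exposing sibling threads) is shown below as an added example; it is not code from Intel, the researchers, or the article's sources. It reads the Linux kernel's own MDS reporting under /sys/devices/system/cpu/vulnerabilities/mds, the SMT control file, and the md_clear flag in /proc/cpuinfo, and maps them to a triage verdict. The verdict labels and the sample cpuinfo text are this example's own constructions; the sysfs paths and status-string formats are the ones documented in the kernel's hw-vuln/mds.rst.

```python
"""Triage a Linux host's ZombieLoad (MDS) mitigation state.

Added example, not code from Intel, the researchers, or the article's sources.
It reads the kernel's own reporting:

  /sys/devices/system/cpu/vulnerabilities/mds   mitigation status string
  /sys/devices/system/cpu/smt/control           "on", "off", "forceoff", "notsupported"
  /proc/cpuinfo                                 "md_clear" flag = fixed microcode loaded

The verdict labels and the sample cpuinfo strings are this example's own; the
status-string formats follow Documentation/admin-guide/hw-vuln/mds.rst.
"""
from pathlib import Path
from typing import Dict, List, Optional

MDS_PATH = Path("/sys/devices/system/cpu/vulnerabilities/mds")
SMT_PATH = Path("/sys/devices/system/cpu/smt/control")
CPUINFO_PATH = Path("/proc/cpuinfo")

# Constructed samples (not captured from a real host) so the module runs offline.
SAMPLE_CPUINFO_PATCHED = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme sse2 ssbd ibrs ibpb stibp md_clear flush_l1d\n"
    "bugs\t\t: cpu_meltdown spectre_v1 spectre_v2 mds\n"
)
SAMPLE_CPUINFO_OLD = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme sse2 ibrs ibpb stibp flush_l1d\n"
    "bugs\t\t: cpu_meltdown spectre_v1 spectre_v2 mds\n"
)


def read_text(path: Path) -> Optional[str]:
    """Contents of a sysfs/procfs file, or None when it does not exist
    (non-Linux host, or a kernel too old to report MDS at all)."""
    try:
        return path.read_text().strip()
    except OSError:
        return None


def microcode_supports_md_clear(cpuinfo: str) -> bool:
    """True if the running microcode advertises MD_CLEAR, i.e. the Intel
    update that makes VERW flush the leaking buffers is loaded."""
    for line in cpuinfo.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            return "md_clear" in value.split()
    return False


def classify_mds(mds: Optional[str]) -> Dict[str, object]:
    """Turn the kernel's MDS status string into a verdict plus open actions.

    Verdicts (labels are this example's own):
      not_affected     hardware already fixed, nothing to do
      mitigated        buffers are cleared and SMT is off or covered
      smt_exposed      buffers are cleared, but a sibling hyper-thread can still leak
      needs_microcode  kernel has the mitigation but the CPU lacks MD_CLEAR microcode
      vulnerable       nothing is in place
      unknown          kernel does not report MDS (predates the fix)
    """
    if mds is None:
        return {"verdict": "unknown",
                "actions": ["update the kernel; this one predates MDS reporting"]}
    text = mds.lower()
    actions: List[str] = []
    if text.startswith("not affected"):
        return {"verdict": "not_affected", "actions": actions}
    if text.startswith("mitigation"):
        verdict = "mitigated"
    elif "no microcode" in text:
        verdict = "needs_microcode"
        actions.append("install the Intel microcode update (adds MD_CLEAR)")
    else:
        verdict = "vulnerable"
        actions.append("install the Intel microcode update (adds MD_CLEAR)")
        actions.append("update kernel and hypervisor so the MDS mitigation is enabled")
    # The kernel appends the SMT picture: "SMT vulnerable", "SMT disabled",
    # "SMT mitigated" or, inside a guest, "SMT Host state unknown".
    if "smt vulnerable" in text:
        if verdict == "mitigated":
            verdict = "smt_exposed"
        actions.append("disable SMT (hyper-threading) or accept cross-thread leakage")
    elif "smt host state unknown" in text:
        actions.append("ask the cloud/hypervisor operator whether host SMT is disabled or mitigated")
    return {"verdict": verdict, "actions": actions}


def triage_host() -> Dict[str, object]:
    """Live check of this machine; on a non-Linux host everything is None/unknown."""
    mds = read_text(MDS_PATH)
    report = classify_mds(mds)
    report["mds_status"] = mds
    report["smt_control"] = read_text(SMT_PATH)
    cpuinfo = read_text(CPUINFO_PATH)
    report["md_clear_microcode"] = microcode_supports_md_clear(cpuinfo) if cpuinfo else None
    return report


if __name__ == "__main__":
    for key, value in triage_host().items():
        print(f"{key}: {value}")
```

Run across a fleet, the verdicts give the asset-inventory answer the passage asks for: `needs_microcode` hosts are waiting on the Intel update, `smt_exposed` hosts have the patch but still share physical cores between tenants. The same SMT control file is the runtime switch for the "turn off threading" step (writing `off` to /sys/devices/system/cpu/smt/control), and the kernel's `mds=full,nosmt` boot parameter does the same at boot.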

Data center operators providing computing as a service should make sure information about their vulnerable assets doesn't leak, since anyone using shared infrastructure could be exposed, said Satya Gupta, founder and CTO at Virsec Systems.

In some environments, it might be difficult or costly to shut down servers to do the upgrades, he said. "It's not as easy in the cloud to go and do a reboot. Lots of critical workloads could be operating on the shared infrastructure."

As additional mitigation, application developers could make sure that buffers are cleared, though this has the potential of slowing down operations.

"If you have two programs, one trusted and one not so trusted, then every time you switch between the programs you should flush the internal states," said Gupta. "There's a microcode update that Intel has provided."

Researchers disclosed the problem yesterday, and also released proof-of-concept code. That means attackers who hadn't discovered the vulnerability through their own research now know about it – and are working on developing exploits.

The researchers who exposed the Intel design flaw came from the Graz University of Technology, Vrije Universiteit Amsterdam, the University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute, Saarland University in Germany, and security firms Cyberus, BitDefender, Qihoo360, and Oracle.

The Vrije Universiteit Amsterdam has released a tool to check if your system is vulnerable.

ZombieLoad is similar to last year's Meltdown, Spectre, and Foreshadow attacks, said Jethro Beekman, technical director at Fortanix, a Mountain View, California-based security vendor.

"This is probably not the last we've seen of vulnerabilities like this," he said. "In the race to create ever-faster processors, CPU manufacturers have added a lot of performance optimizations in their hardware. It's these optimizations that are now being exploited, because they can sometimes leak sensitive data across isolation boundaries."

Data center operators need to work with their vendors to make sure there's a process in place to quickly roll out software and firmware updates, he said.

"This has traditionally been a lengthy process," he said. "One way to make it faster is for organizations to apply pressure on these vendors to be quicker."
