Millions of Intel CPUs become victims of a double attack

threatcop
3 min read · May 17, 2019


A class of critical side-channel vulnerabilities has been discovered in Intel CPUs. They allow an attacker to extract sensitive information from affected systems. The vulnerabilities, and the attacks built on them, are known as MDS.

MDS, or Microarchitectural Data Sampling, is a family of vulnerabilities in Intel x86 processors that leak data across protection boundaries that are supposed to be enforced architecturally. The leaks come from small internal buffers that hold data in transit between different parts of the processor. The MDS attacks combine RIDL (CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091) and Fallout (CVE-2018-12126), both of which are speculative-execution attacks.

RIDL, or Rogue In-Flight Data Load, is the class of attacks that exploit these MDS vulnerabilities in practice to leak sensitive data while it is in flight inside the processor.

Fallout lets the attacker extract data from the store buffer, which the CPU pipeline uses every time it stores data. Worse, the attacker can choose which of the buffered data is leaked.

MDS attacks target CPU-internal buffers, including load ports, store buffers and line fill buffers, and leak arbitrary in-flight data from them. According to the researchers, MDS brings together three side-channel attacks: RIDL and Fallout, along with the ZombieLoad exploit.

The following CVEs have been assigned to the MDS vulnerabilities:

CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)

CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS)

CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (MFBDS)

CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

What is the reason behind the success of MDS attacks?

MDS attacks exploit flaws deep in the processor hardware rather than in software, which is one reason anti-virus products cannot detect them. An attacker can launch an attack from malicious JavaScript on a web page and extract secrets such as cryptographic keys or passwords. The attack does, however, require the attacker to get code running on the victim's machine, whether natively or inside the browser.

History of MDS attacks

In June 2018, Giorgi Maisuradze, then an intern at Microsoft Research, discovered some of these flaws and reported them to Intel.

In August 2018, an L1TF mitigation bypass was reported by Dan Horea Lutas’ team at Bitdefender.

In September 2018, the RIDL authors from VU Amsterdam (VUSec) reported the RIDL class of vulnerabilities to Intel; these were later acknowledged as MFBDS, MLPDS and MDSUM.

On 1 November 2018 the RIDL paper was submitted to the IEEE Symposium on Security & Privacy for publication.

At the beginning of 2019, VUSec discussed these findings with Giorgi Maisuradze, Dan Horea Lutas' team and other researchers. After roughly a year of research and coordinated discussion, the public was informed about RIDL, Fallout and MDS in May 2019.

What should be done in order to prevent these vulnerabilities from being exploited?

Server penetration testing helps identify vulnerabilities that might otherwise go unnoticed.

Apply the firmware, microcode and BIOS updates that vendors have released for these vulnerabilities, together with the matching operating-system patches. The OS-level mitigation depends on the updated microcode: without it the kernel cannot clear the affected CPU buffers, so a patched kernel on old microcode still reports itself as vulnerable.
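As an added example, not part of the original article, the shell check below shows how a practitioner verifies the mitigation on a Linux host. It assumes a kernel new enough to expose the MDS status file at /sys/devices/system/cpu/vulnerabilities/mds (Linux 5.1.2 and distribution backports) and reads the md_clear CPUID flag that updated Intel microcode advertises in /proc/cpuinfo. The status strings matched are the kernel's own; the cpuinfo samples embedded in the script are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original article): classify a Linux host's MDS
# mitigation state from the kernel's sysfs report and the md_clear CPUID flag.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# classify_mds STATUS_STRING
# Maps the kernel's status text to a short label. Order matters: the more
# specific patterns must come before the generic "Mitigation: ..." prefix.
classify_mds() {
    case "$1" in
        "Not affected"*)                                          echo not-affected ;;
        "Mitigation: Clear CPU buffers; SMT vulnerable"*)         echo mitigated-smt-exposed ;;
        "Mitigation: Clear CPU buffers"*)                         echo mitigated ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*) echo vulnerable-no-microcode ;;
        "Vulnerable"*)                                            echo vulnerable ;;
        *)                                                        echo unknown ;;
    esac
}

# has_md_clear CPUINFO_TEXT
# Exit 0 if the flags line lists md_clear (microcode with the MDS fix), else 1.
has_md_clear() {
    printf '%s\n' "$1" | grep -Eq '^flags[[:space:]]*:.*[[:space:]]md_clear([[:space:]]|$)'
}

# mds_advice STATUS_STRING
# Turns the classification into the next action an administrator should take.
mds_advice() {
    case "$(classify_mds "$1")" in
        not-affected)            echo "No action needed." ;;
        mitigated)               echo "Kernel clears CPU buffers; SMT disabled or mitigated." ;;
        mitigated-smt-exposed)   echo "Mitigation active, but SMT siblings remain exposed: consider nosmt on multi-tenant hosts." ;;
        vulnerable-no-microcode) echo "Kernel support present but microcode lacks md_clear: install the firmware/BIOS or microcode update." ;;
        vulnerable)              echo "No mitigation: update both kernel and microcode." ;;
        *)                       echo "Could not interpret status: $1" ;;
    esac
}

# Constructed sample /proc/cpuinfo excerpts (not captured from a real machine).
SAMPLE_CPUINFO_PATCHED="processor : 0
flags : fpu vme de pse tsc msr pae ssbd ibrs ibpb md_clear flush_l1d"
SAMPLE_CPUINFO_OLD="processor : 0
flags : fpu vme de pse tsc msr pae ssbd ibrs ibpb flush_l1d"

# When run on a real Linux host, report the live state; otherwise stay silent.
if [ -r "$MDS_SYSFS" ]; then
    status=$(cat "$MDS_SYSFS")
    echo "sysfs: $status"
    echo "class: $(classify_mds "$status")"
    if has_md_clear "$(cat /proc/cpuinfo)"; then
        echo "microcode: md_clear present"
    else
        echo "microcode: md_clear absent"
    fi
    echo "advice: $(mds_advice "$status")"
fi
```

Run it as root or any user (the sysfs file is world-readable). A host that prints "vulnerable-no-microcode" has the kernel patch but not the firmware update the article asks for; "mitigated-smt-exposed" means both are in place but hyper-threading still lets a sibling thread sample the shared buffers.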

VUSec's Giuffrida has been paid by Intel as part of its bug bounty program.


Written by threatcop

Threatcop is a cybersecurity company that provides security solutions to businesses to protect them against email-based attacks and social engineering attacks.
