But unbeknownst to the world, there was a fifth MDS attack at the time, which researchers kept secret because Intel had yet to release a patch.
Nicknamed Zombieload v2 (CVE-2019-11135), this is a variation of the Zombieload v1 vulnerability, but one that worked on Intel's newer line of CPUs, those which the company claimed had protections against speculative execution attacks baked in at the hardware level.
According to an updated version of the Zombieload academic paper that ZDNet received this week, the Zombieload v2 attack exploits the Intel Transactional Synchronization Extensions (TSX) Asynchronous Abort operation that occurs when an attacker uses malicious code to create a conflict between read operations inside a CPU.
This read conflict for TSX Asynchronous Abort (TAA) operations leaks data about what's being processed inside an Intel CPU.
"The main advantage of this approach is that it also works on machines with hardware fixes for Meltdown, which we verified on an i9-9900K and Xeon Gold 5218," the research team explained in the revised version of their whitepaper.
The only condition for a Zombieload v2 attack is that the targeted CPU supports the Intel TSX instruction-set extension, which the research team said is available by default in all Intel CPUs sold since 2013.
The first Intel CPU series to have featured TSX support was the Haswell platform. Everything that came after is affected. Intel's Cascade Lake, which the company released in April this year, was supposed to be the company's first product that featured protections against side-channel and speculative execution attacks at the hardware level.
Intel's response

In an email to ZDNet, an Intel spokesperson wanted customers to know that microcode updates will be made available for Zombieload v2 on the company's website.
Furthermore, the company added that the Zombieload v2 vulnerability (which Intel tracks as the "TAA attack" in its own documentation) is not as dangerous as it sounds.
While all the MDS attacks can allow attackers to run malicious code against an Intel CPU, attackers can't control what data they can target and extract.
MDS attacks, while very much possible, are inefficient when compared to other means of stealing data from a target, an opinion that other security experts have also expressed in the past.
However, the fact that day-to-day malware gangs won't bother exploiting something as complex as an MDS attack, or Zombieload v2, doesn't mean the vulnerabilities should be ignored. Applying these microcode updates should be a priority for everyone who manages critical infrastructure or cloud data centers.
If users don't want to update and deal with a potential performance dip due to yet another patch for speculative execution attacks, Intel also recommends disabling the CPU's TSX support, if it is not used.
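For administrators deciding between the microcode update and simply switching TSX off, the first question is whether a given Linux host even advertises TSX and how its kernel reports the TAA mitigation state. The following script is an added example, not code from the ZDNet article or from the Zombieload researchers. It assumes two standard Linux interfaces: the `rtm` and `hle` CPU flags in /proc/cpuinfo, and the /sys/devices/system/cpu/vulnerabilities/tsx_async_abort file that kernels with TAA support expose; the status strings it classifies, and the sample lines it demonstrates on, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article or the Zombieload authors): report
# whether a Linux host exposes Intel TSX and how the kernel classifies its
# TAA (Zombieload v2) mitigation status.
# Assumed interfaces: "rtm"/"hle" in the /proc/cpuinfo flags line, and the
# /sys/devices/system/cpu/vulnerabilities/tsx_async_abort sysfs file.

# Return 0 if a cpuinfo "flags" line advertises TSX (RTM or HLE), else 1.
tsx_flags_present() {
    printf '%s\n' "$1" | grep -qE '(^|[[:space:]])(rtm|hle)([[:space:]]|$)'
}

# Map the text of the tsx_async_abort sysfs file to a short verdict.
# Prints: not-affected, mitigated-tsx-off, mitigated, vulnerable or unknown.
classify_taa_status() {
    case "$1" in
        "Not affected"*)              echo not-affected ;;
        "Mitigation: TSX disabled"*)  echo mitigated-tsx-off ;;
        "Mitigation:"*)               echo mitigated ;;
        "Vulnerable"*)                echo vulnerable ;;
        *)                            echo unknown ;;
    esac
}

# Inspect the live host; degrade gracefully when the interfaces are absent.
report_host() {
    sysfs=/sys/devices/system/cpu/vulnerabilities/tsx_async_abort
    flags=$(sed -n '/^flags/{p;q;}' /proc/cpuinfo 2>/dev/null || true)
    if tsx_flags_present "$flags"; then
        echo "TSX: advertised (rtm/hle present) - microcode update or tsx=off needed"
    else
        echo "TSX: not advertised"
    fi
    if [ -r "$sysfs" ]; then
        status=$(cat "$sysfs")
        echo "TAA status: $(classify_taa_status "$status") ($status)"
    else
        echo "TAA status: kernel does not expose $sysfs (too old, or not Linux)"
    fi
}

# Constructed sample inputs, so the classification can be seen without
# depending on the machine the script runs on.
demo() {
    sample_flags='flags : fpu vme de pse tsc msr rtm hle avx2 md_clear'
    if tsx_flags_present "$sample_flags"; then
        echo "sample flags line: TSX advertised"
    fi
    for s in 'Mitigation: Clear CPU buffers; SMT vulnerable' \
             'Mitigation: TSX disabled' 'Vulnerable' 'Not affected'; do
        echo "sample status '$s' -> $(classify_taa_status "$s")"
    done
}

demo
report_host
```

A host that reports `vulnerable` while advertising `rtm`/`hle` is the case the article describes: TSX is enabled and the microcode and kernel mitigation for TAA are not in place. A `mitigated-tsx-off` verdict corresponds to the alternative Intel suggests, disabling TSX where it is not used.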
More bad news

But bad news never comes alone. The same research team who found Zombieload v1 and v2 also found an issue with Intel's original patches for the four MDS attacks disclosed in May.
The VERW instruction set, which Intel claimed could be used to protect apps against MDS attacks that may attempt to extract data while being processed in the CPU, was incomplete and could be circumvented, the research team said.
When we asked Intel about this issue, the CPU chipmaker acknowledged the problem and claimed that the VERW instruction set, along with the other MDS attack protections, was meant to reduce the attack surface and make exploitation harder for attackers, not to serve as a complete patch for MDS attacks.
A version of the revised Zombieload whitepaper will be made available on the Zombieload website later today. The research team will be presenting their revised findings tomorrow at the ACM CCS conference in London.