ZombieLoad: Serious Intel Processors Security Flaw

ZombieLoad is security flaw in Intel processors that allows malicious hacker to steal any data that’s been recently accessed by the processor.

Security researchers discovered security flaw in Intel processors allows malicious hacker to steal any data that’s been recently accessed by the processor. This security flaws called ZombieLoad and almost every computer with an Intel chips since 2011 (Ivy Bridge) are affected by the vulnerabilities.

ZombieLoad is the latest of serious security flaws that take advantage of a process, known as speculative execution, that’s built into most modern processors. The speculative execution helps processors predict execute future commands from application or operating system might needed next, making application or operating system run faster and efficient. The processor will execute its predictions.

If the prediction was wrong, the pipeline is flushed, and any speculative results are squashed in the reorder buffer. The process leaves some gaping vulnerabilities for attackers to utilize a cache-based covert channel to transmit the secret data observed transiently from the microarchitectural domain to an architectural state.

ZombieLoad will leak any data that is recently accessed or accessed in parallel on the same processor core.

Apps are usually only able to see their own data, but this bug allows that data to bleed across the apps or even isolated virtual machine. It can be exploited to see which websites a person is visiting in real-time, grab passwords or access tokens used to log into a victim’s online accounts.

Who Affected to This Bug?

Any PCs, laptops, workstations, cloud computers / servers that use Intel Processor since Ivy Bridge chips (2011) may be affected. Security researcher provide ZombieLoad PoC in 2 variants (Linux and Windows) and verify the ZombieLoad attack on Intel processor generations released from 2011 onwards.

SetupCPUµ-archStatus
LabCore i7-3630QMIvy BridgeAffected
LabCore i7-6700KSkylake-SAffected
LabCore i5-7300UKaby LakeAffected
LabCore i7-7700Kaby LakeAffected
LabCore i7-8650UKaby Lake-RAffected
LabCore i7-8565UWhiskey LakeNot Affected
LabCore i7-8700KCoffee Lake-SAffected
LabCore i9-9900KCoffee Lake-RNot Affected
LabXeon E5-1630 v4Broadwell-EPAffected
CloudXeon E5-2670Sandy Bridge-EPAffected
CloudXeon Gold 5120Skylake-SPAffected
CloudXeon Platinum 8175MSkylake-SPAffected
CloudXeon Gold 5218Cascade Lake-SPNot Affected

Note about the ZombieLoad PoC codes

  1. You are responsible for protecting yourself, your property and data, and others from any risks caused by this code. This code may cause unexpected and undesirable behavior to occur on your machine. This code may not detect the vulnerability on your machine.
  2. If you find that a computer is susceptible to ZombieLoad, you may want to avoid using it as a multi-user system. ZombieLoad breaches the CPU’s memory protection. On a machine that is susceptible to ZombieLoad, one process can potentially read all data used by other processes or by the kernel.
  3. The code is only for testing purposes. Do not run it on any productive systems. Do not run it on any system that might be used by another person or entity.

This video show how malicious user can monitor the websites the victim is visiting despite using the privacy-protecting Tor browser in a virtual machine which are meant to be isolated from other virtual systems and their host device. It can be exploited to grab passwords or access tokens used to log into a victim’s online accounts.

Patch, Mitigation Techniques and Performance Degradation Effect

The safest workaround to prevent this attack is running trusted and untrusted applications on different physical machines.

Disabling Hyperthreading completely does not close the door on attacks on system call return paths that leak data from kernel space to user space. In other hand, disabling Hyperthreading is not feasible for performance especially for cloud services / servers.

Fixing those vulnerabilities has required patching processors in ways that can slightly slow them down. But the fixes don’t cut off the attack vector entirely. Intel has released microcode to patch vulnerable processors, including Intel Xeon, Intel Broadwell, Sandy Bridge, Skylake and Haswell chips.

Apple

Apple has released security updates in macOS Mojave 10.14.5 to protect against speculative execution vulnerabilities in Intel CPUs. Most users (common usage of Mac) won’t experience any reduced in performance but, testing conducted by Apple in May 2019 showed as much as a 40% reduction in performance for those who opt-in to the full set of mitigations that include multithreaded workloads and public benchmarks. Performance tests are conducted using specific Mac computers. Actual results will vary based on model, configuration, usage, and other factors.

List unsupported Mac Model to the fixes and mitigations due to a lack of microcode updates from Intel can be found here. On the other hand, iPhones, iPads and Apple Watch devices aren’t affected by the bugs.

Google

Google confirmed release patches Android and update Chrome to mitigate on Intel-based Chrome OS devices, updates are handled by Chrome OS. For Intel-based systems that are not Chrome OS devices, users should contact their device manufacturer for available updates.

Some GCP products require user action, see Google Cloud Platform Products and Services. Chrome users should follow guidance from their operating system vendor in relation to MDS mitigation, and ensure they keep Chrome up to date.

Microsoft

Microsoft has released patches for its operating system and cloud. Customers may need to obtain directly from their device maker microcode updates for their processor. Microsoft is pushing many of the microcode updates itself through Windows Update, but they are also available from its website.

According to TechCrunch in a call with Intel, the update would have an impact on processor performance. Most patched consumer devices could take a 3% performance slower, and as much as 9% in a datacenter environment. But, it was unlikely to be noticeable in most scenarios.

Credits

ZombieLoad was discovered and reported by Michael Schwarz, Moritz Lipp, Daniel Gruss (Graz University of Technology), Jo Van Bulck (imec-DistriNet, KU Leuven) and hmad “Daniel” Moghimi (Worcester Polytechnic Institute) and Scientific analysis research team Julian Stecklina and Thomas Prescher (Cyberus Technology).

References