www.belgium.be Logo of the federal government

Critical vulnerabilities in systems running Intel CPUs manufactured since 2011 (AKA, Zombieload)

Reference: 
Advisory #2019-014
Version: 
1.0
Affected software: 
All systems running Intel CPUs manufactured since 2011 are vulnerable.
Type: 
Hardware-based side-channel attack which allows attackers to compromise data confidentiality, including cleartext credentials or cryptographic keys stored in memory, which could lead to complete system compromise.
CVE/CVSS: 
  • CVEs: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 
  • CVSS Score: 6.5
Date: 
15/05/2019

Sources

Risks

Complete compromise of system confidentiality, integrity, and/or availability.

Description

The Microarchitectural Data Sampling (MDS) vulnerabilities are similar to the Meltdown and Spectre vulnerabilities discovered in 2018. This newly-disclosed class of vulnerabilities affecting all Intel CPUs manufactured since 2011 has been given the nickname Zombieload. The researchers who discovered these vulnerabilities cooperated with Intel and major operating system vendors to do coordinated disclosure. At this time, there are no known cases of exploitation in the wild. However, with the release of proof-of-concept demos by the security researchers and the upcoming presentation of their paper at the IEEE Symposium on Security and Privacy on 20 May, it is only a matter of time before we start to see this class of vulnerabilities being exploited on a wide scale.

Recommended Actions

We recommend the following actions:

  • Owners of Microsoft Windows systems should monitor Microsoft’s security advisory. At this time Microsoft have not yet released their microcode updates for affected Intel CPUs but they have announced their intention to release patches for Windows 10 and Server 2019 in the near future.

  • Owners of Apple systems should upgrade to Mojave 10.14.5. (Apple is not providing microcode updates for older versions of macOS.)

  • Owners of systems running other operating systems (Linux, BSD, etc) should consult the relevant website(s) for their OS and install microcode updates when they are released.

  • Be aware that installing the patches necessary to mitigate these Intel CPU vulnerabilities will likely result in a significant impact on system performance.

  • System administrators should be aware that these vulnerabilities also impact virtualized compute environments (on-premise or cloud-based) and are encouraged to consult with their vendors to assess what mitigations are available.

  • All owners of affected Intel-based systems are encouraged to consider disabling their CPU’s hyperthreading capability via the system BIOS. While this has a considerable cost in terms of system performance, it is the best known mitigation against this class of vulnerabilities.