Side-Channel Attacks RIDL, Fallout, and ZombieLoad Affect Millions of Vulnerable Intel Processors

Researchers found a bevy of critical vulnerabilities in modern Intel processors that, when exploited successfully, can leak or let hackers retrieve data being processed by the vulnerable CPUs. These security flaws are categorized as microarchitectural data sampling (MDS) vulnerabilities, with the side-channel attacks named ZombieLoad, Fallout, and Rogue In-Flight Data Load (RIDL).

[READ: What You Need to Know about the Meltdown and Spectre Vulnerabilities]

ZombieLoad, Fallout, and RIDL are side-channel attack methods similar to Meltdown and Spectre. These are security issues that could let hackers execute code or extract sensitive data that are otherwise protected by the Intel processors’ architectural mechanisms. They are assigned these CVE identifiers:

  • CVE-2018-12126 — Microarchitectural Store Buffer Data Sampling
  • CVE-2018-12127 — Microarchitectural Load Port Data Sampling
  • CVE-2018-12130 — Microarchitectural Fill Buffer Data Sampling
  • CVE-2019-11091 — Microarchitectural Data Sampling Uncacheable Memory

The researchers who discovered and reported about ZombieLoad, Fallout, and RIDL are affiliated with the Graz University of Technology, Worcester Polytechnic Institute, Helmholtz Center for Information Security (CISPA), University of Michigan, KU Leuven, University of Adelaide; research groups imec-DistriNet, VUSec, and Data61; and cybersecurity firm Cyberus Technology. A list of all the researchers involved in the reports can be found in their websites.

[READ: An Overview of the Foreshadow/L1TF Intel Processor Vulnerabilities]

Like Meltdown and Spectre, ZombieLoad, Fallout, and RIDL exploit the way the vulnerable Intel processors implement speculative execution, a performance improvement feature that predicts the operations or data the processor will execute.

While there are currently no known attacks actively exploiting these vulnerabilities in the wild, they can still pose security risks.

[RELATED NEWS: Spectre Next Generation: New Intel CPU Vulnerabilities Found]

ZombieLoad takes its moniker from what the researchers termed as “zombie loads,” which are data the processor cannot properly process. This data load forces the processor to use microcode, which are normally used to fix bugs, to prevent it from crashing. An application is typically only allowed to read their own data, but ZombieLoad allows that application’s data to leak from the processor’s core.

ZombieLoad can also be carried out to leak data loaded in virtual machines, specifically the hypervisor. This can pose a security risk in cloud environments, especially when different virtual machines run on the same server.

ZombieLoad could also allow hackers to monitor a user’s web browsing behavior, e.g., fingerprint the websites’ content and recover their URLs. In their proof of concept, the researchers showed how this technique can be repurposed to steal credentials. ZombieLoad affects Intel chips dating back to 2011. Processors from Advanced Micro Devices (AMD) and Advanced RISC Machine (ARM) are reportedly not affected.

[Trend Micro Research: Detecting Attacks that Exploit Meltdown and Spectre with Performance Counters]

The Fallout MSD attack can leak data from store buffers, which are used by the processor’s pipeline — a series of instructions from the CPU designed to make computers run faster — to hold or store data. A hacker can then handpick what data should be leaked from the processor’s store buffers.

Fallout can also be used to bypass kernel address space layout randomization (KASLR), a countermeasure against memory corruption vulnerabilities. Fallout can also leak data that the operating system's kernel writes to the memory.

The researchers noted that the measures placed in the latest i9 CPUs (Coffee Lake Refresh) to mitigate Meltdown make them more susceptible to Fallout.

[Technical Analysis: When Speculation is Risky: Understanding Meltdown and Spectre]

Meanwhile, RIDL can be used to leak data from the vulnerable CPU’s various internal buffers (portions of allocated memory used to store or load data). The researchers’ proofs of concept demonstrated how RIDL can be used in a Linux environment to leak root passwords, kernel data, and a string of information from another process.

The researchers noted that RIDL can let hackers steal data from other programs running on the same system. This could range from other applications/software, the operating system's kernel, cloud-based or virtual machines, and even Intel processor’s own enclaves. RIDL reportedly affects devices fitted with Intel chips from as early as 2008.

[READ: Proof of concept shows how malware can hide from AV solutions via Intel’s SGX enclaves]

ZombieLoad, Fallout, and RIDL exemplify a trend that Trend Micro observed in last year’s threat landscape: an increase of disclosures of processor-level and hardware-based vulnerabilities. Given the complexity of these flaws, they can be challenging to mitigate. While there are no reports of in-the-wild attacks, the impact could be pervasive as they affect devices that are powered by the vulnerable processors.

The researchers have various workarounds to mitigate attacks that exploit MSD flaws, such as disabling or configuring certain vulnerable components in the processor (e.g., disabling Hyper-Threading, flushing CPU buffers). And as with any vulnerability, patching is also recommended. Intel has released a microcode update to patch the vulnerable processors. These vendors have also issued their own patches and security advisories/best practices: Amazon AWS, Apple, Citrix, Chromium, Google, Lenovo, Microsoft, Redhat, Ubuntu, and VMWare.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.