Fresh Spectre Vulnerabilities May Force Cloud Providers to Disable Intel Hyper-Threading
Last year, when the news of the Spectre processor vulnerability first surfaced, observers warned that it would probably be the first of other possible flaws found in the speculative execution of Intel (and other) processors. On Tuesday, multiple sets of researchers collectively revealed four additional Spectre-related flaws, collectively dubbed Microarchitectural Data Sampling (MDS).
The flaws affect all operating systems running on all Intel processors built since 2011, both desktop and server varieties. They could allow an attacker to surreptitiously collect sensitive data in memory, such as passwords or tokens. No known attacks have been spotted in the wild, according to Intel.
While software providers rush patches out, end-users will still pay a performance penalty, as part of the remediation involves shutting off the performance-enhancing Hyper-Threading feature in Intel chips.
“This vulnerability is probably of greatest impact to dense, multi-tenant public cloud providers. In single-user environments, it’s far less interesting than in places where one tenant may be able to spy on another,” Twistlock Chief Technology Officer John Morello wrote in an e-mail.
Because disabling Hyper-Threading will slow the processor speeds — Apple, for example, has seen “up to 40%” degradation in server performance from disabling Hyper-Threading — such measures “could introduce real costs from the loss of available density in these cloud providers’ environments,” he wrote.
Cloud provider DigitalOcean, for instance, has advised its users to update the kernels of their “Droplets” (virtual machines) as well as apply the latest available bug fixes and security patches.
Ghost in the Machine
As disclosed last year, Spectre can be used to leak data from a single process, by abusing branch prediction and speculative execution of Intel microprocessors. MDS is a sub-class of these Spectre vulnerabilities. “MDS techniques are based on a sampling of data leaked from small structures within the CPU using a locally executed speculative execution side channel,” Intel stated on an information page. A Red Hat advisory summarized the four techniques thusly:
- CVE-2018-12126 (nicknamed “Fallout”) is a flaw that could lead to information disclosure from the processor store buffer (rated with a severity impact of Important).
- CVE-2018-12127 is an exploit of the microprocessor load operations that can provide data to an attacker about CPU registers and operations in the CPU pipeline (Severity impact: Moderate).
- CVE-2018-12130 (“ZombieLoad”) involves the implementation of the microprocessor fill buffers and can expose data within that buffer (Severity impact: Moderate).
- CVE-2019-11091 is a flaw in the implementation of the “fill buffer,” a mechanism used by modern CPUs when a cache-miss is made on L1 CPU cache (Severity impact: Moderate).
The vulnerabilities can be remedied by a combination of updating the CPU microcode, applying kernel patches, and disabling Hyper-Threading.
Red Hat has already released kernel security updates to address these vulnerabilities, Red Hat Atomic Host, Red Hat OpenStack Platform, Red Hat Virtualization (RHV/RHV-H), Red Hat Enterprise Linux, going back to RHEL 5. It also advised container users to update their dependencies, notably kernel, kernel-rt, libvirt, qemu-kvm, qemu-kvm-rhev, and microcode_clt.
This video from the ZombieLoad site offers a demo of how the vulnerability could be used to gather personal information from a browser:
While much security research around speculative execution has focused on Intel processors, other processor architectures such as AMD’s and ARM’s also use similar predictive processing techniques and so could be vulnerable to similar attacks as well, pointed out SANS Institute Instructor and Analyst Jake Williams, in a webcast from last year.