A new variant of the ZombieLoad attack on Intel processors has been identified

Researchers from the Graz University of Technology (Austria) have disclosed a new side-channel attack method, ZombieLoad 2.0 (CVE-2019-11135), which allows confidential information to be extracted from other processes, the operating system, virtual machines and protected enclaves (TEE, Trusted Execution Environment). The problem affects only Intel processors. Fixes for the problem were proposed in yesterday's microcode update.

The problem belongs to the MDS (Microarchitectural Data Sampling) class and is an updated version of the ZombieLoad attack published in May. ZombieLoad 2.0, like other MDS attacks, relies on applying side-channel analysis techniques to data in microarchitectural structures (for example, the Line Fill Buffer and the Store Buffer), which temporarily hold the data used while performing Load and Store operations.

The new ZombieLoad variant is based on a leak that occurs during the operation of the asynchronous abort mechanism (TAA, TSX Asynchronous Abort) implemented in the TSX (Transactional Synchronization Extensions) extension. TSX provides tools for working with transactional memory, which increases the performance of multi-threaded applications by dynamically eliminating unnecessary synchronization operations (it supports atomic transactions that can either be committed or aborted). If a transaction is aborted, the operations performed on the transactional memory region are rolled back.

The transaction abort occurs asynchronously, and during this time other threads can access the cache that is also used by the discarded transactional memory region. In the window between the start of an asynchronous transaction abort and its actual completion, situations can arise where the processor, while speculatively executing an operation, reads data from internal microarchitectural buffers and passes it to the speculative operation. The conflict is then detected and the speculative operation discarded, but the data remains in the cache and can be recovered using cache side-channel techniques.

The attack boils down to opening TSX transactions and creating the conditions for their asynchronous abort, during which the contents of internal buffers, speculatively filled with data from memory read operations performed on the same CPU core, can leak. The leak is limited to the current physical CPU core (the one on which the attacker's code is running), but since microarchitectural buffers are shared between threads in Hyper-Threading mode, memory operations performed in other CPU threads can also be leaked.

Some models of the eighth, ninth and tenth generations of Intel Core processors are subject to the attack, as well as Intel Pentium Gold, Intel Celeron 5000, Intel Xeon E, Intel Xeon W and the second generation of Intel Xeon Scalable. New Intel processors based on the Cascade Lake microarchitecture introduced in April, which were initially not susceptible to the RIDL and Fallout attacks, are also susceptible. In addition to ZombieLoad 2.0, the researchers also identified a way to bypass the previously proposed protection against MDS attacks, which relies on the VERW instruction to clear the contents of microarchitectural buffers when returning from the kernel to user space or when transferring control to a guest system.

The Intel report states that on systems with a heterogeneous load, carrying out an attack is difficult, since a leak from microarchitectural structures covers all activity in the system and the attacker cannot influence the source of the extracted data; the attacker can only accumulate the information that emerges from the leak and try to identify useful information among it, without the ability to purposefully intercept data associated with specific memory addresses. However, the researchers published an exploit prototype running on Linux and Windows and demonstrated that the attack can be used to determine the root user's password hash.
The attack can also be carried out from a guest system to accumulate data that appears in the operations of other guest systems, the host environment, the hypervisor and Intel SGX enclaves.

Fixes to block the vulnerability have been merged into the Linux kernel codebase and are included in releases 5.3.11, 4.19.84, 4.14.154, 4.9.201 and 4.4.201. Kernel and microcode updates have also already been released for major distributions (Debian, SUSE/openSUSE, Ubuntu, RHEL, Fedora, FreeBSD). The problem was identified in April, and the fix was coordinated between Intel and the operating system developers.

The simplest method of blocking ZombieLoad 2.0 is to disable TSX support in the CPU. The proposed fix for the Linux kernel includes several protection options. The first is the “tsx=on/off/auto” parameter, which controls whether the TSX extension is enabled on the CPU (the auto value disables TSX only on vulnerable CPUs). The second protection option is enabled by the “tsx_async_abort=off/full/full,nosmt” parameter and is based on clearing microarchitectural buffers during context switches (the nosmt flag additionally disables SMT/Hyper-Threading). To check whether a system is susceptible to the vulnerability, sysfs provides the “/sys/devices/system/cpu/vulnerabilities/tsx_async_abort” entry.
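As an added example (not from the original article or the kernel project), the following POSIX shell script reads the sysfs entry named above and classifies the mitigation state, and also checks whether the CPU still advertises the TSX feature flags (rtm/hle) in /proc/cpuinfo. The status strings it matches follow the kernel's tsx_async_abort admin-guide documentation; the sample values in the comments are constructed for offline use.

```shell
#!/bin/sh
# Added example: classify the TAA mitigation state reported by the kernel.
# Assumption: status string formats as documented in the kernel's
# Documentation/admin-guide/hw-vuln/tsx_async_abort.rst.

SYSFS_TAA=/sys/devices/system/cpu/vulnerabilities/tsx_async_abort

# taa_state STATUS_LINE
# Prints one of: not-affected, mitigated, mitigated-smt-vulnerable,
# vulnerable, unknown.
# Constructed sample inputs:
#   "Not affected"
#   "Mitigation: TSX disabled"
#   "Mitigation: Clear CPU buffers; SMT vulnerable"
#   "Vulnerable: Clear CPU buffers attempted, no microcode"
taa_state() {
    status="$1"
    case "$status" in
        "Not affected"*)
            printf '%s\n' not-affected ;;
        "Mitigation: TSX disabled"*)
            printf '%s\n' mitigated ;;
        "Mitigation: Clear CPU buffers"*)
            # Buffer clearing alone does not protect against a sibling
            # hyper-thread, so flag the SMT-vulnerable variant separately.
            case "$status" in
                *"SMT vulnerable"*) printf '%s\n' mitigated-smt-vulnerable ;;
                *)                  printf '%s\n' mitigated ;;
            esac ;;
        "Vulnerable"*)
            printf '%s\n' vulnerable ;;
        *)
            printf '%s\n' unknown ;;
    esac
}

# tsx_enabled FLAGS_LINE
# Returns 0 if the CPU flag list contains rtm or hle (TSX advertised),
# 1 otherwise. Input is the value part of the "flags" line in /proc/cpuinfo.
tsx_enabled() {
    case " $1 " in
        *" rtm "*|*" hle "*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# check_live: run the checks against the running system, if it exposes them.
check_live() {
    if [ -r "$SYSFS_TAA" ]; then
        status=$(cat "$SYSFS_TAA")
        printf 'tsx_async_abort: %s -> %s\n' "$status" "$(taa_state "$status")"
    else
        echo "sysfs entry $SYSFS_TAA not present (kernel without TAA reporting?)"
    fi
    # Pipe through cut so a missing /proc/cpuinfo yields an empty flag list
    # rather than a failing command substitution.
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2)
    if tsx_enabled "$flags"; then
        echo "TSX (rtm/hle) is still advertised by the CPU"
    else
        echo "TSX (rtm/hle) is not advertised by the CPU"
    fi
}

check_live
```

A host reporting "Mitigation: Clear CPU buffers; SMT vulnerable" has the buffer-clearing option active but still shares buffers between hyper-threads, which is exactly the case the "full,nosmt" variant (or "tsx=off") is meant to close.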

In addition, the microcode update eliminated another vulnerability in Intel processors (CVE-2018-12207), which is also blocked in the latest Linux kernel updates. The vulnerability allows an unprivileged attacker to cause a denial of service by hanging the system in the “Machine Check Error” state. This attack can also be carried out from a guest system.

Source: opennet.ru
