True to its name, Intel CPU flaw ZombieLoad comes shuffling back with new variant
Boffins say even latest chips can be twisted into leaking data between processor cores
Intel is once again moving to patch its CPU microcode following the revelation of yet another data-leaking side-channel vulnerability.
The same group of university boffins who helped uncover the infamous Spectre and Meltdown flaws say that a third issue, reported back in May under the name ZombieLoad, extends even further into Chipzilla's processor line than previously thought.
The ZombieLoad hole can be exploited by malware running on a vulnerable machine, or a rogue logged-in user, to snoop on processor cores and extract sensitive information from memory that should be out of bounds. In practice, this would potentially allow an attacker already on the system to lift passwords, keys, and the like from other running software.
When the bug was publicly disclosed earlier this year, Intel said its latest chips – its 8th and 9th generation Core and second-generation Xeon Scalable microprocessors – were not vulnerable to this so-called Microarchitectural Data Sampling (MDS) info leak.
That, the researchers say, is no longer the case. A previously unreported ZombieLoad eavesdropping technique will work even on fully up-to-date processors that feature Intel's Transactional Synchronization Extensions (TSX) Asynchronous Abort (TAA) mechanism – even on Meltdown and Foreshadow-resistant silicon.
The crew of Michael Schwarz, Moritz Lipp, Daniel Moghimi, Jo Van Bulck, Julian Stecklina, Thomas Prescher, and Daniel Gruss will today reissue their original ZombieLoad paper to say as much. There's a diff here [PDF].
"In contrast to concurrent attacks on the fill buffer, we are the first to report data leakage of recently loaded and stored stale values across logical cores even on Meltdown and MDS-resistant processors," they explained. "Hence, despite Intel's claims, we show that the hardware fixes in new CPUs are not sufficient."
As it turns out, this issue has been known to both the manufacturer and the eggheads for some time, though was kept secret by both parties so as to give Chipzilla time to develop and release a fix. With the microcode update landing today, which you should install as soon as possible on vulnerable boxes, all involved feel it is OK to emit the details.
Like the Spectre and Meltdown attacks, ZombieLoad exploits the speculative execution technique modern microprocessors use to speed up their operation.
The ZombieLoad exploit lifts data from the CPU store, fill, and load buffers, allowing a snooper to discern sensitive data thought to be walled off by Intel's security defenses. This does not allow spyware to target specific memory locations: just whatever's in the buffers. The researchers say the only way to fully resolve the flaw is to turn off speculative execution, a move that will effectively cripple CPU performance.
In this case, Intel is opting to patch the flaw as best it can with a microcode update. The fix only applies to Core and Xeon processors with TSX functionality that were previously thought to be immune to ZombieLoad. In other words, if you have an older chip, you should already have a ZombieLoad fix, and if you have a newer chip, you need this latest update because the built-in mitigations weren't enough.
Note that Whiskey Lake, Coffee Lake-R, and Cascade Lake-SP chips are apparently not vulnerable at all because they do not support TSX, which is required for this latest ZombieLoad exploitation.
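Since exposure hinges on whether the chip has TSX and whether the kernel reports the TAA mitigation as active, an admin will want a quick way to check both on a Linux box before and after applying the microcode. The script below is an added example, not code from the article, the researchers, Intel or Red Hat: it reads the kernel's sysfs vulnerability files (`/sys/devices/system/cpu/vulnerabilities/tsx_async_abort` and `mds`, which a kernel carrying the TAA fix exposes) and looks for the `rtm`/`hle` CPUID flags in `/proc/cpuinfo` that indicate TSX support. The `classify_status` and `has_tsx` helpers are my own; the status strings they match ("Not affected", "Mitigation: …", "Vulnerable…", "SMT vulnerable") are the ones the kernel prints.

```shell
#!/bin/sh
# Added example: report a Linux host's TAA/MDS mitigation status and TSX presence.
# Assumes a kernel new enough to expose tsx_async_abort under sysfs; older kernels
# simply show "not exposed by this kernel" for that entry.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status STATUS_LINE -> prints ok | partial | vulnerable | unknown
# "partial" covers a mitigation that still leaks across hyper-threads, which is
# why disabling SMT is often recommended alongside the microcode update.
classify_status() {
    case "$1" in
        "Mitigation:"*"SMT vulnerable"*) echo partial ;;
        "Not affected"*|"Mitigation:"*)  echo ok ;;
        "Vulnerable"*)                   echo vulnerable ;;
        *)                               echo unknown ;;
    esac
}

# has_tsx FLAGS_LINE -> exit 0 when the rtm or hle CPUID flag is present (TSX supported)
has_tsx() {
    case " $1 " in
        *" rtm "*|*" hle "*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# report -> print one line per sysfs entry plus the TSX verdict for this host
report() {
    for entry in tsx_async_abort mds; do
        if [ -r "$VULN_DIR/$entry" ]; then
            status=$(cat "$VULN_DIR/$entry")
            printf '%-17s %-11s %s\n' "$entry" "$(classify_status "$status")" "$status"
        else
            printf '%-17s %-11s %s\n' "$entry" unknown "not exposed by this kernel"
        fi
    done
    # First "flags" line of /proc/cpuinfo; empty (not a failure) on non-Linux hosts.
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2) || true
    if has_tsx "$flags"; then
        echo "TSX: present (rtm/hle flag set) - TAA microcode update applies"
    else
        echo "TSX: absent - this TAA variant does not apply"
    fi
}

report
```

Run it as root or any user (the sysfs files are world-readable); a `partial` verdict means the microcode is in place but the kernel still considers sibling hyper-threads exposed, and `unknown` for `tsx_async_abort` means the running kernel predates the TAA mitigation and cannot tell you either way.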
Meanwhile, Chipzilla acknowledges this release does not fully remedy the problem.
"We believe that the mitigations for TAA and MDS substantively reduce the potential attack surface," the silicon slinger said. "Shortly before this disclosure, however, we confirmed the possibility that some amount of data could still be inferred through a side-channel using these techniques (for TAA, only if TSX is enabled) and will be addressed in future microcode updates."
Red Hat, meanwhile, has more technical details here.
It should be noted at this point that, while ZombieLoad and other side-channel attacks make for a good story, are fascinating to study, and do pose a hard-to-remove security vulnerability, they are hardly the most pressing threats out there. There is no known malware out there exploiting CPU design flaws to steal people's passwords and so on.
Side-channel vulnerabilities are notoriously difficult to reliably exploit in the wild, and require the attacker to have already achieved arbitrary code execution on the target machine, meaning in most cases the victim is already compromised to the point where a side-channel attack is of little necessity. Meanwhile, large businesses are routinely getting ransacked via spear-phishing emails and poisoned Office documents.
Users and admins should definitely test and install Intel's microcode updates for these and other side-channel attacks, though in the grand scheme of things, don't forget there are more pressing security threats out there. ®