Security Software

Microarchitectural Data Sampling / CVE-2018-12126 , CVE-2018-12127,CVE-2018-12130,CVE-2019-11091 / INTEL-SA-00233

2019-05-14
2019-05-14
6.5

Medium

Industry-wide severity ratings can be found in the National Vulnerability Database

Critical
Medium
High
Low

Severity and Score

CVE Name Severity Score
CVE-2018-12126 Microarchitectural Store Buffer Data Sampling Medium 6.5
CVE-2018-12130 Microarchitectural Fill Buffer Data Sampling Medium 6.5
CVE-2018-12127 Microarchitectural Load Port Data Sampling Medium 6.5
CVE-2019-11091 Microarchitectural Data Sampling Uncacheable Memory Low 3.8

Aliases

  • Zombieload
  • RIDL
  • Fallout

Overview

Under certain conditions, data in microarchitectural structures that the currently-running software does not have permission to access may be speculatively accessed by faulting or assisting load or store operations. This does not result in incorrect program execution because these operations never complete, and their results are never returned to software. However, software may be able to forward this speculative-only data to a side channel disclosure gadget in a way that potentially allows malicious actors to infer the data.

Microarchitectural data sampling (MDS) includes CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, (6.5 Medium CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) and CVE-2019-11091 (3.8 Low CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N). MDS speculative execution side channel methods can be used to expose data in the following microarchitectural structures:

  • Microarchitectural Store Buffer Data Sampling (MSBDS) CVE-2018-12126
  • Microarchitectural Fill Buffer Data Sampling (MFBDS) CVE-2018-12130
  • Microarchitectural Load Port Data Sampling (MLPDS) CVE-2018-12127
  • Microarchitectural Data Sampling Uncacheable Memory (MDSUM) CVE-2019-11091

MDS only refers to methods that involve microarchitectural structures other than the level 1 data cache (L1D) and thus does not include Rogue Data Cache Load (RDCL) or L1 Terminal Fault (L1TF). Store buffers, fill buffers, and load ports are much smaller than the L1D, and therefore hold less data and are overwritten more frequently. It is also more difficult to use MDS methods to infer data that is associated with a specific memory address, so malicious actors may need to collect significant amounts of data and analyze it to locate any protected data.

Mitigation

Some current processors and future processors will have microarchitectural data sampling methods mitigated in the hardware. For processors that are affected, the mitigation for microarchitectural data sampling issues includes overwriting store buffers, fill buffers, and load ports before transitioning to possibly less-privileged code.

There are two methods to clear microarchitectural structures affected by MDS: MD_CLEAR functionality1 and software sequences. On processors that enumerate MD_CLEAR2, developers can use the VERW instruction or L1D_FLUSH command3 to cause the processor to overwrite buffer values that are affected by MDS, as these instructions are preferred to the software sequences.

Details of how to implement these mitigation methods, as well as mitigation information for hyperthreaded environments, can be found in the Deep Dive: Intel Analysis of Microarchitectural Data Sampling.

OS and Driver Developers

The OS can execute the VERW instruction to overwrite any protected data in affected buffers when transitioning from ring 0 to ring 3. This will overwrite protected data in the buffers that could belong to the kernel or other applications.

OS developers can find more information on implementing the VERW instruction and more on System Management Mode (SMM), refer to the Deep Dive: Intel Analysis of Microarchitectural Data Sampling.

Virtual Machine Monitor Developers

The VMM can execute either the VERW instruction or the L1D_FLUSH command3 before entering a guest VM. This will overwrite protected data in the buffers that could belong to the VMM or other VMs. VMMs that already use the L1D_FLUSH command before entering guest VMs to mitigate L1TF may not need further changes beyond loading a microcode update that enumerates MD_CLEAR.

For further details, refer to the Deep Dive: Intel Analysis of Microarchitectural Data Sampling.

Developers of Software Running in an Enclave

When entering or exiting Intel® Software Guard Extensions (Intel® SGX) enclaves, processors that enumerate support for MD_CLEAR1 will automatically overwrite affected data buffers.

For further details, refer to the Deep Dive: Intel Analysis of Microarchitectural Data Sampling.

System Administrators

Always keep your systems up to date with the latest security updates, and follow the guidance from your OS and VMM vendors.

Footnotes

  1. CPUID.(EAX=7H,ECX=0):EDX[MD_CLEAR=10]
  2. Some processors may only enumerate MD_CLEAR after microcode updates.
  3. On processors that enumerate both CPUID.(EAX=7H,ECX=0):EDX[MD_CLEAR=10] and CPUID.(EAX=7H,ECX=0):EDX[L1D_FLUSH=28]

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software, or service activation. Performance varies depending on system configuration. Check with your system manufacturer or retailer or learn more at www.intel.com.

All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest Intel product specifications and roadmaps.

The products and services described may contain defects or errors known as errata which may cause deviations from published specifications. Current characterized errata are available on request.

Intel provides these materials as-is, with no express or implied warranties.

No product can be absolutely secure.

Intel, the Intel logo, Intel Core, Intel Atom, Intel Xeon, Intel Xeon Phi, Intel® C Compiler, Intel Software Guard Extensions, and Intel® Trusted Execution Engine are trademarks of Intel Corporation in the U.S. and/or other countries.

*Other names and brands may be claimed as the property of others.