Last year we covered the SPECTRE and MELTDOWN vulnerabilities that affected Intel processors. This year security researchers have discovered a new series of vulnerabilities around the Microacrhitecture Data Sampling MDS process. This vulnerability would allow an attacker to read data as it crossed the L1 and L2 data caches on the processor. These vulnerabilities can affect cloud computing services, and be leveraged by attackers to escape software containers such as Docker, hypervisors, and virtual machines. They can also use these vulnerabilities to scrape passwords, credit card numbers, and other valuable PII.
The good news, these only affect Intel processors, AMD and ARM processors are not affected. There have been recently released patches from Microsoft, including updates for Windows XP and Windows Server 2003, both of which are past support dates. This gives us an idea about the seriousness of these vulnerabilities. Patches have been released for Linux 5.1.2, 5.0.16, 4.19.43, 4.14.119, and 4.9.176 kernels.
There are four new CVEs for this vulnerability:
- CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS) – CVSS score 6.5: Medium, exploited by Fallout attack
CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS) – CVSS score 6.5: Medium, exploited by RIDL attack
CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (MFBDS) – CVSS score 6.5: Medium, exploited by RIDL and ZombieLand attacks
CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM) – CVSS score 3.8: Low, exploited by RIDL attack
Disabling simultaneous multi-threading, known as Intel Hyper-Threading Technology, is your best immediate solution. Intel is also providing CPU micro-code to computer manufacturers, but release and deployment is bound to take some time.