Microarchitectural Data Sampling / CVE-2018-12126 , CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 / INTEL-SA-00233

ID 660222
Updated 5/14/2019
Version Latest
Public

author-image

By

Disclosure date: 
2019-05-14

Published date:
 
2019-05-14

Shield Icon #74443 - Free Icons LibrarySeverity rating:
6.5 Medium

Industry-wide severity ratings can be found in the National Vulnerability Database


 Severity and Score

CVE Name Severity Score
CVE-2018-12126 Microarchitectural Store Buffer Data Sampling Medium 6.5
CVE-2018-12130 Microarchitectural Fill Buffer Data Sampling Medium 6.5
CVE-2018-12127 Microarchitectural Load Port Data Sampling Medium 6.5
CVE-2019-11091 Microarchitectural Data Sampling Uncacheable Memory Low 3.8

Aliases

  • Zombieload
  • RIDL
  • Fallout

Related Content

INTEL-SA-00233
Intel Analysis of Microarchitectural Data Sampling
List of processors potentially affected by Microarchitectural Data Sampling
Microcode revision guidance

Overview

Under certain conditions, data in microarchitectural structures that the currently-running software does not have permission to access may be speculatively accessed by faulting or assisting load or store operations. This does not result in incorrect program execution because these operations never complete, and their results are never returned to software. However, software may be able to forward this speculative-only data to a side channel disclosure gadget in a way that potentially allows malicious actors to infer the data.

Microarchitectural data sampling (MDS) includes CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, (6.5 Medium CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) and CVE-2019-11091 (3.8 Low CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N). MDS speculative execution side channel methods can be used to expose data in the following microarchitectural structures:

  • Microarchitectural Store Buffer Data Sampling (MSBDS) CVE-2018-12126
  • Microarchitectural Fill Buffer Data Sampling (MFBDS) CVE-2018-12130
  • Microarchitectural Load Port Data Sampling (MLPDS) CVE-2018-12127
  • Microarchitectural Data Sampling Uncacheable Memory (MDSUM) CVE-2019-11091

MDS only refers to methods that involve microarchitectural structures other than the level 1 data cache (L1D) and thus does not include Rogue Data Cache Load (RDCL) or L1 Terminal Fault (L1TF). Store buffers, fill buffers, and load ports are much smaller than the L1D, and therefore hold less data and are overwritten more frequently. It is also more difficult to use MDS methods to infer data that is associated with a specific memory address, so malicious actors may need to collect significant amounts of data and analyze it to locate any protected data.

Mitigation

Some current processors and future processors will have microarchitectural data sampling methods mitigated in the hardware. For processors that are affected, the mitigation for microarchitectural data sampling issues includes overwriting store buffers, fill buffers, and load ports before transitioning to possibly less-privileged code.

There are two methods to clear microarchitectural structures affected by MDS: MD_CLEAR functionality1 and software sequences. On processors that enumerate MD_CLEAR 2, developers can use the VERW instruction or L1D_FLUSH command3 to cause the processor to overwrite buffer values that are affected by MDS, as these instructions are preferred to the software sequences.

Details of how to implement these mitigation methods, as well as mitigation information for hyperthreaded environments, can be found in Intel Analysis of Microarchitectural Data Sampling.

OS and Driver Developers

The OS can execute the VERW instruction to overwrite any protected data in affected buffers when transitioning from ring 0 to ring 3. This will overwrite protected data in the buffers that could belong to the kernel or other applications.

OS developers can find more information on implementing the VERW instruction and more on System Management Mode (SMM), refer to Intel Analysis of Microarchitectural Data Sampling.

Virtual Machine Monitor Developers

The VMM can execute either the VERW instruction or the L1D_FLUSH command3 before entering a guest VM. This will overwrite protected data in the buffers that could belong to the VMM or other VMs. VMMs that already use the L1D_FLUSH command before entering guest VMs to mitigate L1TF may not need further changes beyond loading a microcode update that enumerates MD_CLEAR.

For further details, refer to Intel Analysis of Microarchitectural Data Sampling.

Developers of Software Running in an Enclave

When entering or exiting Intel® Software Guard Extensions (Intel® SGX) enclaves, processors that enumerate support for MD_CLEAR 1 will automatically overwrite affected data buffers.

For further details, refer to Intel Analysis of Microarchitectural Data Sampling.

System Administrators

Always keep your systems up to date with the latest security updates, and follow the guidance from your OS and VMM vendors.

Footnotes

  1. CPUID.(EAX=7H,ECX=0):EDX[MD_CLEAR=10]
  2. Some processors may only enumerate MD_CLEAR after microcode updates.
  3. On processors that enumerate both CPUID.(EAX=7H,ECX=0):EDX[MD_CLEAR=10] and CPUID.(EAX=7H,ECX=0):EDX[L1D_FLUSH=28]
 
Software Security Guidance Home | Advisory Guidance | Technical Documentation | Best Practices | Resources