IN A NUTSHELL:
- Researchers from several European universities and organisations have identified a further variant of the ZombieLoad vulnerability;
- An attack using this CPU vulnerability enables data theft within a few dozen seconds;
- The vulnerability is present in Intel CPUs, including the new Cascade Lake units.
According to Wired, researchers from several European universities and organizations - Vrije Universiteit (Amsterdam, Netherlands), KU Leuven (Leuven, Belgium), the Helmholtz Center for Information Security (Saarbruecken, part of the Helmholtz Association) and Graz University of Technology (Graz, Austria) - have discovered that processors from Intel's Cascade Lake line are susceptible to attacks using a new variant of the ZombieLoad vulnerability (it belongs to the so-called MDS class, which also includes the Fallout and RIDL attacks).
The experts warned the company about the threat as early as September 2018. Intel's engineers had nearly 14 months to solve the problem, but apparently did not consider it worth their attention. Some patches were released that improved the security level, but the CPUs remain vulnerable to MDS attacks to some extent. After the first update in May of this year, the researchers contacted the processor manufacturer to point out that the fix was incomplete, but were asked to remain silent. They agreed, so as not to make life easier for attackers, but have now decided to share the results of their work.
"The mitigation they released in May, we knew it could be bypassed. It wasn’t effective. They missed completely a variant of our attack—the most dangerous one," said Kaveh Razavi, one of the researchers from the VUSec group from Vrije Universiteit.
ZombieLoad returns from beyond the grave - even more dangerous
MDS attacks exploit the way the processor works internally to extract information from the cache. According to the experts, ZombieLoad V2 (or TAA, for TSX Asynchronous Abort; TSX is the name of the CPU feature that is abused in this case) is even more problematic than other attacks of this type. Why? Because it lets the attacker steal information much faster. In recent months, the researchers have been able to fine-tune the method and develop a technique that carries out the attack in just a few dozen seconds instead of hours or days (see the video below). It is worth noting that the time required to carry out an attack was one of the main arguments Intel raised when trying to convince customers that its processors are secure.
"Intel said this class of MDS attacks is very difficult to exploit. So we thought, OK, let’s use the most effective variant to demonstrate that you can do this efficiently," said VUSec's Cristiano Giuffrida.
The researchers say they are not sure whether Intel's latest patch, released today, is a complete fix. Yes, some of the problems have been removed, but the experts believe that some processor buffers can still be used to launch an MDS attack. This is also admitted by... the company's own employees.
"We believe that the mitigations for TAA and MDS substantively reduce the potential attack surface. Shortly before this disclosure, however, we confirmed the possibility that some amount of data could still be inferred through a side-channel using these techniques (for TAA, only if TSX is enabled) and will be addressed in future microcode updates. We continuously improve the techniques available to address such issues and appreciate the academic researchers who have partnered with Intel," wrote the manufacturer in a recent statement.
Despite being "appreciated" by the company, the experts are not satisfied with its attitude. They also revealed that Intel... once again asked them to delay the publication of their report on ZombieLoad V2. This time, however, they refused.
"We know this stuff is difficult, but we’re extremely disappointed with Intel. Our complaint with the entire process is the lack of security engineering that we see. Our impression is that they look at one variant at a time, but they’re not able to address the root cause," said the scientists.
It seems that this time Intel may have to deal with a serious problem - an attack that can steal sensitive data after only several dozen seconds of access to a machine is no laughing matter. The news could not have come at a worse time either (although that is not the fault of the researchers) - in recent months the company has been under increasing pressure from AMD and has been losing ground in one market segment after another.
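As an added example (not code from the article, the researchers or Intel), here is a defender's shell check for the situation Intel's statement describes, where TAA only matters if TSX is enabled: it reads the Linux kernel's tsx_async_abort report from sysfs together with the CPU's rtm/hle flags and returns a verdict. The scenario names, the make_sample helper and the sample file contents are constructed for illustration; the sysfs path and the rtm/hle flags are the real ones the kernel exposes.

```shell
#!/bin/sh
# Added example: classify a Linux host's exposure to TAA (ZombieLoad V2)
# from what the kernel itself reports.
#   - /sys/devices/system/cpu/vulnerabilities/tsx_async_abort (Linux 5.4+)
#   - the rtm/hle flags in /proc/cpuinfo, which show whether TSX is usable
# File paths are parameters so the logic also runs on captured copies.
# Live host: taa_verdict /proc/cpuinfo /sys/devices/system/cpu/vulnerabilities/tsx_async_abort

# tsx_usable CPUINFO_FILE -> "on" if the CPU advertises RTM or HLE, else "off"
tsx_usable() {
    if grep '^flags' "$1" 2>/dev/null | grep -qwE 'rtm|hle'; then
        echo on
    else
        echo off
    fi
}

# taa_verdict CPUINFO_FILE SYSFS_FILE
# Prints "<verdict> tsx=<on|off>", verdict being one of:
#   not-affected | tsx-disabled | mitigated | vulnerable | unknown
taa_verdict() {
    tsx=$(tsx_usable "$1")
    if [ -r "$2" ]; then
        case "$(cat "$2")" in
            "Not affected"*)             verdict=not-affected ;;
            "Mitigation: TSX disabled"*) verdict=tsx-disabled ;;
            # Buffers are cleared on privilege transitions but TSX stays on;
            # the kernel's full text also says whether SMT remains exposed.
            Mitigation:*)                verdict=mitigated ;;
            Vulnerable*)                 verdict=vulnerable ;;
            *)                           verdict=unknown ;;
        esac
    else
        # Kernel predates TAA reporting: no verdict, but tsx= still tells
        # the operator whether the TAA path can exist on this CPU at all.
        verdict=unknown
    fi
    echo "$verdict tsx=$tsx"
}

# make_sample DIR SCENARIO -- writes CONSTRUCTED sample files (not captures)
# SCENARIO: cascadelake-unpatched | cascadelake-tsxoff | old-kernel
make_sample() {
    mkdir -p "$1"
    case "$2" in
        cascadelake-unpatched)
            echo 'flags : fpu vme sse2 hle avx2 rtm md_clear' > "$1/cpuinfo"
            echo 'Vulnerable' > "$1/taa" ;;
        cascadelake-tsxoff)
            echo 'flags : fpu vme sse2 avx2 md_clear' > "$1/cpuinfo"
            echo 'Mitigation: TSX disabled' > "$1/taa" ;;
        old-kernel)
            echo 'flags : fpu vme sse2 hle avx2 rtm' > "$1/cpuinfo"
            rm -f "$1/taa" ;;
    esac
}
```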