Microarchitectural Data Sampling (MDS) Vulnerability affects almost all Intel CPUs
The ZombieLoad attack on a system allows stealing sensitive data while the computer accesses these data.
RIDL (Rogue In-Flight Data Load) has shown that attackers can exploit MDS vulnerabilities to mount practical attacks and leak sensitive data in a real-world setup.
Fallout demonstrates that attackers can leak data from Store Buffers, which are used every time a CPU pipeline needs to store any data. Making things worse, an unprivileged attacker can then later pick which data they leak from the CPU’s Store Buffer.
While programs normally only see their own data, a malicious program can exploit the fill buffers to get hold of data currently processed by other running programs. These may include user-level secrets, such as browser history, website content, user keys, and passwords, or system-level secrets, such as disk encryption keys.
The attack does not only work on personal computers but can also be exploited in the cloud. Make sure to get the latest updates for your operating system!
These vulnerabilities are design flaws that reveal data to bad actors who significantly affect your system.
How to mitigate the MDS/Zombieload Vulnerability
a) If you are running on hardware
To mitigate this vulnerability, you will need to take 3 steps that require no reboot if you follow the instructions below:
Step 1: Update Microcode without a reboot
Microcode is the code that runs inside the CPU itself and is handled by Intel. The microcode update is usually done on reboot: you get the new kernel, which will have new microcode and when the kernel boots it will install new microcode into the CPU.
Step 2: Disable Hyperthreading without a reboot
If you don’t disable the CPU simultaneous multithreading (SMT) – you will still have an issue, in that the attacker can read the data of the same CPU.
Step 3: Apply KernelCare patches
Even if you have done steps 1 and 2, you must still update the Linux Kernel to ensure that the local user can not read the data you are running on the CPU.
KernelCare can actually enable you to perform the above steps without rebooting.
b). If you are running on a Virtual Machine
You only need to patch the Linux Kernel inside the VM. Make sure that your host node is updated as well, which is typically done by your service provider.
If you are using your KernelCare – your patches will be delivered automatically by KernelCare and you don’t need to do anything extra.