Intel MDS Vulnerabilities: What to do?
Blog post 17 May 2019 by Ralph Moonen, Technical Director at Secura
It’s happening again…. It is a busy week, with the MDS attacks, the 0-day in WhatsApp, a remote pre-authentication critical vulnerability in Microsoft’s Remote Desktop Protocol, dozens of critical vulnerabilities in Adobe products, a new 0-day in the Linux kernel and a critical vulnerability in Cisco products. In this blog post you will find some details about these critical vulnerabilities and some concrete advice for several of them.
In a previous blog post on the Meltdown and Spectre vulnerabilities (see https://www.secura.com/blog-meltdown-spectre-thechinasyndromerevisited) we predicted that there would probably be more side-channel attacks against CPU architectures with speculative execution. The revelations of last Monday, 13 May 2019, show that indeed new vulnerabilities have been discovered, collectively dubbed MDS attacks (Microarchitectural Data Sampling). Discovered more or less by accident, they were further investigated by a number of institutions, including the Austrian university TU Graz and Vrije Universiteit Amsterdam [1]. Virtually all Intel CPUs from 2008 to 2019 appear to be vulnerable.
It is therefore extremely important to update operating systems and BIOS/microcode (where relevant) as soon as possible, and to ask your cloud or virtualization provider what they have done to mitigate this risk. Note that the two go together: the OS-level mitigation (clearing the affected CPU buffers on privilege transitions) relies on updated microcode, so a patched kernel on an unpatched BIOS is still vulnerable, and on multi-tenant hosts Hyper-Threading remains a residual exposure unless it is disabled or the provider schedules only one tenant per core. However, other products that also need patching, such as VMware, Parallels and VirtualBox, did not yet have a patch available at the time of writing this blog post, so you need to look out for these patches in the coming days and weeks. Unfortunately, every server, PC and laptop manufacturer has a different procedure for this, so a huge effort will be required to fix this. It is therefore likely that we will see this vulnerability unpatched for months to come.
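Rather than trusting that “the update was installed”, a Linux host can be asked what the kernel itself thinks of its MDS state. The script below is an added example written for this post, not code from the original article or from Secura; it assumes a kernel new enough to expose the `/sys/devices/system/cpu/vulnerabilities/mds` file (shipped with the May 2019 MDS fixes) and matches on the status strings documented in the kernel’s `admin-guide/hw-vuln/mds.rst`. The verdict tokens (`MITIGATED_SMT_VULNERABLE` and so on) are this script’s own naming.

```shell
#!/bin/sh
# Added example (not from the original post): classify a Linux host's MDS
# mitigation state from the kernel's sysfs report.
#
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities/mds
# (added with the May 2019 MDS patches). Status strings follow the kernel's
# Documentation/admin-guide/hw-vuln/mds.rst; the verdict tokens are ours.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# mds_verdict STATUS -> prints one token summarising the kernel's report.
mds_verdict() {
    status=$1
    case "$status" in
        "Not affected"*)
            echo NOT_AFFECTED ;;
        "Mitigation: Clear CPU buffers"*"SMT vulnerable"*)
            # Buffers are cleared on privilege transitions, but the sibling
            # hyper-thread can still sample them: acceptable on a
            # single-tenant desktop, not on a multi-tenant host.
            echo MITIGATED_SMT_VULNERABLE ;;
        "Mitigation: Clear CPU buffers"*"SMT Host state unknown"*)
            # We are a guest: only the hypervisor knows whether SMT is exposed.
            echo MITIGATED_ASK_HYPERVISOR ;;
        "Mitigation: Clear CPU buffers"*)
            # Covers "SMT disabled" and "SMT mitigated".
            echo MITIGATED ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
            # Kernel is patched but the CPU lacks MD_CLEAR: the BIOS/microcode
            # update is still missing. Must precede the generic pattern below.
            echo VULNERABLE_NO_MICROCODE ;;
        "Vulnerable"*)
            echo VULNERABLE ;;
        *)
            echo UNKNOWN ;;
    esac
}

# check_host -> verdict for this machine, or NO_SYSFS when the kernel predates
# the interface (which by itself means the OS patch is not installed).
check_host() {
    if [ -r "$MDS_SYSFS" ]; then
        mds_verdict "$(cat "$MDS_SYSFS")"
    else
        echo NO_SYSFS
    fi
}

# Constructed sample strings, in the exact form the kernel prints them.
for s in "Not affected" \
         "Mitigation: Clear CPU buffers; SMT vulnerable" \
         "Mitigation: Clear CPU buffers; SMT disabled" \
         "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable" \
         "Vulnerable; SMT vulnerable"; do
    printf '%-72s -> %s\n' "$s" "$(mds_verdict "$s")"
done
printf 'this host: %s\n' "$(check_host)"
```

Anything other than `NOT_AFFECTED` or `MITIGATED` means one of the two halves of the fix is missing (or, for a guest, that the question has to go to the hypervisor operator), which is exactly the information needed to work through the prioritisation list later in this post.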
That's not all!
On the same day, we were also presented with a 0-day in WhatsApp, dozens of critical vulnerabilities in Adobe products, a new 0-day in the Linux kernel and a critical vulnerability in Cisco products. And that was just one Monday….
It is very understandable if you are unsure about the impact of these vulnerabilities, or have doubts about which systems to patch first. To provide some guidance, here are some criteria for deciding, ordered from most to least urgent:
- Any Intel-based system from after 2008 that is directly connected to the internet, needs patching immediately.
- Any Intel-based multi-tenant environment with CPUs from after 2008 needs patching immediately.
- Any Intel-based laptop or PC from after 2008 that accesses the internet (with a browser or otherwise) needs patching immediately. This includes remote desktop clusters.
- Any Intel-based server or PC from after 2008 that is in a DMZ or server segment or accessible internally (but not directly over internet), should be patched soon.
- Thin clients can probably wait a while longer.
- As for legacy systems: they should be evaluated on a case-by-case basis.
We cannot say exactly what ‘soon’ or ‘a while’ means; generally that depends on the business-criticality of the system. And as always, when in doubt, please don’t hesitate to contact Secura for trusted advice and security expertise.
[1] Others include: the University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute, Saarland University in Germany, and the security firms Cyberus, BitDefender, Qihoo360 and Oracle.