Intel MDS Vulnerabilities: What to do?

Blog post 17 May 2019 by Ralph Moonen, Technical Director at Secura

It’s happening again… It is a busy week: the MDS attacks, a 0-day in WhatsApp, a remote pre-authentication critical vulnerability in Microsoft's Remote Desktop Protocol, dozens of critical vulnerabilities in Adobe products, a new 0-day in the Linux kernel and a critical vulnerability in Cisco products. In this blog post you will find some details about these critical vulnerabilities and concrete advice for several of them.

If you have not seen your IT people putting out emergency patches in your infrastructure, or asking you to check or update your laptop BIOS, you are probably still vulnerable (unless you use only ARM or AMD CPUs everywhere, which is very unlikely). Windows, WhatsApp and Adobe updates are also a must.

In a previous blog post on the Meltdown and Spectre vulnerabilities (see https://www.secura.com/blog-meltdown-spectre-thechinasyndromerevisited) we predicted that there would probably be more side-channel attacks against CPU architectures with speculative execution. The revelations of last Monday, 13 May 2019, show that new vulnerabilities have indeed been discovered, collectively dubbed MDS (Microarchitectural Data Sampling) attacks. Discovered more or less by accident, they were investigated further by a number of institutions, including the Austrian university TU Graz and the Vrije Universiteit Amsterdam [1]. Virtually all Intel CPUs from 2008 to 2019 appear to be vulnerable.

One of the vulnerabilities in particular, dubbed RIDL (Rogue In-Flight Data Load), is very powerful. It can read secrets from memory (such as encryption keys and passwords) that belong to other processes, the kernel or other virtual machines running on the same physical core. All it needs is a lot of time (many hours) and a way to execute code on the CPU. This might seem very restrictive, since you already need to be able to execute code on the CPU, but that is actually not an important restriction at all. Remember: every time you visit a website, code that is potentially under attacker control (JavaScript) is executed on your CPU. It is therefore quite likely that exploit code for RIDL in JavaScript will pop up in the wild soon. And of course in multi-tenant cloud and virtualization environments it is equally relevant, since one tenant's code runs on the same cores as other tenants' workloads. For all technical details, please visit https://mdsattacks.com/.

It is therefore extremely important to update operating systems and BIOS/microcode (where relevant) as soon as possible, and to ask your cloud or virtualization provider what they have done to mitigate this risk. Note that the mitigation has two parts that are both required: an operating system update that flushes the CPU buffers on privilege transitions, and the microcode update (delivered through a BIOS update, or loaded by the OS at boot) that gives the OS the MD_CLEAR functionality to do so. With only one of the two in place, the system remains vulnerable. Even with both, a sibling hyperthread on the same core can still sample data, so on hosts where untrusted code shares a core with other workloads (multi-tenant hosts in particular) disabling SMT (hyper-threading) is the only complete mitigation. Hypervisor products such as VMware, Parallels and VirtualBox also need patching, and not all of them had patches available at the time of writing, so look out for those in the coming days and weeks. Unfortunately, every server, PC and laptop manufacturer has a different procedure for BIOS updates, so a huge effort is required to fix this. It is therefore likely that we will see this vulnerability unpatched for months to come.
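To check whether a Linux host has actually picked up both halves of the fix, here is a small triage script. It is an added example and not part of the original post. It assumes the standard Linux paths (/sys/devices/system/cpu/vulnerabilities/mds and /proc/cpuinfo) and the status strings documented by the kernel in Documentation/admin-guide/hw-vuln/mds.rst; the sample inputs at the bottom are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the original post): MDS triage for a Linux host.
# Kernels carrying the May 2019 MDS patches expose a status line in sysfs;
# the microcode update adds the "md_clear" flag to /proc/cpuinfo. Both are
# needed for the OS-level mitigation to be effective.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds
CPUINFO=/proc/cpuinfo

# mds_verdict "<sysfs status line>" -> one word on stdout:
#   not-affected   CPU is not vulnerable (AMD, ARM, newer Intel)
#   mitigated      OS flushes CPU buffers; SMT is off, or only MSBDS applies
#   mitigated-smt  OS flushes CPU buffers, but a sibling hyperthread can still sample
#   mitigated-hyp  running in a VM: guest mitigated, host SMT state unknown (ask the provider)
#   no-microcode   OS is patched but the microcode lacks MD_CLEAR: still vulnerable
#   vulnerable     no mitigation active
#   unknown        unrecognised string (assume vulnerable until verified)
mds_verdict() {
    case "$1" in
        "Not affected"*)                                          echo not-affected ;;
        "Mitigation: Clear CPU buffers; SMT Host state unknown"*) echo mitigated-hyp ;;
        "Mitigation: Clear CPU buffers; SMT vulnerable"*)         echo mitigated-smt ;;
        "Mitigation: Clear CPU buffers"*)                         echo mitigated ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*) echo no-microcode ;;
        "Vulnerable"*)                                            echo vulnerable ;;
        *)                                                        echo unknown ;;
    esac
}

# has_md_clear "<contents of /proc/cpuinfo>" -> exit 0 if the md_clear flag is
# present on a "flags" line, 1 otherwise. Match on word boundaries so that a
# token merely containing "md_clear" does not count.
has_md_clear() {
    printf '%s\n' "$1" | grep -Eq '^flags[[:space:]]*:.*[[:space:]]md_clear([[:space:]]|$)'
}

# mds_check: run both checks against the live host. A missing sysfs file means
# the kernel predates the MDS patches, which is itself a finding.
mds_check() {
    if [ -r "$MDS_SYSFS" ]; then
        verdict=$(mds_verdict "$(cat "$MDS_SYSFS")")
    else
        verdict=kernel-unpatched
    fi
    if [ -r "$CPUINFO" ] && has_md_clear "$(cat "$CPUINFO")"; then
        microcode=md_clear-present
    else
        microcode=md_clear-absent
    fi
    echo "mds=$verdict microcode=$microcode"
}

# Constructed sample inputs (not captured from a real machine) so the
# classification can be exercised without access to a vulnerable host.
SAMPLE_PATCHED='Mitigation: Clear CPU buffers; SMT vulnerable'
SAMPLE_NO_UCODE='Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable'
SAMPLE_CPUINFO='processor : 0
vendor_id : GenuineIntel
flags : fpu vme de pse tsc msr pae mce cx8 ssbd md_clear flush_l1d
bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds'

for s in "$SAMPLE_PATCHED" "$SAMPLE_NO_UCODE"; do
    echo "$s -> $(mds_verdict "$s")"
done
mds_check
```

Run it on every Linux host in scope; "mitigated-smt" on a multi-tenant host means SMT still needs attention, and "mitigated-hyp" inside a guest is precisely the case where the question has to go to the cloud or virtualization provider.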

That's not all!
On the same day we were also presented with a 0-day in WhatsApp, dozens of critical vulnerabilities in Adobe products, a new 0-day in the Linux kernel and a critical vulnerability in Cisco products. And that was just one Monday…

It is understandable if you are unsure about the impact of these vulnerabilities, or have doubts about which systems to patch first. To provide some guidance, here are some criteria for making decisions:

  1. Any Intel-based system from after 2008 that is directly connected to the internet needs patching immediately.
  2. Any Intel-based multi-tenant environment with CPUs from after 2008 needs patching immediately.
  3. Any Intel-based laptop or PC from after 2008 that accesses the internet (with a browser or otherwise) needs patching immediately. This includes remote desktop clusters.
  4. Any Intel-based server or PC from after 2008 that is in a DMZ or server segment, or is accessible internally (but not directly over the internet), should be patched soon.
  5. Thin clients are probably OK for a while longer.
  6. Legacy systems should be evaluated on a case-by-case basis.

We cannot say precisely what ‘soon’ or ‘a while’ means; generally that depends on the business criticality of the system. And as always, when in doubt, please don’t hesitate to contact Secura for trusted advice and security expertise.

[1] Others include: the University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute, Saarland University in Germany, and the security firms Cyberus, BitDefender, Qihoo360 and Oracle.

© Secura 2019