
Security: Updates, MDS, WhatsApp and 'The Cloud'

Filed under
Security
  • Security updates for Tuesday
  • Understanding the MDS vulnerability: What it is, why it works and how to mitigate it

    MDS vulnerabilities explained in ~three minutes

  • A deeper look at the MDS vulnerability

    In our last post, Jon Masters offered an overview of the MDS vulnerability. In this video, Jon provides a deeper technical explanation of the vulnerability.

  • SUSE addresses Microarchitectural Data Sampling Vulnerabilities

    Researchers have identified new CPU side channel information leak attacks against various microarchitectural buffers used in Intel CPUs. These attacks allow local attackers to execute code to read out portions of recently read or written data by using speculative execution. Local attackers can be on the same OS or running code on the same thread of a CPU core, which could happen for other VMs on the same physical host.
    Intel, together with hardware and operating system vendors, has worked over recent months to prepare mitigations for these vulnerabilities, also known as RIDL, Fallout and ZombieLoadAttack.

  • MDS: The Newest Speculative Execution Side-Channel Vulnerability [Ed: Faked performance means no security and since there are no rules associated with this, there will be no multi-billion-dollar fines, no mass recalls etc. What an awful industry.]

    Intel just disclosed a new speculative execution side-channel vulnerability in its processors similar to the existing Spectre/L1TF vulnerabilities. This new disclosure is called the Microarchitectural Data Sampling (MDS).

    The Microarchitectural Data Sampling vulnerability was discovered by Intel researchers and independently reported as well by external researchers and is said to be similar to existing speculative execution side channel vulnerabilities. Fortunately, some current-generation CPUs are not vulnerable and Intel says all new processors moving forward will be mitigated. For those processors affected, microcode/software updates are said to be coming.

  • Update WhatsApp now to avoid spyware installation from a single missed call
  • Update WhatsApp Now, Adobe Warning Creative Cloud Users with Older Apps, Kernels Older than 5.0.8 Are Vulnerable to Remote Code Execution, Schools in Kerala Choose Linux and MakeOpenStuff Is Launching the HestiaPi Touch Smart Thermostat

    A vulnerability in WhatsApp allows spyware to be installed from a single unanswered phone call. The Verge reports that the "spyware, developed by Israel's secretive NSO group, can be installed without trace and without the target answering the call, according to security researchers and confirmed by WhatsApp. Once installed, the spyware can turn on a phone's camera and mic, scan emails and messages, and collect the user's location data. WhatsApp is urging its 1.5 billion global users to update the app immediately to close the security hole."

  • How WhatsApp exposed its users to a spyware attack

    Facebook-owned firm confirms that a vulnerability in WhatsApp opened doors for a spyware attack that installs a malicious code on victim's smartphone...

  • Modern IT security: Sometimes caring is NOT sharing

    The last decade of technological advances has seen a race to reduce costs. Migration to virtualized systems quickly eclipsed traditional bare-metal deployments. At some point, virtualization will be out-paced by containerization. While the physical footprint of an organization’s compute resources may have been reduced, the complexity of managing those environments certainly has not.

    Back in the Stone Age of IT operations and information security, everyone’s attention was focused on the corporate datacenter and the physical machines that lived there. It was simpler to understand where security controls needed to be applied. You had one giant cable coming into the building from "the internet," so you’d throw firewalls, Information Data Leak Prevention/Detection (IDP/IDS), proxies, load balancers and other tools in-line before that channel was split to the larger corporate network. This Castle-and-Moat model of protection worked fairly well (ignoring the insider threat) for decades.

    [...]

    Virtualization evolved into "the cloud". TL/DR for everyone out there: the cloud is just someone else’s computer. You used to run it on your server in your datacenter. Move it "to the cloud" and it now runs on Frank’s Discount Cloud and actually sits in his basement in Peoria, Illinois. Cloud enabled individuals and businesses to have a low-cost means to quickly deploy systems and applications. It offered benefits around high availability and other features you’d typically see deployed in Enterprise-class organizations. Instead of ordering physical boxes from your favourite retailer or OEM and having that take weeks to be delivered and weeks more to be configured and deployed, now you call up Frank (say "Hi!" to his mom while she’s down in the server room doing Frank’s laundry) and Frank can have you up and running with computing and storage resources in minutes. Cloud lets you "outsource" a lot of technology and skills you might not have in-house (or have any interest in managing yourself).

Latest on MDS

  • "ZombieLoad": a new set of speculative-execution attacks

    The curtain has finally been lifted on the latest set of speculative-execution vulnerabilities. This one has the delightful name of ZombieLoad; it is also known as "microarchitectural data sampling", but what's the fun in that? Various x86 processors stash data into hidden buffers that can, in some cases, be revealed via speculative execution. Exploits appear to be relatively hard.

  • Ubuntu updates to mitigate new Microarchitectural Data Sampling (MDS) vulnerabilities

    Microarchitectural Data Sampling (MDS) describes a group of vulnerabilities (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091) in various Intel microprocessors, which allow a malicious process to read various information from another process which is executing on the same CPU core. This occurs due to the use of various microarchitectural elements (buffers) within the CPU core. If one process is able to speculatively sample data from these buffers, it can infer their contents and read data belonging to another process since these buffers are not cleared when switching between processes. This includes switching between two different userspace processes, switching between kernel and userspace and switching between the host and a guest when using virtualisation.

    In the case of a single process being scheduled to a single CPU thread, it is relatively simple to mitigate this vulnerability by clearing these buffers when scheduling a new process onto the CPU thread. To achieve this, Intel has released updated microcode which, combined with changes to the Linux kernel, ensures these buffers are appropriately cleared.

    Updated versions of the intel-microcode, qemu and linux kernel packages are being published as part of the standard Ubuntu security maintenance of Ubuntu releases 16.04 LTS, 18.04 LTS, 18.10, 19.04 and as part of the extended security maintenance for Ubuntu 14.04 ESM users. As these vulnerabilities affect such a large range of Intel processors (across laptop, desktop and server machines), a large percentage of Ubuntu users are expected to be impacted – users are encouraged to install these updated packages as soon as they become available.

  • A Slew Of Stable Kernel Updates Issued For Addressing MDS / Zombieload Vulnerabilities

    Following today's disclosure of the new MDS vulnerabilities affecting Intel CPUs, a slew of new Linux kernel stable releases have been issued.

    Greg Kroah-Hartman has issued Linux 5.1.2, 5.0.16, 4.19.43, 4.14.119, and 4.9.176 with these now public mitigation patches that pair with Intel's CPU microcode for mitigating this latest set of speculative execution side-channel vulnerabilities.

Insecurity firms spread fear over MDS to sell products/services

  • Linux Kernel Flaw Allows Remote Code-Execution

    The bug is remotely exploitable without authentication or user interaction.

    Millions of Linux systems could be vulnerable to a high-impact race condition flaw in the Linux kernel.

    Kernel versions prior to 5.0.8 are affected by the vulnerability (CVE-2019-11815), which exists in the rds_tcp_kill_sock in net/rds/tcp.c. “There is a race condition leading to a use-after-free [UAF],” according to the CVE description.

The 'insecurity publishers' use scary buzzwords now ("Meltdown")

  • The second Meltdown: New Intel CPU attacks leak secrets

    Over a year ago, the Meltdown and Spectre attacks took the computer industry by storm and showed that the memory isolation between the operating system kernel and unprivileged applications or between different virtual machines running on the same server were not as impervious as previously thought. Those attacks took advantage of a performance enhancing feature of modern CPUs called speculative execution to steal secrets by analyzing how data was being accessed inside CPU caches.

    Since then, the research community found additional "side channel" techniques that could allow attackers to reconstruct secrets without having direct access to them, by analyzing how data passes through the CPU's microarchitectural components during speculative execution.

More on WhatsApp's Flaw

  • On WhatsApp, it may be hackers calling
  • Why it might be time to ditch WhatsApp for Signal or Telegram

    By now you’ve heard the news: WhatsApp is currently rolling out an urgent update to all app users to close a major vulnerability that leaves unpatched phones at risk of being targeted by hackers. WhatsApp is owned by Facebook, and if you plan to stick with the platform, don’t wait for an update notification: access your phone’s app store now to force install the update.

    Except maybe now is the time to go one step further: perhaps it’s the perfect opportunity to switch to a different messaging platform. One that’s not owned by one of the major tech companies, is equally -- if not more -- secure, and which works on more than just your phone. Enter stage left, Telegram, and stage right, Signal.

Linux vs. Zombieload

  • Linux vs. Zombieload

    The researchers have shown a Zombieload exploit that can look over your virtual shoulder to see the websites you're visiting in real-time. Their example showed someone spying on another someone using the privacy-protecting Tor Browser running inside a virtual machine (VM).

    Zombieload's more formal name is "Microarchitectural Data Sampling (MDS)." Its more common name comes from the concept of a "zombie load." This is a quantity of data that a processor can't handle on its own. The chip then asks for help from its microcode to prevent a crash. Normally, applications, virtual machines (VMs), and containers can only see their own data. But the Zombieload vulnerabilities enable an attacker to spy on data across the normal boundaries on all modern Intel processors.

    Unlike the earlier Meltdown and Spectre problems, Intel was given time to ready itself for this problem. Intel has released microcode patches. These help clear the processor's buffers, thus preventing data from being read.

    To defend yourself, your processor must be updated, your operating system must be patched, and for the most protection, Hyper-Threading disabled. When Meltdown and Spectre showed up, the Linux developers were left in the dark and scrambled to patch Linux. This time, they've been kept in the loop.
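As an added example (not code from any of the articles quoted on this page), the following POSIX shell script turns the three-part check described above (microcode applied, kernel patched, Hyper-Threading off) into something an administrator can run on a Linux host. It reads the two sysfs files the kernel uses to report MDS status and SMT control; the status strings are the ones documented in the kernel's MDS admin guide, while the verdict and action names are this example's own.

```shell
# Added example: classify the Linux kernel's MDS status line and SMT control
# state, then say what (if anything) an admin still needs to do.
# MDS status strings follow Documentation/admin-guide/hw-vuln/mds.rst;
# the verdict/action vocabulary below is invented for this example.

MDS_FILE=/sys/devices/system/cpu/vulnerabilities/mds
SMT_FILE=/sys/devices/system/cpu/smt/control

# Map the kernel's MDS status line to a short verdict:
#   not-affected           CPU is not on the affected list
#   mitigated              buffers are cleared and sibling threads are off or
#                          considered handled by the kernel
#   mitigated-smt-exposed  buffers are cleared but sibling threads can still
#                          sample data (or a guest cannot see host SMT state)
#   unmitigated            kernel patched but microcode missing, or nothing at all
#   unknown                anything else (e.g. a kernel without MDS support)
mds_verdict() {
    case "$1" in
        "Not affected") echo not-affected ;;
        "Mitigation: Clear CPU buffers; SMT disabled") echo mitigated ;;
        "Mitigation: Clear CPU buffers; SMT mitigated") echo mitigated ;;
        "Mitigation: Clear CPU buffers; SMT vulnerable") echo mitigated-smt-exposed ;;
        "Mitigation: Clear CPU buffers; SMT Host state unknown") echo mitigated-smt-exposed ;;
        Vulnerable*) echo unmitigated ;;
        *) echo unknown ;;
    esac
}

# Combine the verdict with /sys/devices/system/cpu/smt/control
# ("on", "off", "forceoff", "notsupported", "notimplemented") into one action.
mds_action() {
    verdict=$1
    smt=$2
    case "$verdict" in
        not-affected|mitigated) echo none ;;
        mitigated-smt-exposed)
            case "$smt" in
                on) echo disable-smt ;;            # buffers cleared, siblings still share the core
                *)  echo review-host-smt ;;        # e.g. a guest that cannot see the host's SMT state
            esac ;;
        unmitigated) echo update-microcode-and-kernel ;;
        *) echo inspect-manually ;;
    esac
}

# Print the first line of a sysfs file, or "absent" when the file is missing,
# so the script also runs on non-Linux hosts and in sandboxes.
read_sysfs() {
    if [ -r "$1" ]; then
        IFS= read -r line < "$1" || line=""
        printf '%s\n' "$line"
    else
        echo absent
    fi
}

check_host() {
    mds_line=$(read_sysfs "$MDS_FILE")
    smt_line=$(read_sysfs "$SMT_FILE")
    verdict=$(mds_verdict "$mds_line")
    echo "mds status : $mds_line"
    echo "smt control: $smt_line"
    echo "verdict    : $verdict"
    echo "action     : $(mds_action "$verdict" "$smt_line")"
}

check_host
```

On a host without the sysfs files (or a kernel predating the MDS patches) the verdict is "unknown", which is itself a signal that the kernel update has not landed.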

Canonical Releases Ubuntu Updates to Mitigate New MDS Security

  • Canonical Releases Ubuntu Updates to Mitigate New MDS Security Vulnerabilities

    Four new security vulnerabilities affecting Intel microprocessors have been publicly disclosed earlier, and Intel already released updated microcode firmware to mitigate them, but in the case of Linux-based operating systems these flaws cannot be addressed only by updating the CPU firmware, but also by installing new Linux kernel versions and QEMU patches.

    The vulnerabilities (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091) affect various Intel processors and could allow a local attacker to expose sensitive information. They have an impact on all supported Ubuntu Linux releases, including Ubuntu 19.04 (Disco Dingo), Ubuntu 18.10 (Cosmic Cuttlefish), Ubuntu 18.04 LTS (Bionic Beaver), Ubuntu 16.04 LTS (Xenial Xerus), and Ubuntu 14.04 ESM (Trusty Tahr).

Intel and MDS

  • Intel CPUs impacted by new Zombieload side-channel attack

    Academics have discovered a new class of vulnerabilities in Intel processors that can allow attackers to retrieve data being processed inside a CPU.

    The leading attack in this new vulnerability class is a security flaw named Zombieload, which is another side-channel attack in the same category as Meltdown, Spectre, and Foreshadow.

How Hackers Broke WhatsApp With Just a Phone Call

Cameron Kaiser: ZombieLoad doesn't affect Power Macs

  • Cameron Kaiser: ZombieLoad doesn't affect Power Macs

    The latest in the continued death march of speculative execution attacks is ZombieLoad (see our previous analysis of Spectre and Meltdown on Power Macs). ZombieLoad uses the same types of observable speculation flaws to exfiltrate data but bases it on a new class of Intel-specific side-channel attacks utilizing a technique the investigators termed MDS, or microarchitectural data sampling. While Spectre and Meltdown attack at the cache level, ZombieLoad targets Intel HyperThreading (HT), the company's implementation of symmetric multithreading, by trying to snoop on the processor's line fill buffers (LFBs) used to load the L1 cache itself. In this case, side-channel leakages of data are possible if the malicious process triggers certain specific and ultimately invalid loads from memory -- hence the nickname -- that require microcode assistance from the CPU; these have side-effects on the LFBs which can be observed by methods similar to Spectre by other processes sharing the same CPU core. (Related attacks against other microarchitectural structures are analogously implemented.)

WhatsApp is not end-to-end because Facebook keeps copy of keys

  • The Ultimate Bad Take: Bloomberg's Leonid Bershidsky Thinks A WhatsApp Vulnerability Proves End To End Encryption Is Useless

    Bloomberg has really been on a roll lately with getting security stories hellishly wrong. Last fall it was its big story claiming that there was a supply chain hack that resulted in hacked Supermicro chips being used by Amazon and Apple. That story has been almost entirely debunked, though Bloomberg still has not retracted the original. Then, just a few weeks ago, it flubbed another story, claiming that the presence (years ago) of telnet in some Huawei equipment was a nefarious backdoor, rather than a now obsolete but previously fairly common setup for lots of equipment for remote diagnostics and access.

    The latest is an opinion piece, rather than reporting, but it's still really bad. Following yesterday's big revelation that a big security vulnerability was discovered in WhatsApp, opinion columnist Leonid Bershidsky declared it as evidence that end-to-end encryption is pointless.

Meltdown Redux: Intel Flaw Lets Hackers Siphon Secrets

  • Meltdown Redux: Intel Flaw Lets Hackers Siphon Secrets from Millions of PCs

    More than a year has passed since security researchers revealed Meltdown and Spectre, a pair of flaws in the deep-seated, arcane features of millions of chip sold by Intel and AMD, putting practically every computer in the world at risk. But even as chipmakers scrambled to fix those flaws, researchers warned that they weren't the end of the story, but the beginning—that they represented a new class of security vulnerability that would no doubt surface again and again. Now, some of those same researchers have uncovered yet another flaw in the deepest guts of Intel's microscopic hardware. This time, it can allow attackers to eavesdrop on virtually every bit of raw data that a victim's processor touches.

    Today Intel and a coordinated supergroup of microarchitecture security researchers are together announcing a new, serious form of hackable vulnerability in Intel's chips. It's four distinct attacks, in fact, though all of them use a similar technique, and all are capable of siphoning a stream of potentially sensitive data from a computer's CPU to an attacker.

    [...]

    AMD and ARM chips don't appear to be vulnerable to the attacks, [...]

Microarchitectural Data Sampling (MDS) focus now on Intel

  • Intel reveals four more Spectre-like bugs in its processors

    Intel has revealed four more vulnerabilities in all its modern processors, all of which could lead to side channel attacks that use speculative execution to leak data.

  • Intel CPU Exploit Zombieload Uses Hyperthreading To Steal Data

    The latest Intel CPU exploit termed Zombieload is a speculative execution side-channel attack. It uses Intel Hyperthreading to execute a Microarchitectural Data Sampling (MDS) attack which targets buffers in CPU microarchitecture.

    According to a report, Intel CPUs made since 2008 are all susceptible to this attack. The latest 8th and 9th gen Intel CPUs are safe from this issue. Intel has released a security patch for this security flaw.

Steinar H. Gunderson: Bug fest

RIP Hyper-Threading?

  • RIP Hyper-Threading? ChromeOS axes key Intel CPU feature over data-leak flaws – Microsoft, Apple suggest snub

    In conjunction with Intel's coordinated disclosure today about a family of security vulnerabilities discovered in millions of its processors, Google has turned off Hyper-Threading in Chrome OS to fully protect its users.

    Meanwhile, Apple, Microsoft, IBM's Red Hat, QubesOS, and Xen advised customers that they may wish to take similar steps.

    The family of flaws are dubbed microarchitecture data sampling (MDS), and Chipzilla's official advisory is here, along with the necessary microcode updates to mitigate the data-leaking vulnerabilities and list of affected products. Installing these fixes and disabling Intel's Hyper-Threading feature is a sure-fire way to kill off the bugs, though there may be a performance hit as a result.

Debian Patches New Intel MDS Security Vulnerabilities in Debian

  • Debian Patches New Intel MDS Security Vulnerabilities in Debian Linux Stretch

    On May 14th, Intel disclosed four new security vulnerabilities affecting several of its Intel CPUs, which could allow attackers to leak sensitive information if the system remains unpatched. Intel has worked with major OS vendors and device manufacturers to quickly deploy feasible solutions for mitigating these flaws, and now patches are available for users of the Debian GNU/Linux 9 "Stretch" operating system series.

    "Multiple researchers have discovered vulnerabilities in the way the Intel processor designs have implemented speculative forwarding of data filled into temporary microarchitectural structures (buffers). This flaw could allow an attacker controlling an unprivileged process to read sensitive information, including from the kernel and all other processes running on the system or cross guest/host boundaries to read host memory," reads the security advisory.

Now the BSD World

  • The BSDs Get Promptly Mitigated For The MDS Side-Channel Vulnerabilities

    When Spectre and Meltdown came to light, there were some frustrations in the BSD community that it took time for them to be briefed and ultimately handling the mitigations for these CPU security vulnerabilities. Fortunately, with the new Microarchitectural Data Sampling (MDS, also dubbed "Zombieload") vulnerabilities, the key BSDs have seen punctual patches.

    FreeBSD on Tuesday issued a security advisory that does include patches and additional guidance. FreeBSD's guidance is also recommending the disabling of Hyper Threading for systems with users/processors in different trust domains. FreeBSD also provides instructions on setting up the loading of the latest Intel CPU microcode files and applying patches for FreeBSD 12 and 11 series.

Zombieload Intel Vulnerability Explained

  • Zombieload Intel Vulnerability Explained: Nasty Flaw In Millions Of CPUs

    Zombieload is the latest Intel CPU vulnerability to plague everything from desktop computers to enterprise level servers. However, due to the increasingly complex nature of online attacks, it is becoming harder for companies to detect and fix them.

    These fixes are usually half measured at best and cause the processors of enterprises as well as the average user to lose their performance value in the long run or so we’re told. Online attacks like Spectre and Meltdown affect almost everyone that uses a computer. It is a problem which is forcing companies to cut corners, more often than not, in areas concerning performance.

More MDS Media Coverage

CloudLinux, LWN and Red Hat on MDS


More in Tux Machines

Security Leftovers

  • Security updates for Wednesday
  • Illumos-Powered OmniOS Gets Updated Against MDS / ZombieLoad Vulnerabilities
    While it was just earlier this month that the OpenSolaris/Illumos-based OmniOS saw a big LTS release, it's already been succeeded by a new release given the recent Intel MDS / Zombieload CPU vulnerabilities coming to light. There are new spins of OmniOS for all supported releases. These new OmniOS Community Edition releases mitigate against the Microarchitectural Data Sampling (MDS) vulnerabilities and also bundle in the updated Intel CPU microcode.
  • Hackers Hack A Forum For Hacked Accounts: Here’s How
    A group of hackers failed to deploy security mechanisms to secure the storage where they store hacked accounts and another hacker group hacked it. The story is indeed funny and real. Infamous forum named OGUSERS which is popular amongst hackers for obtaining “OG” Instagram, Twitter usernames, hacked accounts of Domino’s Pizza, Steam, PlayStation Network, and other online accounts was hacked by a hacker group and its data was published in another hacker forum.
  • Security Announcement: Disabling SMT by default on affected Intel processors
    This is an important announcement with an upcoming change in the next Core Update of IPFire. Because of the recent vulnerabilities in Intel processors, the IPFire team has decided, that - to keep systems as secure as possible - Simultaneous Multi-Processing (SMT) is automatically disabled if the processor is vulnerable to one of the attacks. SMT is also called Intel(R) Hyper-Threading Technology and simulates more virtual cores than the system has. This allows to perform faster processing when applications benefit from it. Unfortunately with networking, we benefit from that. Therefore the effect of disabling SMT will be a very significant performance impact of around 30% or more. Applications that will be affected in IPFire are the firewall throughput itself as well as other CPU and memory-bound tasks like the web proxy and the Intrusion Prevention System. On systems that are not vulnerable for this attack, SMT is being left enabled. If you still want to disable it, please do so in the BIOS of your firewall.

Android Leftovers

Red Hat and the rise of RHEL

If the success of the open source company Red Hat can be ascribed to one thing, it's the Enterprise Linux operating system that it releases. The company recently unveiled the general release of the latest version, RHEL 8, and it serves as a bellwether for how software development has changed over the years. Developers are now shouldering more operational responsibilities, which is largely due to the rise in the use of containers. This enables teams to use microservices to build applications. With RHEL 8, Red Hat has also placed container tools such as Buildah, Podman and Skopeo directly into the operating system.

Red Hat, Fedora and SUSE/OpenStack

  • Rook-Ceph storage Operator now on OperatorHub.io
    We are excited to announce the addition of the Rook-Ceph storage Operator to OperatorHub.io. Operators are design patterns that augment and implement common day one and day two activities with Kubernetes clusters, simplifying application deployments and empowering developers to focus on creation versus remediation. The Rook-Ceph Operator is an upstream effort that Red Hat is leading and is using as part of its work towards Red Hat OpenShift Container Storage 4. Developing and deploying cloud-native applications at scale can be complex and challenging. The new Rook-Ceph storage Operator is designed to automate the packaging, deployment, management, upgrading, and scaling of Ceph clusters that provide persistent storage to stateful applications as well as infrastructure services (logging, metrics, registry) in Kubernetes clusters. The release of Rook’s Ceph Operator augments Kubernetes scheduling with a complement of stateful storage services including block, filesystem and object storage.
  • Red Hat Satellite 6.4.3 has been released
    Red Hat Satellite 6.4.3 is generally available. The main drivers for the 6.4.3 release are a Request for Feature Enhancement (RFE) for capsule syncing control as well as general stability fixes. The capsule syncing control feature enables the user to have control over when capsule syncs occur. Traditionally the capsule sync occurs automatically after a content view is updated, but some customers may want more granular control over when the synchronization occurs. Satellite 6.4.3 introduces a new setting in Administer —> Settings —> Content —> Sync Capsules after Content View promotion.
  • Contributors are Empowered When They Know the Process
    There is a saying in the legal profession that you should never ask a question you don’t already know the answer to. Despite how this sounds, it is actually a rule most people follow in life. This is the source of that feeling you get when you’re too scared to raise your hand and ask a question. In Open Source we need to make sure that contributors feel like they already “know” the answers, so they will feel confident in making the request. As a university lecturer, I always encouraged my students to first think about what they thought the answer was and then ask the question. In some cases, I encouraged them to actually write down what they thought the answer was. In this way, they could judge both their skills and their ability to grow based on what the answer turned out to be. It created an additional feedback loop.
  • Alisha and Shraddha: Positive feedback loops in Fedora
    This post is the second introduction to the Fedora Summer Coding interns Class of Summer 2019. In this interview, we’ll meet Alisha Mohanty and Shraddha Agrawal, who are both working on Fedora Happiness Packets to promote positive feedback loops in the Fedora community.
  • The OpenStack User Survey is now open
    The 2019 OpenStack User Survey is now open and waiting for your input. Whether you’re a user of OpenStack, or an operator utilising it to power your offerings, the OpenStack Foundation (and the rest of the community) want to hear about your usage. 2018 saw the 11th OpenStack User Survey unveiled at the Berlin OpenStack Summit, giving some fantastic insight into how and where people are using OpenStack across 63 different countries. Usage in Asia surged dramatically in 2018, with 48% of respondents based in that continent, with Europe 2nd at 26% and North America 3rd with 20% of respondents.