New Intel MDS Vulnerabilities Allow Sensitive Data to Be Accessed from CPUs

Four Microarchitectural Data Sampling (MDS) vulnerabilities have been discovered in Intel processors which could be exploited using a variety of different attack methods to gain access to sensitive information.

The flaws can be exploited on computers as well as in cloud environments and can allow information to be obtained from the operating system, applications, virtual machines, and trusted execution environments. The information that can be leaked includes browser histories, passwords, website content, and disk encryption keys. While the flaws can be exploited through malware that has been downloaded onto a targeted device, attacks over the Internet are also possible.

The flaws have been assigned the CVE numbers: CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, and CVE-2018-12130. The attack methods that can be used to exploit the vulnerabilities have been named ZombieLoad, Rogue In-Flight Data Load (RIDL), Fallout, and Store-to-Leak Forwarding.

Several security researchers identified the vulnerabilities while investigating side-channel vulnerabilities such as Meltdown and Spectre. The new flaws represent a new class of vulnerabilities, present in a different area of the CPU from the one affected by Spectre and Meltdown. The vulnerabilities were disclosed to Intel, which was given time to issue firmware updates to address the flaws prior to the public disclosure. Intel said it was aware of the flaws and that its own researchers had previously identified the vulnerabilities.

The flaws concern the interception of data in transit rather than data at rest, as was the case with Spectre and Meltdown. With both of those vulnerabilities, stored data could be read from the CPU cache, where it sits waiting to be used. The latest vulnerabilities affect data in the CPU's internal buffers, the area of the processor through which data passes while operations are being executed.

Data in the buffers should not be readable by users except in very specific circumstances, but by making certain calls it is possible to read data from the buffers and bypass security boundaries. This is particularly serious in multi-tenant cloud environments, as software running in one user's environment can intercept data sitting in the buffers on behalf of another user's environment, which should not be possible.

Fortunately, exploiting the four vulnerabilities is a complex process and would likely be beyond the capabilities of most malware developers, according to Intel. While typical hackers and malware developers may struggle to exploit the vulnerabilities, highly skilled and well-financed threat actors such as nation state-backed hacking groups may have greater success and could use the vulnerabilities to attack high value targets that use multi-tenant cloud environments and virtualized server data centers.

Intel has now corrected the vulnerabilities in all new CPUs manufactured from April, and several software vendors – including Microsoft, Apple, and Linux – have released micropatches to correct the flaws in their latest round of updates. AWS is protected against attacks, IBM is rolling out patches, and Google has corrected the flaws in G Suite and the Google Cloud Platform, although some users may need to take action to prevent exploitation of the flaws. Other companies are in the process of correcting the vulnerabilities.
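Because the fixes described above arrive in two pieces (a kernel or OS update plus updated CPU microcode), administrators usually want a quick way to confirm both landed. The following is an added example, not code from the article or from Intel: on Linux, the kernel reports its MDS status in `/sys/devices/system/cpu/vulnerabilities/mds`, and MDS-aware microcode advertises the `md_clear` flag in `/proc/cpuinfo`. The script parses both into a small report; the sample strings in the `__main__` block are constructed for illustration, and the file paths are the kernel's standard locations.

```python
"""Report Linux MDS mitigation status from sysfs and /proc/cpuinfo.

Added example (not from the original article). Assumes a Linux host whose
kernel exposes the MDS sysfs entry; run it on a real host to read live values,
or call assess() with captured text from another machine.
"""
import os
import re

MDS_SYSFS = "/sys/devices/system/cpu/vulnerabilities/mds"
CPUINFO = "/proc/cpuinfo"


def classify_mds_status(line):
    """Map the kernel's one-line MDS status to a coarse category."""
    line = line.strip()
    if line.startswith("Not affected"):
        return "not_affected"
    if line.startswith("Mitigation:"):
        return "mitigated"
    if line.startswith("Vulnerable"):
        # "Vulnerable: Clear CPU buffers attempted, no microcode" means the
        # kernel is patched but the CPU cannot actually flush the buffers.
        if "no microcode" in line:
            return "vulnerable_no_microcode"
        return "vulnerable"
    return "unknown"


def smt_state(line):
    """Extract the SMT suffix (e.g. 'vulnerable', 'disabled'), if present."""
    m = re.search(r";\s*SMT\s+(.+)$", line.strip())
    return m.group(1).strip() if m else None


def has_md_clear(cpuinfo_text):
    """True when the first CPU's flags line advertises md_clear."""
    for row in cpuinfo_text.splitlines():
        if row.startswith("flags"):
            return "md_clear" in row.split(":", 1)[1].split()
    return False


def assess(mds_line, cpuinfo_text):
    """Combine kernel status and microcode capability into findings."""
    status = classify_mds_status(mds_line)
    smt = smt_state(mds_line)
    findings = []
    if status in ("vulnerable", "vulnerable_no_microcode"):
        findings.append("kernel reports MDS unmitigated")
    needs_microcode = status != "not_affected" and (
        status == "vulnerable_no_microcode" or not has_md_clear(cpuinfo_text)
    )
    if needs_microcode:
        findings.append("md_clear missing: CPU microcode lacks buffer clearing")
    if smt and smt.lower() == "vulnerable":
        # Buffer clearing does not help against a sibling hyperthread.
        findings.append("SMT enabled: sibling threads can still sample buffers")
    return {"status": status, "smt": smt, "findings": findings}


def read_live():
    """Read the real files on a Linux host; None if they are absent."""
    if not (os.path.exists(MDS_SYSFS) and os.path.exists(CPUINFO)):
        return None
    with open(MDS_SYSFS) as f, open(CPUINFO) as g:
        return assess(f.read(), g.read())


if __name__ == "__main__":
    # Constructed sample: patched kernel, MDS-aware microcode, SMT still on.
    sample_mds = "Mitigation: Clear CPU buffers; SMT vulnerable\n"
    sample_cpuinfo = "processor\t: 0\nflags\t\t: fpu vme sse2 md_clear\n"
    print(read_live() or assess(sample_mds, sample_cpuinfo))
```

A host is only fully covered when the status is `mitigated`, `md_clear` is present, and the SMT suffix is `disabled` or `mitigated`; a `mitigated` line with `SMT vulnerable` is the case the cloud and virtualization caveat in the text refers to.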

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news