SPOT Report - ZombieLoad

Overview

A group of security researchers have recently announced another side-channel attack on Intel processors that falls into the same class as Meltdown and Spectre, which were disclosed in 2018. The new attack has been named “ZombieLoad” and is a side-channel attack on Intel processors released since 2011. ZombieLoad allows an individual to obtain sensitive data and keys by exploiting a hardware design flaw rather than by injecting malicious code.

The exploit code has not been publicly released as of yet and is still in its infancy. At this time we do not know whether this exploit code is being used, because the attack leaves little evidence behind.

Potential Impact

The impact is to all systems that use Intel processors dating back to chips from 2011, and it extends to cloud systems, since virtual machines share physical hardware. Additionally, multiple other systems should be considered vulnerable, including all versions of operating systems, all hypervisors, all container solutions, and any code that relies on SGX enclaves to protect critical data.

The ZombieLoad attack is considered easier to exploit than Spectre but harder to exploit than Meltdown. For the attack to be successful, the attacker has to be able to run code on the machine.

Mitigation

Currently it is recommended to patch all systems and products that have patches available, including but not limited to those from Apple, Amazon, Google, Microsoft, and Mozilla. In most cases, though, this may not be enough, and it should be evaluated whether an organization is able to restrict execution on a machine to trusted applications only, or to turn off SMT (Simultaneous Multithreading, aka Hyper-Threading). Putting the patches into place may cause some systems to slow down, but most of the time it is not noticeable.
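On Linux hosts, the two questions raised above (is the patch in effect, and is SMT still on) can be answered from the kernel's own reporting. The script below is an added example, not part of the deepwatch report or the ZombieLoad researchers' material; it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/mds and /sys/devices/system/cpu/smt/control (mainline since 5.1, plus distribution backports) and classifies the strings those files contain. The sample lines in demo are constructed from the formats the kernel documentation lists, so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the deepwatch report): classify the Linux kernel's
# reported MDS/ZombieLoad mitigation state and its SMT setting.
# Assumed sysfs locations (present on kernels with the MDS mitigation):
MDS_FILE=/sys/devices/system/cpu/vulnerabilities/mds
SMT_FILE=/sys/devices/system/cpu/smt/control

# classify_mds LINE
#   Prints NOT_AFFECTED, VULNERABLE, MITIGATED_SMT_ON, MITIGATED or UNKNOWN.
#   Order matters: "Vulnerable: ... attempted, no microcode" must not be
#   mistaken for a working mitigation, so it is matched before "Mitigation:".
classify_mds() {
    case "$1" in
        "Not affected"*)                 echo NOT_AFFECTED ;;
        Vulnerable*)                     echo VULNERABLE ;;
        Mitigation:*"SMT vulnerable"*)   echo MITIGATED_SMT_ON ;;  # patched, but sibling threads still share buffers
        Mitigation:*)                    echo MITIGATED ;;         # includes "SMT disabled" and "SMT Host state unknown" (inside a VM)
        *)                               echo UNKNOWN ;;
    esac
}

# classify_smt LINE
#   Prints ON, OFF or UNKNOWN from the contents of smt/control.
#   "notsupported"/"notimplemented" means no sibling threads exist, so nothing to share.
classify_smt() {
    case "$1" in
        on)                              echo ON ;;
        off|forceoff)                    echo OFF ;;
        notsupported|notimplemented)     echo OFF ;;
        *)                               echo UNKNOWN ;;
    esac
}

# check_host
#   Reads the live sysfs files when present, prints a one-line verdict and
#   returns 0 when no action is needed, 1 when the host still needs attention
#   (unpatched, SMT still exposing sibling threads, or state not readable).
check_host() {
    mds_line=$(cat "$MDS_FILE" 2>/dev/null || echo "")
    smt_line=$(cat "$SMT_FILE" 2>/dev/null || echo "")
    mds=$(classify_mds "$mds_line")
    smt=$(classify_smt "$smt_line")
    echo "mds=$mds smt=$smt"
    case "$mds" in
        NOT_AFFECTED|MITIGATED) return 0 ;;
        *)                      return 1 ;;
    esac
}

# demo
#   Constructed sample lines in the formats documented for the mds sysfs file,
#   run through the classifier so the mapping can be checked without a real host.
demo() {
    for line in "Not affected" \
                "Vulnerable" \
                "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable" \
                "Mitigation: Clear CPU buffers; SMT vulnerable" \
                "Mitigation: Clear CPU buffers; SMT disabled"; do
        printf '%-72s -> %s\n' "$line" "$(classify_mds "$line")"
    done
}

demo
check_host || echo "action needed (or mds sysfs entry not present on this host)"
```

A MITIGATED_SMT_ON result is the case the text warns about: the kernel patch is active, but a hyperthread sibling on the same core can still run untrusted code, so either SMT is turned off or the host is restricted to trusted workloads. Inside a virtual machine the guest reports "SMT Host state unknown", so the SMT decision has to be made on the hypervisor, not from within the guest.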

Detection

Tenable plugins have been released; please see the link below for the list. Qualys has released two QIDs for Amazon Linux: 35169 and 35170. At present both checks require authentication.

Here is a link to the 26 Tenable plugin IDs:

https://www.tenable.com/plugins/search?q=%22CVE-2018-12130%22%20AND%20cves%3A(%22CVE-2018-12130%22)&sort=&page=1

If you are a Vulnerability Management customer with deepwatch, your vulnerability management SME will communicate with you regarding which assets in your environment are considered vulnerable.

Managing Risk

All organizations should weigh the risk against the mitigations that can be put in place, taking into consideration where the assets are, and prioritize laptops and desktops along with cloud devices in order to mitigate ZombieLoad.

It should also be taken into consideration that there are no actively known attacks on this vulnerability, but there is an active proof of concept (PoC) that was released by the researchers who disclosed ZombieLoad.

Contributors

Samuel Harris – Vulnerability Management Practice Lead
Dave Farquhar – Vulnerability Management Subject Matter Expert
Kate Boucher – Vulnerability Management Subject Matter Expert
Jen O’Neil – Vulnerability Management Subject Matter Expert
