All Intel chips since 2011 vulnerable to new ZombieLoad attack
15 May 2019
All Intel chips dating back to 2011 are vulnerable to a group of bugs, collectively known as ZombieLoad, that cause Intel processors to leak sensitive data including passwords, private keys, and private messages.
ZombieLoad was discovered by security researchers at Graz University of Technology and imec-DistriNet, KU Leuven, who described an attack built on four bugs that exploit the fill buffers in Intel chips to obtain secrets currently being processed by other running programmes.
Information obtained using ZombieLoad may include browser history, website content, user keys, passwords, and disk encryption keys. While AMD and ARM chips do not contain these bugs, all desktops, laptops and cloud computers containing Intel processors dating back to 2011 are susceptible to data leaks because of the presence of the four bugs.
According to security researchers at Cyberus Technology and Graz University of Technology, ZombieLoad belongs to the class of microarchitectural data-sampling attacks, in which an attacker running unprivileged code on a device with an Intel CPU steals data from other programmes running on the same device, such as other applications, secure enclaves, VMs, or the operating system kernel.
Basically, ZombieLoad is a transient-execution attack that "observes the values of memory loads on the current physical core from a sibling thread. It exploits that the memory subsystem is shared among the logical cores of a physical core," the researchers said in a blog post.
The attacker has no direct control over which data the physical CPU core is loading; but because that same core also services loads made by the kernel, by other applications or by code outside the attacker's VM, an attacker whose code runs on the sibling logical core can sample values from those loads as the core leaks them.
Much of what leaks belongs to processes the attacker does not care about, and the attacker cannot simply select which data leaks, but the attack still pays off when the sampled data belongs to a high-value application such as a password manager or a browser. The researchers also demonstrated recovering AES keys from a victim's encryption routine running on the sibling thread.
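A defender's first question after reading the above is whether a given Linux host is still exposed. The script below is an added example, not code from the article or from the ZombieLoad researchers: it reads the MDS status file and the SMT control file that the Linux kernel exposes under /sys/devices/system/cpu, checks for the md_clear flag that updated microcode reports in /proc/cpuinfo, and classifies the host. The sample status strings at the bottom are constructed for illustration, not captured from a real machine; the verdict labels (ok, partial-smt, exposed, exposed-no-microcode) are this script's own naming.

```shell
#!/bin/sh
# Added example: classify a Linux host's MDS/ZombieLoad mitigation state.
# Inputs are passed as arguments so the logic can be exercised on constructed
# strings as well as on the live host.

# assess_mds MDS_STATUS SMT_CONTROL CPU_FLAGS
#   MDS_STATUS : contents of /sys/devices/system/cpu/vulnerabilities/mds
#   SMT_CONTROL: contents of /sys/devices/system/cpu/smt/control
#   CPU_FLAGS  : the "flags" line of /proc/cpuinfo
# Prints one verdict token: ok | partial-smt | exposed | exposed-no-microcode
assess_mds() {
    mds="$1"; smt="$2"; flags="$3"

    case "$mds" in
        "Not affected"*)
            # The kernel knows this CPU (e.g. AMD, or later Intel steppings) is not affected.
            echo ok; return 0 ;;
    esac

    case "$mds" in
        Mitigation:*)
            # The kernel clears the CPU buffers (VERW) on privilege transitions. That
            # stops leaks across syscalls and VM exits, but a sibling hyperthread still
            # shares the fill buffers, so the host is only fully mitigated with SMT off.
            case "$smt" in
                off|forceoff|notsupported) echo ok ;;
                *) echo partial-smt ;;
            esac ;;
        *)
            # No mitigation active. Distinguish "mitigation switched off" from
            # "microcode too old to clear the buffers" via the md_clear CPUID flag.
            case " $flags " in
                *" md_clear "*) echo exposed ;;
                *) echo exposed-no-microcode ;;
            esac ;;
    esac
}

# check_host: run assess_mds against the live system's sysfs and cpuinfo.
check_host() {
    mds_file=/sys/devices/system/cpu/vulnerabilities/mds
    smt_file=/sys/devices/system/cpu/smt/control
    if [ ! -r "$mds_file" ]; then
        # Kernels predating the MDS patches do not expose this file at all,
        # which itself means the VERW mitigation is absent.
        echo "unknown: $mds_file not present (kernel has no MDS mitigation support)"
        return 2
    fi
    mds=$(cat "$mds_file")
    smt=$(cat "$smt_file" 2>/dev/null || echo notimplemented)
    flags=$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2)
    echo "mds status : $mds"
    echo "smt control: $smt"
    echo "verdict    : $(assess_mds "$mds" "$smt" "$flags")"
}

# Constructed sample states (not captured from a real host):
assess_mds "Mitigation: Clear CPU buffers; SMT vulnerable" on "fpu sse2 md_clear"       # -> partial-smt
assess_mds "Mitigation: Clear CPU buffers; SMT disabled" off "fpu sse2 md_clear"        # -> ok
assess_mds "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable" on "fpu sse2"  # -> exposed-no-microcode
assess_mds "Vulnerable" on "fpu sse2 md_clear"                                          # -> exposed
assess_mds "Not affected" on "fpu sse2"                                                 # -> ok

# Only query the real host when the kernel exposes the status file.
if [ -r /sys/devices/system/cpu/vulnerabilities/mds ]; then
    check_host
fi
```

A verdict of partial-smt is the common state on patched hosts: the kernel's buffer clearing closes the kernel-to-user and guest-to-host paths, but a process sharing a physical core with an attacker's thread can still be sampled. Closing that path means either disabling SMT (for example with mds=full,nosmt on the kernel command line) or ensuring untrusted code is never scheduled on a sibling thread of a sensitive workload. An "unknown" result is a finding in itself, since a kernel without the status file has no MDS mitigation to report.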
"This vulnerability represents a scary reality that's actually been around for quite a while – attackers exploiting the identities of machines to obtain sensitive data. Things like code signing keys, TLS digital certificates, SSH keys are all incredibly valuable targets, and chip vulnerabilities like this make it possible for hackers to steal these critical security assets when running on nearby cloud and virtual machines," says Kevin Bocek, VP of Security Strategy & Threat Intelligence at Venafi.
"Security teams need to accept that they won’t be able to avoid vulnerabilities like ZombieLoad; instead they need to focus on protecting the keys and certificates attackers are targeting. Properly responding to a chip vulnerability requires complete visibility of where all keys and certificates are located, intelligence on how they are being used and the automation to replace them in seconds, not days or weeks.
"Security professionals should consider vulnerabilities like ZombieLoad a dress rehearsal for the day quantum computing breaks all machine identities," he adds.