All Intel chips since 2011 vulnerable to new ZombieLoad attack
15 May 2019
All Intel chips dating back to 2011 are vulnerable to a group of bugs known as ZombieLoad that causes Intel processors to leak sensitive data including passwords, private keys, and private messages.
The presence of ZombieLoad was first observed by a group of security researchers at Graz University of Technology and imec-DistriNet, KU Leuven who noted that the attack involved four bugs exploiting the fill buffers in Intel chips to get hold of secrets currently processed by other running programmes.
Information obtained using ZombieLoad may include browser history, website content, user keys, passwords, and disk encryption keys. While AMD and ARM chips do not contain these bugs, all desktops, laptops and cloud computers containing Intel processors dating back to 2011 are susceptible to data leaks because of the presence of the four bugs.
According to security researchers at Cyberus Technology and Graz University of Technology, ZombieLoad comes under the category of data-sampling attacks that involve attackers running unprivileged code on devices with Intel CPUs and stealing data from other programmes running on the same device such as other applications, secure enclaves, VMs, or the operating system kernel.
Basically, ZombieLoad is a transient-execution attack that “observes the values of memory loads on the current physical core from a sibling thread. It exploits that the memory subsystem is shared among the logical cores of a physical core,” the researchers said in a blog post.
Even though an attacker has no direct control over the data the physical CPU core is processing, because the core is loading data from kernel space, from other applications or from outside the VM, the attacker can sample the data used by those other processes and applications as the core leaks it.
While much of the leaked data may not interest attackers, since it may originate from irrelevant processes, deploying ZombieLoad can still be fruitful if they get access to data used by vital applications such as password managers or browsers. Attackers can also observe sections of the shared AES encryption/decryption routines as they pass through the cache to gain access to encrypted AES keys.
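As an added example (not code from the article or from the researchers), the following Python script shows the check a Linux administrator would run to see whether a host is exposed to this attack. The Linux kernel reports ZombieLoad together with the related data-sampling bugs under the name "mds" in sysfs, and separately reports whether SMT (Hyper-Threading) is active; the SMT state matters because, as described above, the attack samples loads made by a sibling thread on the same physical core. The sysfs paths and status strings used here are the kernel's own; the verdict categories and sample inputs are this example's constructed assumptions.

```python
"""Linux exposure check for MDS-class attacks such as ZombieLoad.

Added example, not code from the article or the researchers. It reads the
kernel's own reporting (the kernel groups ZombieLoad with the other
data-sampling bugs under the name "mds"):
  /sys/devices/system/cpu/vulnerabilities/mds   mitigation state
  /sys/devices/system/cpu/smt/active            "1" if sibling hyperthreads run
The parsing and decision logic is kept in pure functions that take file
contents as strings, so it can be exercised offline on constructed input.
"""
from __future__ import annotations

from pathlib import Path

MDS_FILE = Path("/sys/devices/system/cpu/vulnerabilities/mds")
SMT_ACTIVE_FILE = Path("/sys/devices/system/cpu/smt/active")


def parse_mds(text: str) -> dict:
    """Split the kernel's one-line mds status into mitigation state and SMT note.

    Lines the kernel emits look like:
      Not affected
      Vulnerable
      Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
      Mitigation: Clear CPU buffers; SMT vulnerable
      Mitigation: Clear CPU buffers; SMT disabled
    """
    main, _, smt_note = text.strip().partition(";")
    main = main.strip()
    if main == "Not affected":
        state = "not_affected"
    elif main.startswith("Mitigation:"):
        state = "mitigated"
    elif main.startswith("Vulnerable"):
        state = "vulnerable"
    else:
        state = "unknown"  # empty file or unrecognised text
    return {"state": state, "detail": main, "smt_note": smt_note.strip()}


def assess(mds_text: str, smt_active: bool) -> tuple[str, list[str]]:
    """Combine the mds status and SMT state into a verdict plus reasons.

    Verdicts (this example's own labels): "ok", "exposed",
    "partially_mitigated", "unknown". The SMT check matters because
    ZombieLoad samples loads made by the sibling logical core of the same
    physical core: clearing CPU buffers on privilege transitions does not
    help while an attacker thread runs alongside the victim on the other
    hyperthread.
    """
    info = parse_mds(mds_text)
    reasons: list[str] = []
    if info["state"] == "unknown":
        reasons.append("kernel does not report an mds status (too old, or file missing)")
        return "unknown", reasons
    if info["state"] == "not_affected":
        reasons.append("kernel reports: Not affected")
        return "ok", reasons
    reasons.append(f"kernel reports: {info['detail']}")
    if info["state"] == "vulnerable":
        return "exposed", reasons
    # Mitigated: buffers are cleared, but SMT still leaves sibling threads
    # sharing the core's fill buffers.
    if smt_active:
        reasons.append("SMT is active: a sibling hyperthread shares this core's fill buffers")
        return "partially_mitigated", reasons
    reasons.append("SMT is off")
    return "ok", reasons


def read_file(path: Path) -> str:
    """Return the file's text, or "" when it cannot be read (old kernel, no sysfs)."""
    try:
        return path.read_text()
    except OSError:
        return ""


def check_host() -> tuple[str, list[str]]:
    """Assess the machine this script runs on."""
    smt_active = read_file(SMT_ACTIVE_FILE).strip() == "1"
    return assess(read_file(MDS_FILE), smt_active)


if __name__ == "__main__":
    verdict, reasons = check_host()
    print(f"ZombieLoad/MDS exposure: {verdict}")
    for reason in reasons:
        print(f"  - {reason}")
```

Run it as an ordinary user on a Linux host; no privileges are needed to read these sysfs files. A "partially_mitigated" verdict is the case most worth acting on: the kernel's buffer clearing is in place, but with SMT left on an unprivileged process scheduled on the sibling hyperthread still shares the physical core with its victim, which is exactly the condition the researchers describe.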
“This vulnerability represents a scary reality that’s actually been around for quite a while – attackers exploiting the identities of machines to obtain sensitive data. Things like code signing keys, TLS digital certificates, SSH keys are all incredibly valuable targets, and chip vulnerabilities like this make it possible for hackers to steal these critical security assets when running on nearby cloud and virtual machines,” says Kevin Bocek, VP of Security Strategy & Threat Intelligence at Venafi.
“Security teams need to accept that they won’t be able to avoid vulnerabilities like ZombieLoad; instead they need to focus on protecting the keys and certificates attackers are targeting. Properly responding to a chip vulnerability requires complete visibility of where all keys and certificates are located, intelligence on how they are being used and the automation to replace them in seconds, not days or weeks.
“Security professionals should consider vulnerabilities like ZombieLoad a dress rehearsal for the day quantum computing breaks all machine identities,” he adds.