
Intel CPUs Since Haswell Vulnerable to "Zombieload v2" Attacks, "Cascade Lake" Included

The very flaw Intel is now fixing (hopefully completely) is the very security flaw Intel said they had fixed/repaired already 6 months ago. Except that they didn't back then, but lied (sic!) about it instead, even though they knew better. So if anyone wonders who came up with it, it was a university some people may remember now …
https://zombieloadattack.com/ said:
We disclosed Variant 2 to Intel on April 23rd, 2019, and communicated that the attacks work on Cascade Lake CPUs on May 10th, 2019. On May 12th, 2019, the variant was put under embargo and, thus, was not published with the previous version of our ZombieLoad attack on May 14th, 2019.
This is part of normal vulnerability disclosure process.
Yeah, as many have been saying for a while and as we all should know by now, the very day Meltdown & Spectre went public, Intel reflexively entered another (st)age of their infamous mode ›Cover-up‹. It seems to be an age of fraud actually.

I mean, consider how long they had been informed about the issues back in the middle of 2017, well in advance of anyone else, and how little they did. They kept quiet about everything, and most likely they would have liked to keep everything under the rug. It's just that the Linux kernel developers went public in January '18 because they got so darn fed up with how Intel handled all this that they leaked it anyway, after over half a year in which Intel did exactly no·thing, not even inform OEMs.

Funny enough, the Linux kernel developers even vastly helped Intel get rid of those flaws without ANYONE noticing, to such an extent that only a handful of kernel developers (and only the most trusted ones) brought in the kernel patches silently, with·out ANY info on what exactly they were doing, just around Christmas 2017 (when everyone is with their family and hopefully no-one would take notice of it), a stark and utterly extreme novelty that had never happened before in the rather transparent open-source community. That being said, it escalated as Intel demanded more and more from them, effectively having them do the work of hiding Intel's dirty laundry, until it blew up publicly as even the few involved got sick to the back teeth of how Intel was handling it.
Everyone involved was informed of the issues back in June 2017. This includes at least Intel, AMD, ARM, IBM, Microsoft, Apple and some other hardware or software vendors. The responsible disclosure process is pretty standard, and for this type of product and complex issue, time frames of 3-6 months between reporting the vulnerability to the vendor and making it public are fairly common.

Spectre and Meltdown were intended to be made public in early January 2018 - 8th, if I remember correctly - alongside mitigation patches from vendors. Since Linux kernel development is open, it got patches in late December (later than other OS vendors, probably for the exact reason of what actually happened). There was discussion, suspicions and people quickly deduced what these patches were about or close enough, prompting earlier-than-planned publication of Spectre and Meltdown.
That's just because they're constantly propping themselves up by buying their own stock en masse.
...
So they're actively using the sudden fall in their own stock price after the quarterly results go public to buy their fallen stock in large numbers. If that isn't already sketchy, I don't know what is …
Depends on whether Intel really believes what they are saying publicly. They always twist the meaning for publicity purposes but are otherwise fairly straightforward about what they are doing. Nothing has been said about a stock buyback, but Intel's CFO did say they "expect to have heightened competition over the next 18 to 24 months" (read: they are screwed). If a company has cash at hand, this sounds like a perfect time to do stock buybacks. Especially if they intend to achieve a comeback after that.
 
New week, new Intel vulnerability. Intel, we are dirty! :D
 
Welcome to TPU, @Neverdie, and nice nick, it represents a goal of mine...
 
Typical of Intel CPUs.. I am sure they will learn from their mistakes :/
 
Intel claims they will be addressing 67 out of 77 security vulnerabilities found internally by Intel, as part of the Intel Platform Update (IPU) process.

[attached image (Untitled.jpg): the table of IPU advisories referred to below]

In the table, updates are ordered from highest overall severity rating to lowest to give you a sense of how to prioritize deployment.

 
IMO, you would be crazy to buy an Intel CPU until their new architecture comes out around 2022.
 
Add in all of the other various mitigations and patches and that number you quoted is much higher. I really have to wonder how much slower these chips are in actual real-world numbers with all of these mitigations in place.

It comes from the idea that every single mitigation we have to implement has resulted in a loss of performance. Why is that? Is it perhaps because the chip wasn't doing something it should have been doing in the first place, but was ignoring it for the sake of performance? We'll never know for sure. It's a conspiracy.
I was exaggerating heavily, poking fun at Intel, in that by the time all of these "glued together" vulnerability fixes are done and added up, you'd end up with a CPU that's about 4% as capable as what it was originally sold and marketed to consumers as.
 
I'm more and more starting to think all of these discoveries are here to help Intel gain more sales on newer "even more secure" products and force customers to phase out old, still capable hardware faster. They don't care much about Westmere and Sandy, but Haswell and its derivatives are still strong.
 
When will Intel learn?

They will TRULY learn only when consumers and businesses start using their brains instead of their wallets, i.e. not any time soon.

But your question runs deeper: when will people learn? With the root of trust lying solely in Intel's hands (or any other manufacturer's, for that matter) there can be no such thing as true security. We need a paradigm shift.
 
Who comes up with this mainstream gaming nomenclature?

The researchers, usually. NetCAT in particular is most likely a reference to the Unix cat command, used to dump file contents.
 
I'm more and more starting to think all of these discoveries are here to help Intel gain more sales on newer "even more secure" products and force customers to phase out old, still capable hardware faster. They don't care much about Westmere and Sandy, but Haswell and its derivatives are still strong.
Definitely, there is a cultural appropriation going on.
The researchers, usually. NetCAT in particular is most likely a reference to the Unix cat command, used to dump file contents.
Fine. But, Zombieload? Anybody remember the time Intel marketed Plants vs Zombies and made fun of F1 simulators?
 
What can they even do? It's becoming more and more evident that they simply had no security considerations whatsoever all these years when all of these things were implemented.

Nearly no design from the era Skylake comes from does. They are all rooted in the same design-era paradigms of being able to run "trusted code."

AMD's Ryzen has a lot of those designs too, but is largely understudied. Still, being newer, it's not surprising it's doing better and only has Spectre v2 so far.

Everyone really needs to start again at the drawing board, but understandably, no one wants to, especially if it will just perform worse.
Fine. But, Zombieload?

Also the researchers' proposed name, as the MDS vulnerability whitepaper states.

I really don't think Intel is trying to make these sound non-nefarious with names like "ZombieLoad".
 
I really don't think Intel is trying to make these sound non-nefarious with names like "ZombieLoad".
They have a new department just for these kinds of things, you know. It is called the Product Assurance and Security Group. What better way to sell an idea than making it sound like a standalone product.
 
They have a new department just for these kinds of things, you know. It is called the Product Assurance and Security Group. What better way to sell an idea than making it sound like a standalone product.

It sounds like marketing. Yeah, that happens. These names were still researcher-chosen; that tends to be the case, and yes, the researchers like attention, thus they get sensational names.
 
You're forgetting AMD has stated a couple of times, when questioned if Ryzen was affected by the same Intel exploits, that AMD didn't shortcut security for performance.

I don't buy into the idea that any of these were "shortcuts".

Skylake at its core is a very tuned Sandy Bridge-style design. These types of cores were born in an era where everyone was doing things this way. It wasn't a "shortcut," it was a design assumption that you could trust your code.

It gave us such things as speculative execution, which AMD also utilizes but apparently has done some level of tweaking to harden.

There is a reason Meltdown also affected old ARM chips, you know. But at least ARM got off its butt and introduced arm64.
 
I don't buy into the idea that any of these were "shortcuts".

Skylake at its core is a very tuned Sandy Bridge core. These types of cores were born in an era where everyone was doing things this way.

There is a reason Meltdown also affected old ARM chips, you know. But at least ARM got off its butt and introduced arm64.
You have it mistaken though: this isn't about the cores, rather that the address generator is affected. In essence, a separate core that has been discreetly positioned outside of successive hardware generations. They'll need a completely new memory bus to move ahead. AMD is the better memory expert. We'll see how easily Intel deals with a major interference anyway, so don't take my word for it.
 
These names were still researcher-chosen; that tends to be the case, and yes, the researchers like attention, thus they get sensational names.
Or, you know, they were fans of Resident Evil, TWD et al.? I feel TV doesn't get the kind of recognition it deserves in the tech industry; not just this per se, but lots of innovations in tech have been "telecast" on TV first.
 
New vulnerability for Intel CPUs? So what? Intel is throwing $$$$$ all over the Internet to inform us that their 6-core i5 dropped under $200 (there are a number of articles all over the internet from multiple sites with almost identical titles informing us about that). We should focus on that, people, not on Intel's CPUs being like Swiss cheese.
Cascade Lake, brought to you by the makers of Swiss(?) Cheese - soon to be seen in a Microcenter near you :laugh:
Good job putting a (?) .... because that expression is idiotic (but well established thanks to ignorance): the expression is originally about Gruyère cheese, and between two Gruyères, the one with the most holes in it is usually the fake French one lacking the A.O.P. and also lacking in taste.
Rarely any holes in a Swiss cheese.... we do not cheap out on the total mass!

Other than that, about the news .... "ohhhhh looook... I didn't expect that at all!" (sarcasm ofc) is the effect.
Funny in the end that anything that gave Intel an edge is turning out to be a vulnerability ....

Oh, well... that comforts me in thinking an R5 3600/3600X or R7 3700/3700X is more desirable than a 9900KS.
 
The question that always comes to mind for me: Are AMD processors really any more secure, or are we just not aware of their vulnerabilities because they're under substantially less scrutiny, and much less testing is geared towards them?

Well, do you remember CTS Labs, a security firm from Israel that Intel "allegedly" paid hundreds of thousands if not millions to discover bugs in AMD systems? The only thing they came up with (other than catchy names for the bugs, e.g. RyzenFall) was a few really hard to implement, must-have-physical-access-to-the-computer type bugs; some of those chipset bugs also existed in Intel systems, but Intel was not mentioned. Hardly compares to being hacked by visiting a website, as with most Intel CPU bugs.

If there were any actual bugs, believe that Intel would make us aware of them; it would be on the news, on the radio warning people about it. Doesn't it seem weird that all these Intel CPU bugs haven't made the mainstream media: news, radio, TV, etc.? Intel has even come out and said to disable Hyper-Threading in all but their latest CPUs; shouldn't the general public know about this?
 
I measured a 13% performance penalty in CPU-bound gaming scenarios between Spectre/Meltdown fixes on vs off. There's a big performance penalty on random write speed on my SSDs too. Definitely have them disabled on Broadwell CPUs, don't know about others.
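A practical check for the "fixes on vs off" toggling discussed in the post above, added here as an example and not code from any post in this thread or from Intel: the Linux kernel reports, per issue, whether it considers the CPU vulnerable, mitigated or not affected, as one text file per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2, l1tf, mds and, on kernels carrying the TAA patches, tsx_async_abort). The script classifies those status lines, flags the "SMT vulnerable" case where the MDS/TAA buffer-clearing mitigation is active but Hyper-Threading is still on, and reads the SMT state. The directory and SMT file are parameters (assumption: defaults as named here) so the functions can be exercised against a constructed copy offline; the status strings quoted in the comments are the formats the kernel admin guide documents.

```sh
#!/bin/sh
# Added example, not code from the thread, from Intel or from the kernel
# project. Summarises the per-issue mitigation status the Linux kernel
# publishes as one text file per issue under
# /sys/devices/system/cpu/vulnerabilities/ (assumed default path).
# Paths are parameters so the functions run against a constructed directory.

# Map one kernel status line to a coarse class. Formats as documented in the
# kernel admin guide (hw-vuln), e.g.:
#   "Not affected"
#   "Vulnerable"
#   "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable"
#   "Mitigation: PTI"
#   "Mitigation: Clear CPU buffers; SMT vulnerable"  <- buffers cleared, HT still on
classify_status() {
    case "$1" in
        "Not affected"*)                  echo not_affected ;;
        "Vulnerable"*)                    echo vulnerable ;;
        "Mitigation:"*"SMT vulnerable"*)  echo partial ;;
        "Mitigation:"*)                   echo mitigated ;;
        *)                                echo unknown ;;
    esac
}

# Print "<issue> <class> <raw status>" for every file in the directory.
# Returns 1 if anything is vulnerable or only partially mitigated, 2 if the
# directory is missing (kernel too old to report), 0 otherwise.
report_mitigations() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    [ -d "$dir" ] || { echo "no $dir: kernel does not report mitigation status" >&2; return 2; }
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        class=$(classify_status "$status")
        case "$class" in vulnerable|partial) rc=1 ;; esac
        printf '%-18s %-12s %s\n' "$(basename "$f")" "$class" "$status"
    done
    return $rc
}

# Number of issues in a given class, e.g. count_class "$dir" vulnerable
count_class() {
    report_mitigations "$1" | awk -v c="$2" '$2 == c { n++ } END { print n + 0 }'
}

# SMT (Hyper-Threading) state from /sys/devices/system/cpu/smt/active
# (assumed default path; 1 = sibling threads online). The MDS/TAA
# "Clear CPU buffers" mitigation leaves a cross-thread window open while SMT
# is on, which is why the kernel appends "SMT vulnerable" above.
smt_state() {
    f=${1:-/sys/devices/system/cpu/smt/active}
    [ -r "$f" ] || { echo unknown; return; }
    case "$(cat "$f")" in
        1) echo on ;;
        0) echo off ;;
        *) echo unknown ;;
    esac
}

# Report on the live system when executed as a file named mitigations.sh
# (assumed name); sourcing the file only defines the functions.
case "$0" in
    *mitigations.sh) report_mitigations; echo "smt: $(smt_state)" ;;
esac
```

A "partial" line for mds or tsx_async_abort together with "smt: on" means the buffer-clearing fix is in place but a sibling thread on the same core can still leak across it, which is the situation behind the advice to disable Hyper-Threading mentioned elsewhere in this thread; "Vulnerable: ... no microcode" means the kernel side is present but the microcode the fix depends on is not.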
 
Intel servers have been a hacker's dream for quite a while now...
 
Having read the whitepaper pdf, in section 4 the required parameters of an attack vector once again require physical access to the target machine and being logged into an admin account(Windows or Linux). Remote attacks can not work. Once again, for the vast majority of average users, this is much ado about nothing...
 
Intel servers have been a hacker's dream for quite a while now...

Oh? You know that how? You are aware that the vast majority of servers are currently running on Intel, right? Can you produce some white papers on the intrusions into hypervisors these have provided?

It's just, you know, I know that a lot of these cloud providers run on clusters, and these nodes carry the weight of VMs with tasks being distributed to them. So while it's super cool that a mere 48 bits of memory of god knows what can, in a lab, be gleaned from a VM's memory address space via the host, I've yet to see anyone perform the experiment on other hypervisors or in the type of environment most of these large services run in.

I'll standby. Thank you.
 
Oh? You know that how? You are aware that the vast majority of servers are currently running on Intel, right? Can you produce some white papers on the intrusions into hypervisors these have provided?

It's just, you know, I know that a lot of these cloud providers run on clusters, and these nodes carry the weight of VMs with tasks being distributed to them. So while it's super cool that a mere 48 bits of memory of god knows what can, in a lab, be gleaned from a VM's memory address space via the host, I've yet to see anyone perform the experiment on other hypervisors or in the type of environment most of these large services run in.

I'll standby. Thank you.

Why am I attributed to this?

No, they haven't, btw.

Having read the whitepaper pdf, in section 4 the required parameters of an attack vector once again require physical access to the target machine and being logged into an admin account(Windows or Linux). Remote attacks can not work. Once again, for the vast majority of average users, this is much ado about nothing...

Physical access is not needed. Admin is. Remote or not is irrelevant.

This may be not much, but again, another tool for the malware toolbox.
 