This is a new attack allowing encryption keys and other sensitive info to be stolen by another process running on the same processor. Apparently there is a microcode update available from Intel.
I expect sysadmins are going to be busy for a while?
I don’t envy them as this is just brutal. Affects a ton of Intel CPUs, pain in the ass to detect, has a patch that might butcher performance. Ugh.
And it’s a major compromise
It's highly unlikely to butcher the performance of any useful applications.
AWS says they're not affected.
I'm not sure about other cloud services.
Between this and zenbleed, it seems like this sort of “leaked data between processes on the same core” vulnerability is picking up steam. Wonder if we're going to see a whole class of them like Spectre
we already have - this wiki article has a table. you can see the year as part of the assigned CVE number, there was a flurry of them back in 2017/2018, and then a relatively quiet period, and activity on them seems to be picking back up recently.
there's been enough of them that lscpu on a Linux box will print out the vulnerabilities it knows about and whether there are any mitigations in place.
from one of my laptops, for example, a Core i5-7200U which is from 2016 and so seems to require mitigations for a whole raft of them:
Vulnerabilities:
Itlb multihit: KVM: Mitigation: VMX disabled
L1tf: Mitigation; PTE Inversion; VMX conditional cache flushes, SMT vulnerable
Mds: Mitigation; Clear CPU buffers; SMT vulnerable
Meltdown: Mitigation; PTI
Mmio stale data: Mitigation; Clear CPU buffers; SMT vulnerable
Retbleed: Mitigation; IBRS
Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl
Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Spectre v2: Mitigation; IBRS, IBPB conditional, STIBP conditional, RSB filling, PBRSB-eIBRS Not affected
Srbds: Mitigation; Microcode
Tsx async abort: Not affected
meanwhile, a much newer Ryzen 9 5900X requires mitigations for significantly fewer:
Vulnerabilities:
Itlb multihit: Not affected
L1tf: Not affected
Mds: Not affected
Meltdown: Not affected
Mmio stale data: Not affected
Retbleed: Not affected
Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp
Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Spectre v2: Mitigation; Retpolines, IBPB conditional, IBRS_FW, STIBP always-on, RSB filling, PBRSB-eIBRS Not affected
Srbds: Not affected
Tsx async abort: Not affected
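An added example (not part of the thread and not any commenter's code): a small Python script that classifies status lines like the lscpu listings quoted in this thread, flagging entries that are unmitigated or that are mitigated but still marked "SMT vulnerable". The sample lines come from the Core i5-7200U listing plus one constructed `Vulnerable` line; the state names and function names are this example's own.

```python
"""Classify CPU vulnerability status lines as printed by lscpu (added example)."""
from pathlib import Path

# Directory where the Linux kernel exposes one status file per known CPU bug.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Four lines copied from the Core i5-7200U listing in the thread, plus one
# constructed "Vulnerable" line to exercise the unmitigated case.
SAMPLE = """\
Itlb multihit: KVM: Mitigation: VMX disabled
Mds: Mitigation; Clear CPU buffers; SMT vulnerable
Spectre v2: Mitigation; IBRS, IBPB conditional, STIBP conditional, RSB filling, PBRSB-eIBRS Not affected
Tsx async abort: Not affected
Example bug: Vulnerable
"""

def classify(status: str) -> str:
    """Map one kernel status string to a coarse state (names are this example's)."""
    status = status.strip()
    if status == "Not affected":          # exact match: "Not affected" also appears
        return "not_affected"             # inside longer Mitigation strings
    if status.startswith("Vulnerable"):
        return "vulnerable"
    if "SMT vulnerable" in status:        # mitigated, but sibling threads still exposed
        return "mitigated_smt_exposed"
    if "Mitigation" in status:
        return "mitigated"
    return "unknown"

def parse_lscpu(text: str) -> dict:
    """Parse 'Name: status' lines from the Vulnerabilities section of lscpu output."""
    result = {}
    for line in text.splitlines():
        name, sep, status = line.strip().partition(":")
        if sep and status.strip():        # skips the bare "Vulnerabilities:" header
            result[name.strip()] = classify(status)
    return result

def read_sysfs(directory: Path = SYSFS_DIR) -> dict:
    """Read the live status files; returns {} on systems without the directory."""
    if not directory.is_dir():
        return {}
    return {p.name: classify(p.read_text()) for p in sorted(directory.iterdir()) if p.is_file()}

def needs_attention(report: dict) -> list:
    """Names whose state is anything other than fully mitigated or not affected."""
    return sorted(n for n, s in report.items() if s not in ("mitigated", "not_affected"))

if __name__ == "__main__":
    report = read_sysfs() or parse_lscpu(SAMPLE)
    for name, state in report.items():
        print(f"{name:24} {state}")
    print("review:", ", ".join(needs_attention(report)) or "none")
```

Run on a Linux host it reads the live sysfs files; elsewhere it falls back to the embedded sample.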
Huh, I really didn’t put together in my mind that zenbleed was really just another speculative execution bug like Spectre, but you’re totally right.
Pardon my ignorance, but what would be the process for applying this sort of patch to my personal machine?
I don't know. There is a git repo but practically speaking, maybe wait until there's a software update for whatever OS you're running?
Ah yes the practical solution was my interest. I wasn't sure if this sort of thing comes as an OS update or firmware update. Thanks!
Specifically, microcode is a firmware update, but it's a type of firmware that's shipped with the OS and loaded during boot. You don't need to manually update it separately from the OS.