Comprehensive Guide to Mitigating the Intel MDS Bug: Protect Your Systems from ZombieLoad, Fallout, and RIDL
Thanks to a mistake, the VU (Vrije Universiteit Amsterdam) revealed a serious flaw in Intel chips. The new vulnerabilities, collectively known as the Intel MDS bug (Microarchitectural Data Sampling) and also referred to as ZombieLoad, Fallout, and RIDL, allow an attacker to read almost any confidential data passing through the CPU's internal buffers without elevated privileges. Although the attacks are difficult to carry out in practice, a skilled attacker could use them to read memory belonging to another virtual machine or container, or to the underlying host system.
Understanding the Impact of the Intel MDS Bug
The Intel MDS bug poses a serious security threat. There is no complete fix other than applying vendor software (kernel and hypervisor) updates together with the OEM-provided CPU microcode/firmware, or moving to processors that are not affected. All users should apply the vendor patches for their CPUs and update the kernel as soon as patches are available. Disabling SMT (Hyper-Threading) on affected systems shrinks the attack surface, because a sibling hyper-thread can no longer sample the victim's data, but it does not eliminate every attack path these vulnerabilities open.
Steps to Mitigate the Intel MDS Bug
Mitigating the risks introduced by the Intel MDS bug requires updated microcode, updated kernels, and patched hypervisors. Administrators must then decide whether disabling SMT/Hyper-Threading is the right choice for their deployment. Hyper-Threading is always enabled or disabled on the physical server or the hypervisor, so a tenant of a cloud provider cannot change it and can only check with the provider. The drawback is that switching off Hyper-Threading costs performance.
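To check where a Linux host stands after the steps above, the script below reads the MDS status line that an MDS-aware kernel exposes under /sys/devices/system/cpu/vulnerabilities/mds and turns it into a verdict. This is an added example and not part of the original post; the status strings are the ones documented in the kernel's admin-guide (hw-vuln/mds.rst), while the verdict wording and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): classify the MDS status reported by
# an MDS-aware Linux kernel. Status strings follow the kernel documentation;
# the verdict text is our own.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# Map one kernel status line to a verdict. Exact matches come first, then
# prefix matches that catch variants with a different SMT suffix.
mds_verdict() {
    case "$1" in
        "Not affected")
            echo "ok: CPU not affected by MDS" ;;
        "Mitigation: Clear CPU buffers; SMT disabled")
            echo "ok: kernel+microcode mitigation active, SMT off" ;;
        "Mitigation: Clear CPU buffers; SMT mitigated")
            echo "ok: mitigation active, SMT on but reported safe (store-buffer-only parts)" ;;
        "Mitigation: Clear CPU buffers; SMT vulnerable")
            echo "partial: buffers cleared at privilege boundaries, but a sibling hyper-thread can still sample; consider nosmt" ;;
        "Mitigation: Clear CPU buffers; SMT Host state unknown")
            echo "partial: guest mitigated, host SMT state not visible; check with the provider" ;;
        "Mitigation: Clear CPU buffers"*)
            echo "partial: mitigation active, SMT state not reported" ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
            echo "fail: kernel is patched but the CPU microcode is not updated" ;;
        Vulnerable*)
            echo "fail: no mitigation active" ;;
        *)
            echo "unknown: $1" ;;
    esac
}

# Read the live status. A missing sysfs entry means the running kernel has no
# MDS reporting at all, i.e. it predates the MDS patches and must be updated.
mds_report() {
    if [ -r "$MDS_SYSFS" ]; then
        mds_verdict "$(cat "$MDS_SYSFS")"
    else
        echo "fail: $MDS_SYSFS not present; running kernel has no MDS support"
    fi
}

# Persistent choice goes on the kernel command line (e.g. GRUB_CMDLINE_LINUX):
#   mds=full        clear CPU buffers, keep SMT
#   mds=full,nosmt  clear CPU buffers and disable SMT
# Runtime SMT control without reboot (root, physical host only):
#   echo off > /sys/devices/system/cpu/smt/control

mds_report
```

Run it on the host and on every guest: a guest that prints "SMT Host state unknown" is the case the text describes, where only the cloud provider can confirm whether the sibling thread is a risk.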
Cloud Providers and the Intel MDS Bug
According to Amazon Web Services, their infrastructure is already protected: “AWS has designed and implemented its infrastructure with protections against these types of bugs and has also deployed additional protections for MDS. All EC2 host infrastructure has been updated with these new protections, and no customer action is required at the infrastructure level.”
Updates and Patches for the Intel MDS Bug
For many platforms, kernel upgrades are now available, as well as microcode updates for the affected CPUs. Both the hypervisors and the virtual machines running on them must receive the updates: a patched host does not protect an unpatched guest kernel, and vice versa.
The Intel MDS bug is a serious vulnerability that requires prompt attention. By applying the available microcode, kernel and hypervisor updates, and weighing whether to disable SMT, users can protect their systems against these threats.
Updates: Red Hat Enterprise Linux
Kernel updates:
Microcode updates:
Updates: CentOS Linux
Updates: Amazon Linux
Kernel updates:
Updates: Ubuntu Linux
Kernel updates:
Microcode updates:
Updates: Debian Linux
Updates: VMware Hypervisor
- Implementing Hypervisor-Specific Mitigations for Microarchitectural Data Sampling (MDS) Vulnerabilities
- VMware Security Advisories VMSA-2019-0008
Credits to Winfried de Heiden for doing all the research!