Interest: Zombieload - Yet another major, exploitable Intel CPU flaw

Post by catweazel » Wed May 15, 2019 2:24 am

Zombieload
Zombieload, another Intel processor side-channel attack, just like Meltdown and Spectre before it, poses a security threat for Linux systems.
https://www.zdnet.com/article/linux-vs-zombieload/

If, like me, you view the mitigations for Spectre, Meltdown, and now this new MDS side-channel attack as low risk, and provided that you trust your sources of software, you can turn them off by adding mitigations=off to the GRUB command line. The 4.15.0-50 kernel contains a mitigation for this new exploit, and new microcode is being pushed out with it. Be ready for unbootable systems...
¡uʍop ǝpısdn sı buıɥʇʎɹǝʌǝ os ɐıןɐɹʇsnɐ ɯoɹɟ ɯ,ı

Post by xenopeek » Wed May 15, 2019 8:45 am

There's a bunch of related exploits for Intel processors made public: RIDL, Zombieload (which builds on RIDL) and Fallout.

I find it worrying that RIDL can be exploited through JavaScript in web browsers (existing side-channel attack mitigations don't work) but Intel refused to inform Mozilla and Google in advance of publication. Intel also tried to keep the vulnerability under wraps for another 6 months and only went public now after pressure from the researchers who would otherwise have gone public. That's serving shareholders, not customers.

Funnily enough (not really), the hardware mitigations for Meltdown in the latest generation of Intel processors actually make them more vulnerable to Fallout than earlier generations that didn't have mitigation for Meltdown in hardware.

But like you say, it's not clear what actual risks this exposes users to.

AMD's response is a good poke at Intel:
At AMD we develop products and services with safety in mind. Based on our own analysis and discussions with the researchers, we believe that our products are not subject to 'Fallout', 'RIDL' and 'ZombieLoad', thanks to the hardware protection in our architecture. We have not been able to demonstrate these leaks in AMD's products, and we are not aware of others who have succeeded.

Post by gm10 » Wed May 15, 2019 9:01 am

I'm starting to feel I'm missing out with my older generation Intel CPU:

Code:

$ cat /sys/devices/system/cpu/vulnerabilities/mds
Not affected

:P

Post by xenopeek » Thu May 16, 2019 1:19 am

Hm. Mine says:
Mitigation: Clear CPU buffers; SMT disabled

SMT is always disabled, this chip doesn't have hyperthreading.

Post by catweazel » Thu May 16, 2019 1:43 am

> xenopeek wrote:
> Wed May 15, 2019 8:45 am
> There's a bunch of related exploits for Intel processors made public: RIDL, Zombieload (which builds on RIDL) and Fallout.
>
> ...
>
> Funnily enough (not really), the hardware mitigations for Meltdown in the latest generation of Intel processors actually make them more vulnerable to Fallout than earlier generations that didn't have mitigation for Meltdown in hardware.

Yes. I found that out shortly after posting.

Post by smurphos » Fri May 17, 2019 1:49 am

On an i5-2430M with intel microcode 3.20190514 and kernel 4.15.0.50.

Code:

steve@steve-HP-Pavilion-g6-Notebook-PC:~$ cat /sys/devices/system/cpu/vulnerabilities/mds
Mitigation: Clear CPU buffers; SMT vulnerable

There is no BIOS option to disable SMT/Hyper-threading on this machine so with kernel boot option nosmt set in grub:

Code:

steve@steve-HP-Pavilion-g6-Notebook-PC:~$ cat /sys/devices/system/cpu/vulnerabilities/mds
Mitigation: Clear CPU buffers; SMT disabled

There's definitely a noticeable negative impact on boot time disabling SMT. Specifically the userspace component of systemd-analyze consistently reports about 20-25% longer time (circa 10 seconds instead of circa 8 seconds) with SMT disabled. No impact on Cinnamon desktop load times (not surprising as I think Cinnamon runs a single thread). Will have to see what other activities are impacted.

It's interesting what different companies are doing - Google is disabling Hyperthreading across the board in ChromeOS running on Intel hardware for example - https://www.theregister.co.uk/2019/05/1 ... tigations/

Edit to add - again about a 20% performance reduction seen building the adapta themes from source (involves lots of png rendering with inkscape which maximises CPU on all available real and virtual cores). 4m:22s with SMT enabled, 5m:11s with SMT disabled.
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.
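
The status lines posted in this thread can be checked mechanically. The script below is an added example, not written by any poster here; the function names and verdict words are made up for it, and the sample lines in the loop are constructed from the outputs quoted above.

```shell
#!/bin/sh
# Added example: classify the status line the kernel reports for MDS.
# Strings handled: the three quoted in this thread, plus the "Vulnerable" and
# "SMT Host state unknown" forms from the kernel's MDS admin guide.

MDS_FILE=/sys/devices/system/cpu/vulnerabilities/mds

# classify_mds STATUS: print a one-word verdict (hypothetical labels).
classify_mds() {
    case "$1" in
        "Not affected")
            echo not-affected ;;
        "Mitigation: Clear CPU buffers"*"SMT vulnerable"*)
            # Buffers are flushed on kernel exit, but hyperthreading is
            # still on, so the sibling thread remains a leak path.
            echo mitigated-smt-exposed ;;
        "Mitigation: Clear CPU buffers"*"SMT Host state unknown"*)
            # Guest VM: the kernel cannot see the host's SMT setting.
            echo mitigated-smt-unknown ;;
        "Mitigation: Clear CPU buffers"*)
            echo mitigated ;;
        "Vulnerable"*)
            echo vulnerable ;;
        *)
            echo unknown ;;
    esac
}

# read_mds_status [FILE]: print the status line, or "unreported" when the
# file is absent (a kernel without the MDS update does not create it).
read_mds_status() {
    f=${1:-$MDS_FILE}
    if [ -r "$f" ]; then
        head -n 1 "$f"
    else
        echo unreported
    fi
}

# Verdicts for constructed sample lines, then for the machine running this.
for sample in \
    "Not affected" \
    "Mitigation: Clear CPU buffers; SMT vulnerable" \
    "Mitigation: Clear CPU buffers; SMT disabled"
do
    printf '%-22s <- %s\n' "$(classify_mds "$sample")" "$sample"
done
live=$(read_mds_status)
printf '%-22s <- %s (this host)\n' "$(classify_mds "$live")" "$live"
```

A verdict of mitigated-smt-exposed is the case where the nosmt boot option or a firmware setting decides whether the remaining cross-thread exposure is closed.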

Post by thx-1138 » Fri May 17, 2019 6:03 am

...there were some benchmarks published on Phoronix a few months ago,
specifically for Bionic & SMT if you're interested (under newer CoffeeLake)...

Post by xenopeek » Fri May 17, 2019 9:34 am

Phoronix have a new article on performance impact of MDS / Zombieload mitigation:
https://www.phoronix.com/scan.php?page= ... ial-Impact
The default Linux mitigations for the new Microarchitectural Data Sampling (MDS) vulnerabilities (also known as "Zombieload") do incur measurable performance cost out-of-the-box in various workloads. That's even with the default behavior where SMT / Hyper Threading remains on while it becomes increasingly apparent if wanting to fully protect your system HT must be off.

Post by sudo apt-get Linux » Fri May 17, 2019 10:21 am

Linux Mint 19.1 Cinnamon 64-bit
Cinnamon 4.0.10
Kernel: 4.15.0-47-generic
Intel (R) Core(TM) i5-2520M CPU @ 2.50 GHz x 2
Ram: 8 Go

Post by littlehuman » Sat May 25, 2019 2:07 pm

Thank you all for this useful information and details.

Do you think HT needs to be off ad aeternam or will some future software upgrades (either BIOS firmware or kernel or Intel microcode) allow us to re-enable it safely?
Vs lbh nfxrq Oehpr Fpuarvre gb qrpelcg guvf, ur'q pehfu lbhe fxhyy jvgu uvf ynhtu.

Post by xenopeek » Sat May 25, 2019 2:31 pm

If you think the risks are tangible, HT needs to be off on Intel CPUs. It's hard to pin what real world risks are of leaving HT on.

Maybe it is fixable in microcode but I'm not holding my breath for that. Maybe a future new generation CPU from Intel will redesign how HT works in silicon, to not have these holes.

I always thought price/performance made i5 CPUs the better buy so myself and family members all have i5's. Certainly now i5 comes in 6 cores.

Post by littlehuman » Sat May 25, 2019 6:55 pm

Thank you

Post by Portreve » Sun May 26, 2019 1:23 am

> xenopeek wrote:
> Wed May 15, 2019 8:45 am
> I find it worrying that RIDL can be exploited through JavaScript in web browsers (existing side-channel attack mitigations don't work) but Intel refused to inform Mozilla and Google in advance of publication. Intel also tried to keep the vulnerability under wraps for another 6 months and only went public now after pressure from the researchers who would otherwise have gone public. That's serving shareholders, not customers.

Businesses are, on the whole, far more interested in profit and image than they are in anything else. They will cut corners and shaft customers and employees alike to save a buck (and claim this is them being "more efficient and cost-effective" than government) yet this is exactly why there's been the need, over the course of the last ~12 to 14 decades, to enact regulations restricting what they do and how they do it. It's my feeling that both Intel and AMD, even though AMD is claiming innocence this time, are going to cause brand new sorts of regulation¹ to be brought down on their own heads if this sort of thing continues to happen.

> AMD's response is a good poke at Intel:

For now, perhaps, but I wouldn't trust them any more than Intel or anyone else.

> At AMD we develop products and services with safety in mind. Based on our own analysis and discussions with the researchers, we believe that our products are not subject to 'Fallout', 'RIDL' and 'ZombieLoad', thanks to the hardware protection in our architecture. We have not been able to demonstrate these leaks in AMD's products, and we are not aware of others who have succeeded. [Emphasis added.]

Those are examples of parsing language and possibly even deflection. It's the language of a company out to save its own hide.

¹ Of course, both of these companies are American, and in America there's a massive movement out there to cast regulation as being tantamount to government overreach, so it's unlikely at this time we will see anything other than token fines levied to make it appear as though something's being done.
I have to leave so I can get home by the time I arrive.

Presently rocking LinuxMint 19.1 Cinnamon.

Remember to mark your fixed problem [SOLVED].

Post by AZgl1500 » Sun May 26, 2019 3:02 am

> xenopeek wrote:
> Thu May 16, 2019 1:19 am
> Hm. Mine says:
> Mitigation: Clear CPU buffers; SMT disabled
>
> SMT is always disabled, this chip doesn't have hyperthreading.

Mine says:

$ cat /sys/devices/system/cpu/vulnerabilities/mds
$: command not found

Post by smurphos » Sun May 26, 2019 3:15 am

> AZgl1500 wrote:
> Sun May 26, 2019 3:02 am
> Mine says:
>
> $ cat /sys/devices/system/cpu/vulnerabilities/mds
> $: command not found

That would suggest you've not applied the kernel update that helps to mitigate against the vulnerability and reports that status.

18.x - These kernels or later
4.4.0-148-generic 4.4.0-148.174
or
4.15.0-50-generic 4.15.0-50.54

19.x - These kernels or later
4.15.0-50-generic 4.15.0-50.54
or
4.18.0-20-generic 4.18.0-20.21

LMDE3
4.9.168-1+deb9u2 or later

Post by gm10 » Sun May 26, 2019 3:33 am

nvm, see xenopeek below:
Last edited by gm10 on Sun May 26, 2019 4:20 am, edited 1 time in total.
Tune up your LM 19.x: ppa:gm10/linuxmint-tools

Post by xenopeek » Sun May 26, 2019 3:40 am

No it means they copied the $ in front of the command; that's what the error says.

> AZgl1500 wrote:
> Sun May 26, 2019 3:02 am
> Mine says:
>
> $ cat /sys/devices/system/cpu/vulnerabilities/mds
> $: command not found

Make sure you run the command as such:
cat /sys/devices/system/cpu/vulnerabilities/mds

Post by gm10 » Sun May 26, 2019 4:19 am

> xenopeek wrote:
> Sun May 26, 2019 3:40 am
> No it means they copied the $ in front of the command; that's what the error says.
>
>> AZgl1500 wrote:
>> Sun May 26, 2019 3:02 am
>> Mine says:
>>
>> $ cat /sys/devices/system/cpu/vulnerabilities/mds
>> $: command not found
>
> Make sure you run the command as such:
> cat /sys/devices/system/cpu/vulnerabilities/mds

Aha, lol, I had been mildly wondering what shell he was using to get that output but you saw through it all. Nice. :)

Post by smurphos » Sun May 26, 2019 4:37 am

> xenopeek wrote:
> Sun May 26, 2019 3:40 am
> No it means they copied the $ in front of the command; that's what the error says.

Doh.. :roll:

Still the kernel info may be useful for some.

Post by AZgl1500 » Sun May 26, 2019 6:19 am

> xenopeek wrote:
> Sun May 26, 2019 3:40 am
> No it means they copied the $ in front of the command; that's what the error says.
>
>> AZgl1500 wrote:
>> Sun May 26, 2019 3:02 am
>> Mine says:
>>
>> $ cat /sys/devices/system/cpu/vulnerabilities/mds
>> $: command not found
>
> Make sure you run the command as such:
> cat /sys/devices/system/cpu/vulnerabilities/mds

ah......... I had just updated and all was updated..... didn't see the new kernel.

Code:

john@john-TP500LA ~ $  cat /sys/devices/system/cpu/vulnerabilities/mds
Mitigation: Clear CPU buffers; SMT vulnerable

john@john-TP500LA ~ $ inxi -S
System:    Host: john-TP500LA Kernel: 4.15.0-50-generic x86_64 (64 bit) Desktop: Cinnamon 3.6.7
           Distro: Linux Mint 18.3 Sylvia
john@john-TP500LA ~ $ 

SMT vulnerable

see, I was all fat, dumb and happy until I read this thread :shock:


So, should I add this to my Grub Command Line?

There is no BIOS option to disable SMT/Hyper-threading on this machine so with kernel boot option nosmt set in grub
