[sf-lug] Notification about ZombieLoad Attack vulnerabilities

aaronco36 aaronco36 at SDF.ORG
Fri May 17 08:07:01 PDT 2019 

I previously wrote:
> ================================
> References
> ================================
> [1]https://zombieloadattack.com/
> [2]https://techcrunch.com/2019/05/14/zombieload-flaw-intel-processors/
> [3]https://www.zdnet.com/article/intel-cpus-impacted-by-new-zombieload-side-channel-attack/
> [4]https://gizmodo.com/what-to-do-about-the-new-intel-chip-flaw-1834759126
> [5]https://www.reddit.com/r/linux/comments/booowk/zombieload_cross_privilegeboundary_data_leakage_a/
> [6]https://9to5mac.com/2019/05/14/intel-zombieload-vulnerability-mac/
> [7]https://www.zdnet.com/article/linux-vs-zombieload/
> ================================

And quoting Bobbie Sellers <bliss-sf4ever at dslextreme.com> :
> here is another URL that was referred to as cute.
> It does not seem to be a fully comprehensive list as
> it was said to be.  The answers to the questions are
> cute though.
> https://cpu.fail

Four factoids I note after viewing that "cute" URL, though, are....
a) The https://cpu.fail URL links directly back to reference [1] above for 
the Zombieload Attack vulnerability.

b) SJVN's article of reference [7] previously quoted above ends up 
referring to Red Hat's own MDS - Microarchitectural Data Sampling 
vulnerability site https://access.redhat.com/security/vulnerabilities/mds

c) Maybe the severity of the MDS vulnerabilities are stated precisely as 
they are or should be for "all users of Intel processors made since 2011" 
-- as stable Linux kernel maintainer Greg Kroah-Hartman himself bluntly 
states -- or maybe the vulnerability notifications on security sites such 
as the above are way too alarmist.
In either case, Red Hat rates the CVE-2018-12130 Microarchitectural Fill 
Buffer Data Sampling (MFBDS) vulnerability as having a distinctly 
"Important impact".
Quoting directly from 
https://access.redhat.com/security/updates/classification/ on what Red Hat 
considers an "Important impact":
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This rating is given to flaws that can easily compromise the 
confidentiality, integrity, or availability of resources. These are the 
types of vulnerabilities that allow local users to gain privileges, allow 
unauthenticated remote users to view resources that should otherwise be 
protected by authentication, allow authenticated remote users to execute 
arbitrary code, or allow remote users to cause a denial of service.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

d) Red Hat's MDS vulnerability site brought in (b) brought above has an 
"Impact" tab that lists the following Red Hat product versions that may be 
impacted by the MDS vulnerabilities:
* Red Hat Enterprise Linux 5
* Red Hat Enterprise Linux 6
* Red Hat Enterprise Linux 7
* Red Hat Enterprise Linux 8
* Red Hat Atomic Host
* Red Hat Enterprise MRG 2
* Red Hat OpenShift Online v3
* Red Hat Virtualization (RHV/RHV-H)
* Red Hat OpenStack Platform
** Those regularly working with these Red Hat products (and/or their 
CentOS and Fedora Linux equivalents) might even wish-to/have-to take extra 
note of the published MDS vulnerabilities, assuming that they haven't done 
so already :-|

Just saying....

-A

aaronco36 at sdf.org
-----------------------

More information about the sf-lug mailing list