On May 14, a new class of Intel CPU vulnerabilities was published by the microchip giant. Known as speculative execution side-channel vulnerabilities, they affect almost every Intel processor produced since 2011 – this includes a great number of servers, laptops, and smartphones. Crucially, its virtual machines on the public cloud are also impacted by these vulnerabilities.
What are the new Intel CPU Vulnerabilities?
The Intel CPU vulnerabilities — dubbed as MDS attacks (microarchitectural data sampling) — almost all involve the speculative execution design feature found in all modern processors. The vulnerabilities could leak arbitrary data from different CPU internal buffers: line fill buffers, load ports or store buffers.
Is this the Work of Cyber Criminals?
If everything you have read so far sounds technically dense, that’s because it is. These vulnerabilities are primarily theoretical – they were discovered by academics and, to our knowledge, haven’t yet been exploited in the wild in either distributed or targeted attacks.
While they may not have yet been touched by criminals, researchers have published a proof-of-concept exploit which demonstrates how the CPUs can leak sensitive data which has been written to the memory by the OS kernel, including root passwords hash.
What Should Skybox Customers Do?
It’s important to recognize that a logic flaw in a CPU isn’t the same as a software, or other, vulnerability. Short of changing your CPU, there’s little that you can do to fully resolve these vulnerabilities. Of course, doing so would be as impractical as it would be expensive. Like the Intel CPU vulnerabilities, this is a solution that exists better in theory than it does in practice.
What we’re left with instead are numerous mitigation strategies which emerge from collaborative work between CPU vendors (like Intel) and platform vendors (like Microsoft). What businesses need to do is gain and maintain awareness of any patches created and shared by the vendors and ensure that they are applied to all relevant platforms.