RIDL – Another MDS Attack that Live Patching Would Have Saved You From

Everyone has heard of Zombieload. Recently made known to the public, Zombieload is a Microarchitectural Data Sampling (MDS) attack that can reveal private data by breaking the privacy borders between apps. A lot of people were (rightfully) worried about Zombieload, and in the middle of May it was big news.

But the furore around Zombieload obscured the fact that there are two other MDS-related side channel attacks on the loose. All are weaknesses in Intel x86 microprocessors, and all are worrying.

One of these other two is RIDL, short for “Rogue In-Flight Data Load.” RIDL can be exploited by attackers to leak data from the vulnerable CPU’s internal buffers (chunks of allocated memory used to store and load data, such as Line-Fill Buffers and Load Ports). These leakages can include such critical information as passwords and personal data. RIDL even allows attackers to steal data from other programs running on the same system. The leak can occur with no assumptions on the state of the caches or translation data structures controlled by privileged software.

In short, RIDL exposes a CPU to system-wide attacks from arbitrary unprivileged code (including JavaScript in the browser). This is bad.

And, as with Zombieload and any other MDS Side Channel Attack, RIDL exposes the deficiencies in how most people protect their Linux kernels. 

In reaction to RIDL, Intel shipped microcode updates, and providers rolled out OS and hypervisor updates. But the only way to actually apply these much-needed updates is by rebooting, so you can patch the kernel. Most organizations cannot reboot their servers without scheduling it months in advance. During this delay, known major vulnerabilities lurk in their production systems – a very bad situation for security and compliance.

But with Kernelcare, you can update the microcode, disable SMT and apply the kernel patch TODAY with no reboot. On a VM, assuming your node is updated, you don’t even need to disable hyperthreading.

This is the future of dealing with vulnerabilities like RIDL: Rebootless kernel patching.

Get in touch today for a free demo of KernelCare.

Get a FREE 7-Day Supported Trial of KernelCare 

Read more:

• Zombieload 2: KernelCare Team is on it!
• Zombieload 2: The Patches for CVE-2018-12207 are in the Test Feed!
• SWAPGS: KernelCare patches on the way
• RIDL – Another MDS Attack that Live Patching Would Have Saved You From
• QEMU-KVM vhost/vhost_net Guest to Host Kernel Escape Vulnerability
• New vulnerability found in Linux kernel, patched by KernelCare
• SACK Panic & Slowness: KernelCare Live Patches Are Here
• L1 Terminal Fault (L1TF) patches are available
• Intel DDIO ‘NetCat’ Vulnerability Report
• Fallout – the MDS Side Channel Attack That Isn’t Zombieload