Fallout – the MDS Side Channel Attack That Isn’t Zombieload

Everyone has heard of Zombieload. Recently made known to the public, Zombieload is a Microarchitectural Data Sampling (MDS) attack that reveals private data by breaking the privacy borders that exist between apps. Zombieload targets the load, store, and line fill buffers, used by the CPU for fast reads/writes of internal data. In mid-May, the discovery of Zombieload was big news.

But: Zombieload isn’t the only MDS-related side channel attack that you should be worried about. There are actually three such threats, all constituting weaknesses in Intel x86 microprocessors that leak data across protection boundaries that are architecturally supposed to be secure.

Fallout is another hardware vulnerability of this kind. It exploits a weakness in Intel CPUs to cause leakages in store buffers, which are used by the processor’s pipeline to hold data.

Get a FREE 7-Day Supported Trial of KernelCare 

Attackers are actually able to choose the type of data that is leaked from the buffer. Fallout can sidestep the Kernel Address Space Layout Randomization (KASLR) protection, which is meant to shield against memory corruption vulnerabilities. Unprivileged user processes can exploit Fallout to reconstruct privileged information recently written by the kernel.

In theory, any attacker running malicious code on a vulnerable machine, or pointing the victim toward some nefarious JavaScript, could exploit Fallout. They could extract information from the OS system kernel and processes, the Software Guard eXtensions (SGX) enclave, and CPU-internal operations. Somewhat ironically, it would seem that the countermeasures introduced by Intel in recent Coffee Lake Refresh i9 CPUs to prevent Meltdown make these CPUS more vulnerable to Fallout.

As with any other MDS Side Channel Attack, Fallout exposes the flaw in how most people protect their Linux kernels.

In reaction to Fallout, Intel shipped microcode updates, and various providers rolled out OS and hypervisor updates. But the only way to actually apply these updates is by rebooting the new kernel. Since most organizations cannot perform random reboots, they sit waiting until the next scheduled reboot cycle, which could be months away. And they delay in this way while known major vulnerabilities exist in their production systems – not an acceptable scenario for security and compliance.

But with Kernelcare, you can install the micro-code and kernel patch TODAY with no reboot. On a VM, assuming your node is updated, you don’t even need to disable hyperthreading.

This is the future of dealing with vulnerabilities like Fallout: Rebootless kernel patching.

Get in touch today for a free demo.

Read more:

• Zombieload 2: KernelCare Team is on it!
• Zombieload 2: The Patches for CVE-2018-12207 are in the Test Feed!
• SWAPGS: KernelCare patches on the way
• RIDL – Another MDS Attack that Live Patching Would Have Saved You From
• QEMU-KVM vhost/vhost_net Guest to Host Kernel Escape Vulnerability
• New vulnerability found in Linux kernel, patched by KernelCare
• SACK Panic & Slowness: KernelCare Live Patches Are Here
• L1 Terminal Fault (L1TF) patches are available
• Intel DDIO ‘NetCat’ Vulnerability Report