TPS-2019-003 Intel Microarchitectural Data Sampling (CVE-2018-12127, CVE-2018-12126, CVE-2018-12130, CVE-2019-11091)

Overview

This advisory covers four different vulnerabilities, collectively termed Microarchitectural Data Sampling (MDS):

  • Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127
  • Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126
  • Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130
  • Microarchitectural Uncacheable Data Sampling (MDSUM) – CVE-2019-11091

These vulnerabilities impact customers running on the Triton Public Cloud and operators of Triton Enterprise software.

Understanding the Vulnerabilities

These vulnerabilities target different parts of the processor’s microarchitecture or implementation. Using speculative execution (a means similar to that used in the Meltdown and Spectre vulnerabilities), data that was left behind as part of servicing another operation on the processor can be read in another operation, regardless of hardware privilege boundaries. Unlike Meltdown, this does not allow an attacker to target a specific piece of information – rather they can only target data that has previously been used in these microarchitectural structures.

For additional information, please review Intel’s Security Advisory.

Impacted Processors

Most Intel Client and Server processors that use the Core (R), Xeon (R), and Atom (R) branding are impacted. However, some of the latest generation processors are not impacted.

At this time, most affected processors have microcode updates available. However, microcode is still in progress for some processors (Sandy Bridge-based Xeons) and microcode for older processors such as those based on Nehalem and Westmere is not being provided by Intel.

For an up-to-date list of processors and their microcode status, please see Intel’s Security Advisory.

Actions Taken by Joyent

This fix includes a combination of operating system and CPU microcode updates. These are in the process of being deployed to Joyent’s Triton Cloud (public cloud). Deployment necessitates a compute node reboot; we are making best effort to schedule those reboots with customers to minimize disruption.

We will also make available SmartOS updates for our software customers and are working with the broader illumos community to make these fixes available. For information, see the “Actions You Need to Take” section below.

Actions You Need to Take

Triton Public Cloud Customers

Joyent is in the process of ensuring that Triton public cloud customer instances are protected from these vulnerabilities. However, customers running hardware virtual machines should refer to instructions from their OS provider for additional steps to take:

  • RedHat
  • Debian
  • FreeBSD
  • Ubuntu
  • Windows

Triton Enterprise Software Customers

The software and CPU microcode fixes do not fully mitigate these security vulnerabilities when hyper-threading is enabled. Depending on the security profile of your use cases, you may need to disable hyper-threading. Following are the different details to be aware of when making this decision. If you’re unsure of the right decision for your environment, please contact Joyent Support.

When hyper-threading is enabled, a single physical core of a processor appears to the operating system as two independent logical CPUs. A different application can run on each of these logical CPUs at the same time. In the case of Triton, these applications may belong to different customers.

If multiple, untrusted parties are running in the same virtual machine or on the same physical hardware, then it may be possible to perform this attack. As part of Joyent’s mitigations for L1 Terminal Fault, hardware virtual machines employ a scheduling technique that ensures that the only threads running on another hyper-thread are those from the same virtual machine.

While meaningfully performing this attack is difficult, there may be cases where that risk is large enough that it may make sense to disable hyper-threading on such a system.

Open Source Triton Users

Please direct any further questions to The SmartOS Community Mailing Lists and IRC.

Support

If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.

As noted above, if you are an Open Source Triton user, please direct any further questions to the SmartOS Community Mailing Lists and IRC.