Advisory Overview
As with several other exploits targeted at how Intel processors handle digital operations, “Zombieload” is an exploit used by threat actors to compromise information being processed by an Intel CPU. Some vulnerabilities allow a threat actor to steal data by exploiting the methods that Intel processors use to “predict” what actions will be performed by software in order to speed up the overall work of a computer. Zombieload is one of several exploits discovered in recent months designed to take advantage of those vulnerabilities. While it was initially believed that Zombieload could only impact earlier Intel processors, a new variant of the exploit has been discovered that can impact even modern Intel processors; expanding the risk to all Intel chipsets. Due to the widespread nature of this issue, you should contact your IT team and/or your Managed Services Provider immediately to apply one of several fixes that can close the vulnerability and defend your systems.
Technical detail and additional information
What is the threat?
The Zombieload vulnerability, which was thought to only affect older Intel CPUs, is now back with a second variant which impacts the latest CPU’s from that manufacturer as well. Zombieload is an exploit that relies on the speculative execution process which is used by Intel CPUs to improve processing speeds. Zombieloadv2 can exploit the Intel CPU feature set known as transactional synchronization extensions (TSX). TSX is used to speed up processes through speculative execution, and includes the ability to manipulate the CPU to return to a previous memory point if any issues occur with a process. This methodology inadvertently created a vulnerability which can be exploited by threat actors; allowing them to obtain data from CPU memory such as passwords, browser history, and disk encryption keys when a process which held that data is rolled back. Many Windows and Linux users and administrators skip microcode updates and other firmware changes due to the downtime required to install them; leaving servers and desktops/laptops vulnerable to the exploit.
Why is this noteworthy?
Zombieload was previously believed to only be able to exploit vulnerabilities on older Intel CPU chipsets. An updated version of the exploit – Zombieloadv2 – permits the exploit to work against newer CPU’s, including several later models, leaving many more devices than originally thought at risk. As the corrective actions require downtime to implement, and as disabling of features like TSX can produce a drop in overall performance, a significant number of users and administrators did not perform the updates or workarounds if they were on newer generations of CPUs. Some users and administrators may be further hesitant to apply known fixes due to the performance impact of removing TSX, even when the system in question is at risk for a Zombieload attack.
What is the exposure or risk?
Zombieload has the ability to capture data processed through the CPU by manipulation of predictive systems – essentially by tricking those systems into rolling back operations and obtaining the data that is “discarded” during the roll back. As any data can flow through the CPU, even extremely sensitive information such as encryption keys and credentials could be exfiltrated from the CPU if the exploit is successful. Users that have the Intel 8th and 9th generation processors with TSX enabled are now vulnerable to the Zombieloadv2 exploit in addition to previous generations which were already vulnerable. Though threat actors need to gain access to the system in question, note that this access can be remote. This means, for example, that if a threat actor is able to gain remote access via any of many available RAT exploits and/or malware packages; they can also perform Zombieload exploits to harvest information.
What are the recommendations?
- [Windows] Disable TSX by doing the following registry change:
- reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel” /v DisableTsx /t REG_DWORD /d 1 /f
- [Linux] Follow the link here and determine the model-specific register that must be changed to disable TSX.
- Alternately, administrators may apply the latest Intel Microcode updates, instead of disabling TSX, to patch the issue.
References:
For more in-depth information about the recommendations, please visit the following links:
- https://www.zdnet.com/google-amp/article/windows-linux-get-options-to-disable-intel-tsx-to-prevent-zombieload-v2-attacks/?__twitter_impression=true
- https://www.forbes.com/sites/daveywinder/2019/11/13/zombie-inside-intel-confirms-zombieload-2-security-threat/#1a06037c3f69
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00270.html
For more information, please contact our Security Operations Center.
