RIDL, Fallout and ZombieLoad vulnerabilities

    Cybersécurité, Sécurité - Posted on 05/15/2019 by Edouard CAMOIN

    Recent articles refer to a new security vulnerability on Intel processors.

    For these vulnerabilities named RIDL, Fallout or ZombieLoad, you will find below the CVEs in question:

    protection données

    • CVE-2018-12127 Microarchitectural Load Port Data Sampling (MLPDS)
    • CVE-2018-12126 Microarchitectural Store Buffer Data Sampling (MSBDS)
    • CVE-2018-12130 Microarchitectural Fill Buffer Data Sampling (MFBDS)
    • CVE-2018-11091 Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

    To Intel's knowledge, there has been no use of these vulnerabilities outside the research community.

    The older generations of processors offered by 3DS OUTSCALE are currently impacted by these vulnerabilities. On the other hand, the new generations of processors (Skylake) are not affected.

    Given the complexity of the attack and the necessary prerequisites, the exploitation of these vulnerabilities remains highly theoretical. However, it is possible for 3DS OUTSCALE clients to ensure that they do not share hypervisors with other clients by using the Dedicated option (https://wiki.outscale.net/display/EN/About+Instances#AboutInstances-InstanceTenancyandDedicatedInstances). This makes it possible to mitigate vulnerability to external attackers with certainty.

    Also, an upgrade of our servers is planned in the coming days to mitigate some aspects of these vulnerabilities (including data targeting).

    We are of course keeping a continuous security watch on the subject. 3DS OUTSCALE works closely with Intel teams and other vendors to mitigate and correct such vulnerabilities as soon as they are discovered.


    Author: Edouard CAMOIN

    Since 2015, Edouard Camoin has been in charge of information systems security at 3DS OUTSCALE and his mission is to manage information security risk management and the implementation of security solutions necessary to protect data hosted by 3DS OUTSCALE's customers. Edouard Camoin holds a DUT in computer science from Paris Descartes University and a master's degree in information systems security from Rouen University. He obtained ISO/IEC 27001 Lead Implementer certification in February 2018.