RIDL, Fallout and ZombieLoad vulnerabilities

    Cybersecurity, Security - Posted on 05/15/2019 by Edouard CAMOIN (3DS OUTSCALE)

    Recent articles refer to a new security vulnerability on Intel processors.

    The vulnerabilities named RIDL, Fallout and ZombieLoad correspond to the following CVEs:

    • CVE-2018-12127 Microarchitectural Load Port Data Sampling (MLPDS)
    • CVE-2018-12126 Microarchitectural Store Buffer Data Sampling (MSBDS)
    • CVE-2018-12130 Microarchitectural Fill Buffer Data Sampling (MFBDS)
    • CVE-2018-11091 Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

    To Intel's knowledge, there has been no use of these vulnerabilities outside the research community.

    The older generations of processors offered by 3DS OUTSCALE are currently impacted by these vulnerabilities. On the other hand, the new generations of processors (Skylake) are not affected.

    Given the complexity of the attack and the necessary prerequisites, the exploitation of these vulnerabilities remains highly theoretical. However, 3DS OUTSCALE clients can ensure that they do not share hypervisors with other clients by using the Dedicated option (https://wiki.outscale.net/display/EN/About+Instances#AboutInstances-InstanceTenancyandDedicatedInstances). This mitigates the vulnerability with respect to external attackers with certainty.

    Also, an upgrade of our servers is planned in the coming days to mitigate some aspects of these vulnerabilities (including data targeting).

    We are of course keeping a continuous security watch on the subject. 3DS OUTSCALE works closely with Intel teams and other vendors to mitigate and correct such vulnerabilities as soon as they are discovered.

     

    Author: Edouard CAMOIN (3DS OUTSCALE)

    Since 2015, Edouard Camoin has served as Chief Information Security Officer at 3DS OUTSCALE. His mission centers on managing information security risks and implementing the security solutions needed to protect the data hosted by 3DS OUTSCALE's clients. Edouard Camoin holds a DUT in Computer Science from Université Paris Descartes and a Master's degree in Information Systems Security from Université de Rouen. He has also held an ISO/IEC 27001 Lead Implementer certification since February 2018.
