Nutanix Security Advisory Intel CPU Vulnerability MDS


Nutanix recently released security advisory 14.v2 to raise awareness of an Intel processor side-channel vulnerability called Microarchitectural Data Sampling (MDS).

MDS is addressed in hardware starting with select 8th and 9th Generation Intel® Core™ processors, as well as the 2nd Generation Intel® Xeon® Scalable processor family. More details can be found here. We expect all future Intel® processors include hardware mitigations addressing these vulnerabilities.

Read more Side Channel Vulnerability Microarchitectural Data Sampling

Summary

Nutanix Product Security was made aware of the latest Intel processor vulnerability, dubbed MDS (Microarchitectural Data Sampling). These flaws require local shell access to a system and, if present and exploited, could allow data in the CPU’s cache to be exposed to unauthorized processes. These vulnerabilities are difficult to execute because of their local access requirement to the host or guest; however, a skilled attacker could use these vectors to read memory from virtual or containerized instances, or the underlying host itself.

Issue Description

The Microarchitectural Data Sampling (MDS) family of vulnerabilities refers to a collection of speculative side-channel vulnerabilities, specifically:

CVE-2018-12126 – Microarchitectural Store Buffer Data Sampling (MSBDS)
CVE-2018-12127 – Microarchitectural Load Port Data Sampling (MLPDS)
CVE-2018-12130 – Microarchitectural Fill Buffer Data Sampling (MFBDS)
CVE-2019-11091 – Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

These vulnerabilities align to functions within modern Intel processors around Load Ports, Store Buffers and Fill Buffers. The Load Port data table is used to store addresses of CPU registers during the loading of data from memory or I/O subsystems. The Store Buffers are a shared buffer scheme that is used during STA (Store Address) and STD (Store Data) speculative operations, while Fill Buffers are used in non-speculative operations.

An attacker may use these mechanisms, under very specific circumstances, to later load and cause a fault in a manner that leaks stale data by way of a side-channel. The MDSUM vulnerability is a special case among the others in that it pertains to uncacheable memory, which was once believed safe in speculative side-channel attacks.

Read more Deep Dive: Intel Analysis of Microarchitectural Data Sampling

Impact

Performance Impacts on Select Data Center Workloads

An attacker with local access could create a malicious untrusted user process on a trusted guest, or even an untrusted guest, and intercept and sample data and recent operations by way of a side-channel, including recently used memory or I/O port writes.

The types of data included are:

  • Previous execution context, including process, guest or hypervisor, at the same privilege level.
  • Higher privilege execution context in cases where the attacker’s execution was interrupted.

For data to be vulnerable, it must reside on the same core as the attacker. If Hyper-Threading is enabled, this includes adjacent threads as well. An attacker is unable to target specific data with these vulnerabilities. Only sampling over a period of time and other methodologies could result in the exposure of meaningful data.

Risks

Attackers exploiting these vulnerabilities within the MDS announcement are unable to target specific data, and would require large inspection and collection periods along with analysis to glean any important data from this exploit.

Additionally, each vulnerability has only a local attack vector, meaning access to the local operating system is required along with the execution of malicious code, to perform the attack.

Therefore, within a single tenant environment that homes trusted systems, the overall risk is lower. However, in multi-tenant environments, or environments that do not house entirely trusted workloads, the risk stands as Moderate.

Nutanix AHV will receive updated microcode and kernel code first, since it has the higher risk profile of UVM to Hypervisor vectors. Systems such as Nutanix AOS are considered trusted systems with mechanisms in place to ensure processes are protected and known, and will receive updates after the hypervisor.

If you run a hypervisor other than AHV, please consult with that vendor for updates as they are made available. Links are provided in the sources section for further information.

Affected Nutanix Products

Updates to processor microcode, and kernel, are required for mitigation.
Intel is releasing processor microcode updates (MCU) as part of our regular update process with OEMs. These are coupled with corresponding updates to operating system and hypervisor software.

Nutanix Products | Fix Release
AHV | 20170830.279, as part of AOS 5.11, 5.10.5 and 5.5.9.5 releases.
Nutanix AOS | AOS 5.11.1, 5.10.x
Prism Central | AOS 5.11.1, 5.10.x
Nutanix Files | AFS 3.6
Foundation | Foundation 4.4.1
Nutanix Move | Move 3.1.0
X-Ray | X-Ray 3.5
Era | Era 1.1

BIOS Updates (Microcode)

Nutanix Platform Family | Fix Release
G4 | Release version TBD. Release GA on August 1st.
G5 | Release version TBD. Release GA on August 1st.
G6 | PB41.002 for Multi-Node systems. PU41.002 for Single-Node system. Release GA on August 1st.

Other Hypervisors Product

Supported Hypervisors | Fix Release
VMware ESXi | VMSA-2019-0008
Microsoft Hyper-V | ADV-190013

Mitigation

In addition to microcode and operating system updates, there are two additional mitigations for concurrent attack vectors.

VMware vSphere ESXi

Enable the side-channel-aware scheduler.

Nutanix AHV

The Nutanix AHV scheduler load balancing behaviour is as follows:

  • If system load < 50%, vCPUs belonging to two different VMs will not be maintained on the same logical core pairing.
  • If system load > 50%, vCPUs belonging to two different VMs will not be on the same logical core pairing for a significant length of time.

This means it will be highly impractical (but not impossible) to build an inter-VM concurrent attack vector on an AHV host with Hyper-Threading enabled, particularly if system load is typically below 50%.

To 100% mitigate the concurrent attack vector, Hyper-Threading can be disabled at the hypervisor level via the instructions in KB6137.
Note that Nutanix does not recommend you disable Hyper-Threading.
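
An added example, not part of the Nutanix advisory or any vendor tooling: a shell check for a Linux host or guest that reads the kernel's MDS status from /sys/devices/system/cpu/vulnerabilities/mds and separates the microcode, kernel and Hyper-Threading findings discussed above. The verdict names and the single/multi tenancy argument are assumptions of this example, and the sample status lines are constructed from the formats the Linux kernel documents.

```shell
#!/bin/sh
# Added example: interpret the Linux kernel's MDS status line.
# Assumption: the kernel is new enough to expose this sysfs file.
MDS_FILE=/sys/devices/system/cpu/vulnerabilities/mds

# classify_mds STATUS -> prints "<base verdict> <SMT verdict>" (names are this example's).
classify_mds() {
    status=$1
    case $status in
        "Not affected"*)                  base=not-affected ;;
        "Mitigation: Clear CPU buffers"*) base=mitigated ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
                                          base=microcode-missing ;;     # BIOS/microcode update pending
        "Vulnerable"*)                    base=kernel-mitigation-off ;; # kernel fix absent or disabled
        *)                                base=unknown ;;
    esac
    case $status in
        *"SMT vulnerable"*)         smt=smt-exposed ;;
        *"SMT mitigated"*)          smt=smt-mitigated ;;
        *"SMT disabled"*)           smt=smt-off ;;
        *"SMT Host state unknown"*) smt=smt-host-unknown ;; # guest cannot see the host's SMT state
        *)                          smt=smt-not-reported ;;
    esac
    echo "$base $smt"
}

# needs_action STATUS TENANCY -> exit status 0 when follow-up is needed.
# TENANCY: "single" (trusted workloads only) or "multi" (untrusted neighbours possible).
needs_action() {
    verdict=$(classify_mds "$1")
    case $verdict in
        not-affected*) return 1 ;;
        mitigated*)    ;;           # updates applied; only the SMT question remains
        *)             return 0 ;;  # microcode or kernel fix missing, or unrecognised
    esac
    [ "$2" = multi ] || return 1    # sibling-thread exposure matters with untrusted tenants
    case $verdict in
        *smt-exposed|*smt-host-unknown) return 0 ;;
    esac
    return 1
}

# Report the live value when the kernel provides one.
if [ -r "$MDS_FILE" ]; then
    echo "this system: $(classify_mds "$(cat "$MDS_FILE")")"
else
    echo "this system: no MDS status file (kernel likely predates the MDS patches)"
fi
# Constructed sample line, shown so the output is visible on any machine.
echo "sample: $(classify_mds "Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown")"
```
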

Conclusion

Intel has already released fix patches for this vulnerability to all OEMs and software vendors so that the issue can be mitigated as soon as possible.
You will need to wait for the patch releases from the applicable vendors.

Thanks for being here!