Intel announced in May a Microarchitectural Data Sampling (MDS) problem that attackers could exploit to extract information from its processors despite their built-in safeguards. Today it revealed that MDS was an even bigger problem than many people realized by announcing a new TSX Asynchronous Abort (TAA) vulnerability. Intel also disclosed a new Jump Conditional Code (JCC) erratum today and released a patch that does have a performance impact (which we'll cover further below).
The researchers who discovered both security flaws, however, said there's nothing new about TAA: they said they disclosed the vulnerability to Intel over a year ago, and it is only now being made public.
A quick refresher on MDS: we said in May that it's "a speculative execution side-channel attack that may allow malicious actors to locally execute code to extract sensitive data that would otherwise be protected by Intel processors’ architectural mechanisms." The vulnerabilities affected basically every Intel processor--with the notable exception of those based on the company's Whiskey Lake, Atom, and Knights architectures--released between 2011 and 2018.
Intel said at the time that it would take significant changes to various operating systems and other core parts of PC software to fully address the MDS vulnerabilities. In the meantime, it recommended disabling Hyper-Threading, continuing the trend of side-channel attacks undermining Intel's simultaneous multi-threading technology. We found that its mitigations for the MDS vulnerabilities (among others) also had a significant effect on the performance of SSDs used by systems featuring Intel CPUs.
VUSec, CISPA, and other security organizations shared more information about MDS, TAA and related vulnerabilities on the "MDS Attacks" website. The groups said they disclosed the MDS flaw and TAA vulnerability to Intel in September 2018. Because they coordinated the public disclosure of those issues with Intel, they didn't say anything until May, and it turns out that even then they weren't able to offer the public full details about the vulnerabilities or Intel's response to them until today.
Today's update to MDS Attacks revealed TAA, alignment faults that give "an attacker yet another way of leaking data" in all but the most recent Intel processors, flawed MDS mitigations, and a new RIDL test suite that can be found on GitHub. The organizations also said in their TL;DR that "an attacker can mount a RIDL attack despite the in-silicon mitigations/microcode patches published in May 2019 being in place." (Which is the kind of TL;DR that makes people actually want to read more.)
Intel also revealed that TAA affects even more processors than the MDS vulnerabilities it shared in May. In the "Deep Dive: Intel® Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort" report it published today, the company said that certain Whiskey Lake, Cascade Lake, and Coffee Lake R processors that support its Intel TSX technology are affected by this vulnerability. That means even the company's latest processors aren't safe from these issues.
The company said, "malicious application software executed by an authenticated user may be able to infer the values of data accessed on the same physical core" by exploiting TAA. That means they could glean information about:
- Other applications
- Operating System (OS)
- System Management Mode (SMM)
- Intel Software Guard Extensions (Intel SGX) enclaves
- Virtual Machine Manager (VMM) if present
- Other guests running under the same VMM
More information about TAA is available via Intel's website and MDS Attacks.
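A defender-side check that follows from the affected-processor description above, written as an added example (not Intel's or the researchers' code): it reads the TSX CPUID flags (hle/rtm) from /proc/cpuinfo and the Linux kernel's sysfs mitigation reports for mds and tsx_async_abort, and flags the SMT exposure the quoted advisory describes. It assumes a Linux kernel recent enough to expose tsx_async_abort under /sys/devices/system/cpu/vulnerabilities/; the sample inputs are constructed.

```python
import os
import re

# Where the Linux kernel (5.4+ and distro backports) reports mitigation state.
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
SMT_ACTIVE = "/sys/devices/system/cpu/smt/active"
# Constructed sample inputs standing in for a live host, so the check runs offline.
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme de pse tsc msr pae mce cx8 sse2 ht syscall nx hle rtm avx2 md_clear\n"
SAMPLE_SYSFS = {
    "mds": "Mitigation: Clear CPU buffers; SMT vulnerable",
    "tsx_async_abort": "Vulnerable",
    "smt_active": "1",
}

def cpu_flags(cpuinfo_text):
    """Return the flag set from a /proc/cpuinfo dump (hle/rtm = TSX, md_clear = MDS microcode)."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.M)
    return set(m.group(1).split()) if m else set()

def assess(cpuinfo_text, sysfs):
    """Summarise exposure as the advisory frames it: TSX present, kernel TAA/MDS state, SMT active."""
    flags = cpu_flags(cpuinfo_text)
    taa = sysfs.get("tsx_async_abort") or "unknown"
    mds = sysfs.get("mds") or "unknown"
    smt = sysfs.get("smt_active") == "1"
    findings = []
    if "hle" in flags or "rtm" in flags:
        findings.append("TSX (hle/rtm) advertised: processor is in scope for TAA")
    if taa.startswith("Vulnerable"):
        findings.append("kernel reports tsx_async_abort unmitigated")
    if smt and ("SMT vulnerable" in taa or "SMT vulnerable" in mds):
        findings.append("SMT active: the sibling thread on the same physical core remains exposed")
    return {"tsx": "hle" in flags or "rtm" in flags, "md_clear": "md_clear" in flags,
            "tsx_async_abort": taa, "mds": mds, "smt_active": smt, "findings": findings}

def read_host():
    """Collect the same inputs from a live Linux host; files that are absent yield None."""
    def slurp(path):
        try:
            return open(path).read().strip()
        except OSError:
            return None
    sysfs = {name: slurp(os.path.join(VULN_DIR, name)) for name in ("mds", "tsx_async_abort")}
    sysfs["smt_active"] = slurp(SMT_ACTIVE)
    return slurp("/proc/cpuinfo") or "", sysfs

if __name__ == "__main__":
    for line in assess(*read_host())["findings"] or ["no TAA-related findings"]:
        print(line)
```

On the constructed sample the check reports all three findings; a host whose kernel reports "Not affected" for both entries and advertises no hle/rtm flags reports none.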
But Wait, There's More!
The new TAA vulnerability wasn't the only flaw affecting Intel processors revealed today. Phoronix reported on a Jump Conditional Code (JCC) erratum affecting CPUs based on the Skylake architecture and its descendants. This is said to be "a bug involving the CPU's Decoded ICache" that meant "unpredictable behavior could happen when jump instructions cross cache lines." Intel released microcode updates to address the flaw, but unsurprisingly, that affected performance.
Phoronix said that "Intel's official guidance coming out today states their observed performance effects from this microcode update to be in the range of 0~4%" with some outliers. The outlet's benchmarks showed that the "microcode update does cause a hit of generally up to a couple percent," but with the caveat that in "select real-world workloads the impact is greater." Check out the full report for more info.