CPUs Under Attack: ZombieLoad returns in new variant and TPM-FAIL vulnerabilities put billions of devices at risk

• ZombieLoad 2 works against older as well as recent Intel processors including Cascade Lake architecture.
• Encryption keys, passwords, and digital certificates of billions of device owners could be at risk due to the newly discovered vulnerabilities.

A group of university researchers reported ZombieLoad 2 attack on Intel's newer line of CPUs. The other team of researchers found two CPU vulnerabilities in the TPM chips manufactured by STMicroelectronics or firmware-based Intel TPMs.

In the headlines

A group of university researchers, who also helped uncover the infamous Spectre and Meltdown flaws, reported a new variant of ZombieLoad that exploits the Transactional Synchronization Extensions (TSX) Asynchronous Abort operation in Intel processors. Dubbed as CVE-2019-11135, ZombieLoad v2 works against older as well as recent Intel processors including Cascade Lake as per an advisory released by Intel. The first variant of ZombieLoad was discovered earlier this year in May.

Meanwhile, another team of cybersecurity researchers have recently disclosed the details of two severe CPU vulnerabilities:

• CVE-2019-11090 that affects Intel fTPM
• CVE-2019-16863 that affects STMicroelectronics TPM chip

These two flaws are together referred to as TPM-Fail vulnerabilities. It allows attackers to retrieve cryptographic keys protected inside Trusted Platform Module (TPM) chips which are part of many modern processors. The research team has also published a proof-of-concept exploit on Github. The affected chips are deployed in billions of devices including desktops, laptops, smartphones, servers, and Internet-of-Things (IoT) devices.

Threat potential of new findings

ZombieLoad v2, just like the Spectre and Meltdown, exploits the speculative execution technique modern microprocessors use to speed up their operation.

• Using this vulnerability, local attackers or malware running on a vulnerable machine can snoop on processor cores and steal sensitive data from the operating system kernel.
• An attacker with access to the system can lift passwords, keys, and more from other running software.

The TPM-Fail vulnerabilities, on the other side, can be exploited by an adversary to leverage a timing-based side-channel attack to recover cryptographic keys.

• According to researchers, "A privileged adversary can exploit the OS kernel to perform accurate timing measurement of the TPM, and thus discover and exploit timing vulnerabilities in cryptographic implementations running inside the TPM."
• Encryption keys, passwords, and digital certificates of billions of device owners could be at risk.

Patch Tuesday patched it all

As per Intel, the ZombieLoad v2 vulnerability (which Intel tracks as "TAA attack" in its own documentation) is not as threatening as claimed by the researchers.

• Yesterday, Intel released microcode (CPU firmware) updates addressing ZombieLoad v2.
• Intel and STMicroelectronics just released a patch for products affected with TMP-Fail vulnerabilities. These were, however, reported in February this year by the researchers.

Microsoft has provided customers with guidance to disable the Intel TSX capability on systems featuring vulnerable Intel processors to block potential ZombieLoad 2 attacks.

Article Updated on November 14 to mention guidance issued by Microsoft.