TSX Speculative Attack

A new speculative vulnerability called ZombieLoad 2, or TSX Asynchronous Abort, has been disclosed today that targets the Transactional Synchronization Extensions (TSX) feature in Intel processors.

Using this vulnerability, local attackers or malware can steal sensitive data from the operating system kernel or other processes.

Performance in modern CPUs is increased through speculative execution, a feature that runs instructions before it is known whether they are needed. If they are required, the task completes faster; otherwise, the data is discarded.

Attacks that target this feature are called speculative execution side-channel attacks.

In May 2019, new speculative execution attacks called RIDL, Fallout, and ZombieLoad were disclosed that could allow a malicious program to steal sensitive data from memory locations that it normally could not access. This is demonstrated in the ZombieLoad video below.

While microcode updates and software-based protections were released to mitigate these older vulnerabilities, it was disclosed today that a new version of the ZombieLoad attacks can bypass current defenses and even affect processors in the Intel Cascade Lake CPU family.

Targeting Intel Transactional Synchronization Extensions
In a new MDS attack titled "Transaction Asynchronous Abort" (TAA), which has been assigned CVE-2019-11135, the same researchers who discovered the ZombieLoad attacks also found a similar weakness in the Intel Transactional Synchronization Extensions (Intel TSX).

Intel TSX is a CPU feature that aims to improve performance by adding hardware transactional memory, in which the operations on shared memory and the data it stores are either applied altogether or discarded (aborted) altogether. This allows read and write operations to shared data without the performance overhead of lock-based memory access.

According to an advisory by Intel, aborting memory transactions may permit processes to compute the data found in other running processes; this includes the operating system kernel. In this context, sensitive data such as encryption keys, passwords, or other important information could be accessed by a malicious program or an attacker.

Intel TSX supports atomic memory transactions that are either committed or aborted. When an Intel TSX memory transaction is aborted, either synchronously or asynchronously, all earlier memory writes inside the transaction are rolled back to the state before the transaction start. While an Intel TSX asynchronous abort (TAA) is pending, certain loads inside the transaction that are not yet completed may read data from microarchitectural structures and speculatively pass that data to dependent operations. This may cause microarchitectural side effects, which can later be measured to infer the value of the data in the microarchitectural structures.

The weakness is in the abort stage, which also gives the vulnerability its name, "Transaction Asynchronous Abort".

Intel states that this bug affects a wide range of Intel CPUs, including their Cascade Lake line of processors, which are not affected by other Microarchitectural Data Sampling (MDS) vulnerabilities such as Fallout and RIDL.

A demonstration of the ZombieLoad MDS attacks can be seen in the video below.

With today's November 2019 Patch Tuesday, Microsoft has released security updates that mitigate these vulnerabilities in Windows Server and Windows Client OS Editions.

The list of CPUs that Intel states are vulnerable can be found in the table below.

Product Collection: 10th Generation Intel® Core™ Processor Family
Product Names:
  Intel® Core™ Processor i7-10510Y, i5-10310Y
  Intel® Core™ Processor i5-10210Y, i5-10110Y
  Intel® Core™ Processor i7-8500Y
  Intel® Core™ Processor i5-8310Y, i5-8210Y, i5-8200Y
  Intel® Core™ Processor m3-8100Y
Vertical Segment: Mobile
CPUID: 806EC
Platform ID: 94

Product Collection: 2nd Generation Intel® Xeon® Scalable Processors
Product Names:
  Intel® Xeon® Platinum Processor 8253, 8256, 8260, 8260L, 8260M, 8260Y, 8268, 8270, 8276, 8276L, 8276M, 8280, 8280L, 8280M, 9220, 9221, 9222, 9242, 9282
  Intel® Xeon® Gold Processor 5215, 5215L, 5215M, 5215R, 5217, 5218, 5218B, 5218N, 5218T, 5220, 5220R, 5220S, 5220T, 5222, 6222V, 6226, 6230, 6230N, 6230T, 6234, 6238, 6238L, 6238M, 6238T, 6240, 6240L, 6240M, 6240Y, 6242, 6244, 6246, 6248, 6252, 6252N, 6254, 6262V
  Intel® Xeon® Silver Processor 4208, 4208R, 4209T, 4210, 4210R, 4214, 4214C, 4214R, 4214Y, 4215, 4216, 4216R
  Intel® Xeon® Bronze Processor 3204, 3206R
Vertical Segment: Server
CPUID: 50657
Platform ID: BF

Product Collection: Intel® Xeon® W Processor Family
Product Names:
  Intel® Xeon® Processor W-3275M, W-3275, W-3265M, W-3265, W-3245M, W-3245, W-3235, W-3225, W-3223, W-2295, W-2275, W-2265, W-2255, W-2245, W-2235, W-2225, W-2223
Vertical Segment: Workstation
CPUID: 50657
Platform ID: BF

Product Collection: 9th Generation Intel® Core™ Processor Family
Product Names:
  Intel® Core™ Processor i9-9980HK, 9880H
  Intel® Core™ Processor i7-9850H, 9750HF
  Intel® Core™ Processor i5-9400H, 9300H
Vertical Segment: Mobile
CPUID: 906ED
Platform ID: 22

Product Collection: 9th Generation Intel® Core™ Processor Family
Product Names:
  Intel® Core™ Processor i9-9900K, i9-9900KF
  Intel® Core™ Processor i7-9700K, i7-9700KF
  Intel® Core™ Processor i5-9600K, i5-9600KF, i5-9400, i5-9400F
Vertical Segment: Desktop
CPUID: 906ED
Platform ID: 22

Product Collection: Intel® Xeon® Processor E Family
Product Names:
  Intel® Xeon® Processor E-2288G, E-2286M, E-2278GEL, E-2278GE, E-2278G
Vertical Segment: Workstation / Server / AMT Server
CPUID: 906ED
Platform ID: 22

Product Collection:
  10th Generation Intel® Core™ Processor Family
  Intel® Pentium® Gold Processor Series
  Intel® Celeron® Processor 5000 Series
Product Names:
  Intel® Core™ Processor i7-10510U
  Intel® Core™ Processor i5-10210U
  Intel® Pentium® Gold Processor 6405U
  Intel® Celeron® Processor 5305U
Vertical Segment: Mobile
CPUID: 806EC
Platform ID: 94

Product Collection: 8th Generation Intel® Core™ Processors
Product Names:
  Intel® Core™ Processor i7-8565U, i7-8665U
  Intel® Core™ Processor i5-8365U, i5-8265U
Vertical Segment: Mobile
CPUID: 806EC
Platform ID: 94
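
For inventory purposes, the CPUID values in the table above can be decoded into the family, model and stepping numbers that Linux prints in /proc/cpuinfo. The following is an added example, not code from the article or from Intel; the function names and the sample cpuinfo text are constructed for illustration, and the `rtm` flag is the name Linux uses for the TSX transactional-memory feature.

```python
# CPUID signatures (CPUID leaf 1, EAX) copied from the table above.
LISTED_CPUIDS = ("806EC", "50657", "906ED")

def decode_signature(sig_hex):
    """Split a CPUID leaf-1 EAX signature into (family, model, stepping)."""
    eax = int(sig_hex, 16)
    stepping = eax & 0xF
    base_model = (eax >> 4) & 0xF
    base_family = (eax >> 8) & 0xF
    ext_model = (eax >> 16) & 0xF
    ext_family = (eax >> 20) & 0xFF
    family = base_family + ext_family if base_family == 0xF else base_family
    # The extended model bits only apply to families 6 and 15.
    model = (ext_model << 4) | base_model if base_family in (0x6, 0xF) else base_model
    return family, model, stepping

LISTED = {decode_signature(s): s for s in LISTED_CPUIDS}

def parse_cpuinfo(text):
    """Return (family, model, stepping, has_rtm) for the first CPU in cpuinfo text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() not in fields:
            fields[key.strip()] = value.strip()
    ident = tuple(int(fields[k]) for k in ("cpu family", "model", "stepping"))
    has_rtm = "rtm" in fields.get("flags", "").split()
    return ident + (has_rtm,)

def check(text):
    """Match a cpuinfo dump against the listed CPUIDs and report whether TSX (rtm) is exposed."""
    family, model, stepping, has_rtm = parse_cpuinfo(text)
    return {"listed_cpuid": LISTED.get((family, model, stepping)),
            "tsx_rtm_exposed": has_rtm}

# Constructed sample input (hypothetical host, not captured from a real system).
SAMPLE = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 85
model name\t: Intel(R) Xeon(R) Gold 6230 CPU @ 2.10GHz
stepping\t: 7
flags\t\t: fpu vme sse2 hle avx2 rtm avx512f
"""

if __name__ == "__main__":
    print(check(SAMPLE))  # on a Linux host: check(open("/proc/cpuinfo").read())
```

On Linux kernels that carry the TAA mitigation, the kernel's own assessment is reported in /sys/devices/system/cpu/vulnerabilities/tsx_async_abort, which is the authoritative status for a running system.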