TSX Speculative Attack
A new speculative vulnerability called ZombieLoad 2, or TSX Asynchronous Abort, has been disclosed today that targets the Transactional Synchronization Extensions (TSX) feature in Intel processors.
Using this vulnerability, local attackers or malware can steal sensitive data from the operating system kernel or other processes.
Performance in modern CPUs is increased through speculative execution, a feature that runs instructions before it is known whether they are needed. If they are required, the task completes faster; otherwise, the data is discarded.
Attacks that target this feature are called speculative execution side-channel attacks.
In May 2019, new speculative execution attacks called RIDL, Fallout, and ZombieLoad were disclosed that could allow a malicious program to steal sensitive data from memory locations that it normally could not access. This is demonstrated in the ZombieLoad video below.
While microcode updates and software-based protections were released to mitigate these older vulnerabilities, it was disclosed today that a new version of the ZombieLoad attacks can bypass current defenses and even affect processors in the Intel Cascade Lake CPU family.
Targeting Intel Transactional Synchronization Extensions
With a new MDS attack titled "Transaction Asynchronous Abort" (TAA), assigned CVE-2019-11135, the same researchers who discovered the ZombieLoad attacks also found a similar weakness in the Intel Transactional Synchronization Extensions (Intel TSX).
Intel TSX is a CPU feature that aims to improve performance by adding hardware transactional memory, in which a group of operations on shared memory and the data it stores is either used altogether or aborted and discarded altogether. This allows read and write operations to shared data without the performance overhead of lock-based memory access.
According to an advisory by Intel, aborting memory transactions may permit processes to infer the data found in other running processes; this includes the operating system kernel. In this context, sensitive data such as encryption keys, passwords, or other important information could be accessed by a malicious program or an attacker.
Intel TSX supports atomic memory transactions that are either committed or aborted. When an Intel TSX memory transaction is aborted, either synchronously or asynchronously, all earlier memory writes inside the transaction are rolled back to the state before the transaction start. While an Intel TSX asynchronous abort (TAA) is pending, certain loads inside the transaction that are not yet completed may read data from microarchitectural structures and speculatively pass that data to dependent operations. This may cause microarchitectural side effects, which can later be measured to infer the value of the data in the microarchitectural structures.
The weakness is in the abort stage, which also gives the vulnerability its name, "Transaction Asynchronous Abort".
Intel states that this bug affects a wide range of Intel CPUs, including their Cascade Lake line of processors, which are not affected by other Microarchitectural Data Sampling (MDS) vulnerabilities such as Fallout and RIDL.
A demonstration of the ZombieLoad MDS attacks can be seen in the video below.
With today's November 2019 Patch Tuesday, Microsoft has released security updates that mitigate these vulnerabilities in Windows Server and Windows Client OS Editions.
The list of CPUs that Intel states are vulnerable can be found in the table below.
| Product Collection | Product Names | Vertical Segment | CPUID | Platform ID |
| --- | --- | --- | --- | --- |
| 10th Generation Intel® Core™ Processor Family | Intel® Core™ Processor i7-10510Y, i5-10310Y; Intel® Core™ Processor i5-10210Y, i5-10110Y; Intel® Core™ Processor i7-8500Y; Intel® Core™ Processor i5-8310Y, i5-8210Y, i5-8200Y; Intel® Core™ Processor m3-8100Y | Mobile | 806EC | 94 |
| 2nd Generation Intel® Xeon® Scalable Processors | Intel® Xeon® Platinum Processor 8253, 8256, 8260, 8260L, 8260M, 8260Y, 8268, 8270, 8276, 8276L, 8276M, 8280, 8280L, 8280M, 9220, 9221, 9222, 9242, 9282; Intel® Xeon® Gold Processor 5215, 5215L, 5215M, 5215R, 5217, 5218, 5218B, 5218N, 5218T, 5220, 5220R, 5220S, 5220T, 5222, 6222V, 6226, 6230, 6230N, 6230T, 6234, 6238, 6238L, 6238M, 6238T, 6240, 6240L, 6240M, 6240Y, 6242, 6244, 6246, 6248, 6252, 6252N, 6254, 6262V; Intel® Xeon® Silver Processor 4208, 4208R, 4209T, 4210, 4210R, 4214, 4214C, 4214R, 4214Y, 4215, 4216, 4216R; Intel® Xeon® Bronze Processor 3204, 3206R | Server | 50657 | BF |
| Intel® Xeon® W Processor Family | Intel® Xeon® Processor W-3275M, W-3275, W-3265M, W-3265, W-3245M, W-3245, W-3235, W-3225, W-3223, W-2295, W-2275, W-2265, W-2255, W-2245, W-2235, W-2225, W-2223 | Workstation | 50657 | BF |
| 9th Generation Intel® Core™ Processor Family | Intel® Core™ Processor i9-9980HK, 9880H; Intel® Core™ Processor i7-9850H, 9750HF; Intel® Core™ Processor i5-9400H, 9300H | Mobile | 906ED | 22 |
| 9th Generation Intel® Core™ Processor Family | Intel® Core™ Processor i9-9900K, i9-9900KF; Intel® Core™ Processor i7-9700K, i7-9700KF; Intel® Core™ Processor i5-9600K, i5-9600KF, i5-9400, i5-9400F | Desktop | 906ED | 22 |
| Intel® Xeon® Processor E Family | Intel® Xeon® Processor E-2288G, E-2286M, E-2278GEL, E-2278GE, E-2278G | Workstation / Server / AMT Server | 906ED | 22 |
| 10th Generation Intel® Core™ Processor Family; Intel® Pentium® Gold Processor Series; Intel® Celeron® Processor 5000 Series | Intel® Core™ Processor i7-10510U; Intel® Core™ Processor i5-10210U; Intel® Pentium® Gold Processor 6405U; Intel® Celeron® Processor 5305U | Mobile | 806EC | 94 |
| 8th Generation Intel® Core™ Processors | Intel® Core™ Processor i7-8565U, i7-8665U; Intel® Core™ Processor i5-8365U, i5-8265U | Mobile | 806EC | 94 |
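For triage on Linux hosts, the following added example (not from the original article or Intel's advisory) rebuilds the CPUID signature from /proc/cpuinfo fields and compares it with the CPUID column of the table above, and also reports whether the rtm flag shows TSX as exposed. The sample input is constructed, and the function names are hypothetical.

```python
import os
import re

# CPUID values copied from the table on this page (Platform ID is not checked).
LISTED_CPUIDS = {0x806EC, 0x50657, 0x906ED}

# Constructed sample in Linux /proc/cpuinfo format, not captured from a real host.
SAMPLE_CPUINFO = """\
processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model       : 85
stepping    : 7
flags       : fpu vme sse2 hle rtm avx2

processor   : 1
vendor_id   : GenuineIntel
cpu family  : 6
model       : 158
stepping    : 10
flags       : fpu vme sse2 avx2
"""

def cpuid_signature(family, model, stepping):
    """Rebuild CPUID leaf 1 EAX from displayed family/model/stepping (type bits = 0)."""
    base_family = min(family, 0xF)
    ext_family = family - 0xF if family > 0xF else 0
    # The extended model field is only used for base families 6 and 15.
    ext_model = model >> 4 if base_family in (0x6, 0xF) else 0
    return ((ext_family << 20) | (ext_model << 16) | (base_family << 8)
            | ((model & 0xF) << 4) | (stepping & 0xF))

def assess(cpuinfo_text):
    """Return one dict per logical Intel CPU: signature, rtm (TSX) flag, table match."""
    results = []
    for block in re.split(r"\n\s*\n", cpuinfo_text.strip()):
        fields = {k.strip(): v.strip() for k, _, v in
                  (line.partition(":") for line in block.splitlines())}
        if fields.get("vendor_id") != "GenuineIntel":
            continue
        sig = cpuid_signature(int(fields["cpu family"]), int(fields["model"]),
                              int(fields["stepping"]))
        results.append({"cpuid": f"{sig:X}",
                        "tsx_rtm": "rtm" in fields.get("flags", "").split(),
                        "listed": sig in LISTED_CPUIDS})
    return results

if __name__ == "__main__":
    path = "/proc/cpuinfo"  # falls back to the constructed sample off Linux
    text = open(path).read() if os.path.exists(path) else SAMPLE_CPUINFO
    print(assess(text))
```

A CPUID that is not in the set only means the part is not in this article's table; the stepping is part of the match, which is why the second sample CPU (906EA) does not match 906ED.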