Microarchitectural Data Sampling on Chrome OS (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091)

Vulnerability Impact

Microarchitectural Data Sampling (MDS) is a group of vulnerabilities that allow an attacker to potentially read sensitive data. If Chrome processes are attacked, this sensitive data could include website contents as well as passwords, credit card numbers, or cookies. The vulnerabilities can also be exploited to read host memory from inside a virtual machine, or by an Android app to read privileged process memory (e.g. keymaster). See below for affected devices.

Chrome OS Response

To protect users, Chrome OS 74 disables Hyper-Threading by default. For the majority of our users, whose workflows are primarily interactive, this mitigates the security risk of MDS without a noticeable loss of responsiveness. Chrome OS 75 will contain additional mitigations.

Users concerned about the performance loss, such as those running CPU-intensive workloads, may enable Hyper-Threading on a per-machine basis. The setting is located at chrome://flags#scheduler-configuration. The "performance" setting chooses the configuration that enables Hyper-Threading; the "conservative" setting chooses the configuration that disables Hyper-Threading. Enterprises that wish to set Hyper-Threading policy organizationally may use the enterprise policy named "SchedulerConfiguration".

Hyper-Threading Policy Guidance

The decision to disable or enable Hyper-Threading is a security versus performance tradeoff. With Hyper-Threading disabled, Intel CPUs may experience reduced performance, which varies depending on the workload. With Hyper-Threading enabled, however, users could execute code, such as by visiting a website or running an Android app, that exploits MDS to read sensitive memory contents. As of May 14th, 2019, Google is not aware of any active exploitation of the MDS vulnerabilities.
Users and customers who process particularly sensitive data on their Chrome OS devices are nonetheless advised to disable Hyper-Threading as a measure of caution.

Vulnerability Description

Microarchitectural Data Sampling (MDS) refers to a set of speculative execution side-channel vulnerabilities on certain Intel CPUs which potentially allow the results of previous execution on a core to be observed across security boundaries via microarchitectural state. They are described in Intel's announcement, and referred to as MSBDS/CVE-2018-12126, MLPDS/CVE-2018-12127, MFBDS/CVE-2018-12130, and MDSUM/CVE-2019-11091. See below for more details.

Microarchitectural Store Buffer Data Sampling (MSBDS) and Microarchitectural Fill Buffer Data Sampling (MFBDS) (CVE-2018-12126 and CVE-2018-12130 respectively)

Intel CPUs use microarchitectural data structures known as the fill buffer and the store buffer. The fill buffer contains loaded data pending insertion into the L1 cache. The store buffer contains stored data pending write to the memory subsystem. Concurrently executing threads on the same physical CPU core may potentially read the contents of prior entries in these buffers: a speculatively executed load can be forwarded stale data from them, and that data is then observable through a timing side channel.

Microarchitectural Load Port Data Sampling (MLPDS) (CVE-2018-12127)

Load ports are used by the CPU to perform load operations from memory or I/O. The bus in the load ports may retain data from old operations, allowing one process to leak data from another process through speculative execution side channels.

Microarchitectural Data Sampling Uncacheable Memory (MDSUM) (CVE-2019-11091)

Uncacheable memory (UC) is read from RAM without filling the CPU's cache with a new line. However, uncacheable memory still moves through the store buffers, fill buffers, and load ports, allowing data stored in UC regions to be leaked via the mechanisms described above.
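Because every MDS variant above is sampled by a sibling thread on the same physical core, the practical check on a device is whether the kernel's MDS mitigation is active and whether SMT (Hyper-Threading) is actually off. The following shell script is an added example, not code from this page or from the Chrome OS project: it reads the status lines the Linux kernel reports under /sys and maps them to a verdict. It assumes the device kernel carries the upstream MDS reporting in /sys/devices/system/cpu/vulnerabilities/mds and the /sys/devices/system/cpu/smt/control file; the matched strings are the ones the upstream kernel emits, and the verdict names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the Chromium OS page: turn the kernel's MDS
# and SMT (Hyper-Threading) status files into a single verdict. Assumes the
# upstream sysfs interface is present; paths and strings are upstream's.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds
SMT_SYSFS=/sys/devices/system/cpu/smt/control

# mds_verdict LINE: map one line of the mds file to a single word.
#   not-affected  CPU does not have the MDS bugs
#   mitigated     buffers are cleared on privilege transitions and no sibling
#                 thread can sample them (SMT off, or an MSBDS-only CPU)
#   smt-exposed   buffers are cleared, but a sibling thread on the same core
#                 can still sample them: Hyper-Threading is on
#   unmitigated   no microcode, or the mitigation was turned off
#   unknown       under a hypervisor the host SMT state is not visible,
#                 or the line is not one this script recognises
mds_verdict() {
  case "$1" in
    "Not affected")                                           echo not-affected ;;
    "Mitigation: Clear CPU buffers; SMT disabled")            echo mitigated ;;
    "Mitigation: Clear CPU buffers; SMT mitigated")           echo mitigated ;;
    "Mitigation: Clear CPU buffers; SMT vulnerable")          echo smt-exposed ;;
    "Mitigation: Clear CPU buffers; SMT Host state unknown")  echo unknown ;;
    Vulnerable*)                                              echo unmitigated ;;
    *)                                                        echo unknown ;;
  esac
}

# smt_verdict VALUE: normalise the smt/control file. "on" is what the page's
# "performance" setting selects and "off" what "conservative" selects;
# "forceoff" is off and cannot be re-enabled until the next boot.
smt_verdict() {
  case "$1" in
    on)                           echo on ;;
    off|forceoff)                 echo off ;;
    notsupported|notimplemented)  echo notsupported ;;
    *)                            echo unknown ;;
  esac
}

# acceptable VERDICT: succeed only when no action is needed.
acceptable() {
  case "$1" in
    not-affected|mitigated) return 0 ;;
    *)                      return 1 ;;
  esac
}

# first_line FILE: print the file's first line, or nothing if unreadable
# (always exits 0, so it is safe to use under set -e).
first_line() {
  if [ -r "$1" ]; then head -n 1 "$1"; else printf ''; fi
}

# check_device: report the live state; exit status 1 when the device is
# exposed, so a provisioning or compliance script can gate on it.
check_device() {
  mds_line=$(first_line "$MDS_SYSFS")
  smt_line=$(first_line "$SMT_SYSFS")
  verdict=$(mds_verdict "$mds_line")
  printf 'mds:     %s\n' "${mds_line:-<file absent>}"
  printf 'smt:     %s\n' "$(smt_verdict "$smt_line")"
  printf 'verdict: %s\n' "$verdict"
  acceptable "$verdict"
}

check_device || echo 'action: select "conservative" (Hyper-Threading off) or update microcode' >&2
```

On a Chrome OS 74 device at its default ("conservative") setting the mds line should end in "SMT disabled" and the verdict is "mitigated"; switching the flag to "performance" turns the same line into "SMT vulnerable" and the verdict into "smt-exposed", which is the exposure the policy guidance above describes. Inside a Crostini or other VM the host's SMT state is not visible, so the script deliberately reports "unknown" rather than "mitigated".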
Affected Devices

Chrome OS devices with affected Intel CPUs, supported as of May 14th, 2019, are as follows: