5.6 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
4.7 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:C/I:N/A:N
0.001 Low
EPSS
Percentile
23.9%
! [](/Article/UploadPic/2019-5/2019515185455532. png)
Security personnel recently discovered for Intel processor of the new side channel attack, which is also following the earlier Meltdown, the Spectre and Foreshadow after a fairly serious security problems. This vulnerability may allow an attacker to obtain the current processor is processing the data.
For the speculative execution of the new attack mode
With three previous side-channel attacks in a similar way, the new attack is the use of the processor’s speculative execution problems in the process.
This vulnerability whereby the former involved in the Meltdown, the Spectre of vulnerability research on the part of the security personnel, as well as Bitdefender security personnel of the joint discovery, which is actually for the micro-architecture of the data sampling(MDS)attack, you can use the micro-architecture of the speculative execution of the operation to infer other applications on the processor in the data processing.
Currently such(MDS)attack has four kinds, respectively is directed to the storage buffer area of the attack CVE-2018-12126/Fallout, the loading buffer CVE-2018-12127, and a line fill buffer CVE-2018-12130/Zombieload/RIDL, and the memory area CVE-2019-11091 it. Wherein Zombieload is severity the highest, to be able to get the maximum amount of data.
The scope of the impact
Recently published research papers mentioned, since 2011 the release of all Intel processors is likely to be affected, especially the cloud hosting services may be subject to larger shocks. There are already part of the security personnel posted some demo videos, here you can watch(1、2、3)。 The demo showed Zombieload attack can achieve a breakthrough between applications of the privacy protection function to obtain sensitive information.
Bug fixes
Currently Intel has released a microcode update, and the new processor will not be affected. Expect Microsoft, Apple and Linux each release will also soon launch a system update to mitigate this vulnerability.
At the same time Intel also noted that the MDS attacks actually use the higher difficulty, its practical impact is not so large.
The current security personnel have been Zombieload establish a website and publish the research papers, bug fixes navigation and other content, the user can timely update: https://zombieloadattack.com/ the.
5.6 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
4.7 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:C/I:N/A:N
0.001 Low
EPSS
Percentile
23.9%