
Virtuozzo Guidance on the Microarchitectural Data Sampling (MDS) Vulnerabilities

Ivan Loginovskikh

Virtuozzo Announcements


Microarchitectural Data Sampling (MDS) is a group of hardware vulnerabilities that enable speculative execution side channel attacks on Intel processors. A malicious application or guest virtual machine can use these flaws to read data held in the CPU's internal buffers (store buffers, load ports and line fill buffers), bypassing the security boundaries between processes, containers, virtual machines and the host.

List of CVEs

CVE number      Name                                                         Impact     Short description of the attack
CVE-2018-12126  Microarchitectural Store Buffer Data Sampling (MSBDS)        Moderate   A side channel attack against the CPU's store buffers, also known as Fallout.
CVE-2018-12127  Microarchitectural Load Port Data Sampling (MLPDS)           Moderate   A side channel attack against the CPU's load ports.
CVE-2018-12130  Microarchitectural Fill Buffer Data Sampling (MFBDS)         Important  A side channel attack against the CPU's line fill buffers, also known as RIDL or ZombieLoad.
CVE-2019-11091  Microarchitectural Data Sampling Uncacheable Memory (MDSUM)  Moderate   A variant of the three attacks above in which the data sampled from the same CPU buffers was loaded from uncacheable memory.

Advisory links

Platform                               Status     Advisory link
Virtuozzo Infrastructure Platform 2.5  Released   https://help.virtuozzo.com/s/article/VZA-2019-041
Virtuozzo 7                            Released   https://help.virtuozzo.com/s/article/VZA-2019-039
Virtuozzo 6 - Containers               Released   https://help.virtuozzo.com/s/article/VZA-2019-037
Virtuozzo 6 - Virtual Machines         Released   https://help.virtuozzo.com/s/article/VZA-2019-040
Virtuozzo 4.7                          Released   https://help.virtuozzo.com/s/article/VZA-2019-036
Containers for Windows 6.0             Released   https://kb.virtuozzo.com/000017698

Mitigation

Install the Virtuozzo updates as soon as they are available and reboot the server; the kernel mitigation only takes effect once the updated kernel is running. The buffer clearing it relies on also needs updated CPU microcode (from the microcode package or a BIOS update); without it the kernel reports the mitigation as attempted but not effective. Consider disabling Hyper-threading as well (see the SMT discussion below).

 

Mitigation scenarios

  • Virtuozzo server is running containers only, no virtual machines

    • Install the update on the host server, reboot the server.

  • Virtuozzo server is running trusted virtual machines

    • Install the update on the host server and update the guest systems, reboot the server and guest virtual machines.

  • Virtuozzo server is running untrusted virtual machines

    • The host and guest updates alone are not sufficient here: an untrusted guest running on one hyperthread can still sample data that the sibling thread brings into the core's buffers, and the host's buffer clearing does not prevent that. Along with the updates, disable simultaneous multithreading (Hyper-threading) completely. This step is not enabled by default because of its significant performance impact.

SMT discussion

SMT (Hyper-threading in Intel's terms) improves system performance by running two logical processors on each physical core. Because the two threads share the core's store buffers, load ports and fill buffers, the MDS attacks allow a malicious virtual machine guest running on one thread to sample data that the sibling thread has brought into those buffers.

Full mitigation of the vulnerability is therefore not possible without disabling Hyper-threading: the kernel clears the buffers on privilege transitions, but a sibling thread can sample them while they are in use. However, disabling HT severely impacts system performance. If SMT is to be disabled anyway, there are two ways to do it:

  • Disable SMT (Hyper-threading, HT) in system BIOS, or

  • Pass the ‘nosmt’ flag as a kernel boot parameter in the GRUB configuration (the MDS-patched kernels also accept ‘mds=full,nosmt’, which turns on the buffer clearing and disables SMT in one option).
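A host-side check that goes with the mitigation scenarios and the SMT choice above, added here as an example and not part of Virtuozzo's advisory or tooling: it reads the MDS status line that the MDS-patched Linux kernels expose in sysfs (the strings are those documented in the kernel's Documentation/admin-guide/hw-vuln/mds.rst) and maps it to the advisory's scenarios. The sample status lines in the block are constructed, not captured from a real host; the verdict names and the action texts are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the Virtuozzo advisory: check whether the host
# kernel has the MDS mitigation active and whether SMT still exposes it.
# The status strings are the ones MDS-patched Linux kernels write to
# /sys/devices/system/cpu/vulnerabilities/mds (see the kernel's mds.rst).

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds
SMT_SYSFS=/sys/devices/system/cpu/smt/control

# Map one status line to a short verdict (names chosen for this example):
#   unaffected - CPU is not affected by MDS
#   full       - CPU buffers are cleared and SMT is off: nothing left to sample
#   smt        - buffers are cleared on privilege transitions, but a sibling
#                hyperthread can still sample them while they are in use
#   guest      - running inside a VM; the host's SMT state cannot be seen
#   microcode  - kernel is patched but the CPU microcode is not, so the
#                VERW-based clearing does nothing
#   vulnerable - no mitigation in the running kernel
mds_verdict() {
    case "$1" in
        "Not affected")                                           echo unaffected ;;
        "Mitigation: Clear CPU buffers; SMT disabled")            echo full ;;
        "Mitigation: Clear CPU buffers; SMT vulnerable")          echo smt ;;
        "Mitigation: Clear CPU buffers; SMT Host state unknown")  echo guest ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*) echo microcode ;;
        "Vulnerable"*)                                            echo vulnerable ;;
        *)                                                        echo unknown ;;
    esac
}

# Turn the verdict into the action the advisory's scenarios call for.
mds_action() {
    case "$(mds_verdict "$1")" in
        unaffected|full) echo "nothing to do" ;;
        smt)        echo "ok for containers and trusted VMs; untrusted VMs need SMT off (nosmt)" ;;
        guest)      echo "guest kernel is patched; check the SMT state on the host" ;;
        microcode)  echo "install the CPU microcode (or BIOS) update and reboot" ;;
        vulnerable) echo "install the Virtuozzo kernel update and reboot" ;;
        *)          echo "unrecognised status line, inspect $MDS_SYSFS by hand" ;;
    esac
}

# Live check. A missing sysfs file means the running kernel predates the
# MDS patches, i.e. the advisory's update is not installed or not yet booted.
check_host() {
    if [ ! -r "$MDS_SYSFS" ]; then
        echo "$MDS_SYSFS missing: kernel is unpatched, install the update and reboot"
        return 1
    fi
    status=$(cat "$MDS_SYSFS")
    printf 'mds status : %s\n' "$status"
    printf 'action     : %s\n' "$(mds_action "$status")"
    if [ -r "$SMT_SYSFS" ]; then
        # on/off/forceoff/notsupported; writing "off" here turns SMT off
        # until the next boot, "nosmt" on the kernel command line makes it stick
        printf 'smt/control: %s\n' "$(cat "$SMT_SYSFS")"
    fi
}

# Constructed sample lines (not captured from a real host), one per scenario.
for sample in \
    "Mitigation: Clear CPU buffers; SMT vulnerable" \
    "Mitigation: Clear CPU buffers; SMT disabled" \
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable" \
    "Vulnerable; SMT vulnerable"
do
    printf '%-72s -> %s\n' "$sample" "$(mds_action "$sample")"
done

# Only consult the real host when the patched kernel's sysfs file exists.
if [ -r "$MDS_SYSFS" ]; then
    check_host
fi
```

On a RHEL-style GRUB setup (assumed here for the Virtuozzo 7 host), `grubby --update-kernel=ALL --args="nosmt"` adds the parameter to every kernel entry, which is the persistent form of the second option above; writing `off` to /sys/devices/system/cpu/smt/control disables SMT immediately on kernels that provide that file, but does not survive a reboot.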

Update history

14.05.2019: Initial publication.

16.05.2019: Added the advisory links for Virtuozzo 6 and Virtuozzo containers 4.7 kernel update.

17.05.2019: Added the advisory link for Virtuozzo containers for Windows.

18.05.2019: Added the advisory link for Virtuozzo 7.

20.05.2019: Added the advisory link for Virtuozzo 6 userspace update.

22.05.2019: Added the advisory link for Virtuozzo Infrastructure Platform.
