The Required Kernel Upgrade
I SPOKE TO WES at sister mag PCGamer via Twitter about a month ago. He asked if he should update the kernel on his home server. I said that for most people, running the kernel that comes with your distro (with regular updates) is generally fine.
In the light of Zombieload, however, I’d caution users to really look at what kernel they’re running, and upgrade or change it if necessary. The name sounds like the title out of a bad horror movie, but once you figure out what it can do, it feels scary as hell to know such a thing was even possible.
First things first: If you haven’t updated your kernel on your Linux machines yet, go do so right now. At time of writing, the 4.9, 4.14, 4.19, 5.0, and 5.1 branches of Linux kernel have been updated with patches and backports to mitigate risk from the Zombieload vulnerability. If you are not on one of those branches, I recommend switching to a currently developed kernel, or check your distribution for any backports they may have coming down the pipe.
If you’re wondering if you should be scared, the answer is “probably yes.” Zombieload is a hell of an exploit, because it doesn’t have anything to do with the kernels of Windows, Linux, or MacOS, but rather with the architecture of Intel’s CPUs, and how Hyper-Threading is implemented. And it affects every Intel CPU made since 2011. (Somewhere on the Internet, a forum full of Team Red fans is bathing in the warm glow of Schadenfreude.)
Basically, Hyper-Threading CPUs find speedups by executing multiple branches of code in advance of the actual branch evaluation. If that doesn’t make sense, just imagine that it’s your friend’s birthday, and you want to bake them a cake. You know that they will either want devil’s food or angel’s food cake, but you’ll have to wait a half an hour until they get off work before they can tell you what they want. So, being the intrepid and loving friend you are, you bake both, and simply throw out the one that isn’t needed after your friend calls. This process is called speculative execution, and it’s part of why Intel Hyper-Threading CPUs are so heckin’ fast. It’s also their Achilles heel.
What Zombieload does is look at the cache that stores the results of the speculative execution results, and uses that information to read keystrokes, screens, or really just about everything. This should really worry multitenant systems and providers that offer virtual machines in the cloud, because code that uses the Zombieload exploit could be used to see anything that’s running on the same physical machine, even if it’s walled behind another VM.
The upshot to this is that for many personal-use Linux PCs, it is relatively unlikely that you’ll run such code, so long as you stick to trusted and signed packages from your distribution’s software repository. However, if you’re running an untrusted tool you find in a link on a website or a random git repo, you could be at risk. While Linux is generally more secure than Windows, exploits like Zombieload are a great example of why you shouldn’t just run any script you find on the Internet. If you don’t understand what a script’s or program’s code does, keep your software search within the confines of your distro’s repository. (TLC’s “Waterfalls” comes to mind.)
And again, if you haven’t thought about upgrading your kernel in a while, now is the time to do it. If you’re on a kernel that isn’t getting a backported patch, you need to switch to a supported kernel pronto. If you’re unsure about what kernel you’re using, you can check it with the console command
uname -r . As of time of writing, the current patched versions of the Linux kernel are 4.9.176, 4.14.119, 4.19.43, 5.0.16, and 5.1.2. Alex Campbell is a Linux geek who enjoys learning about computer security.
Zombieload is an example of why you shouldn’t just run any script you find on the Internet.