Microarchitectural Data Sampling Vulnerabilities | Zebra


For more information, please see: 

Zebra is unaware of any active exploits of this vulnerability. However, we recommend concerned customers update software for the two impacted Zebra products to mitigate the risk of exploitation. No additional LifeGuard updates will be made.

Zebra takes security seriously and recommends that customers update to the latest BSP and accept monthly patches to minimize security risks.

Updates will be posted to each device support page as they are released.  

Microarchitectural Data Sampling (MDS) is the name given to a collection of vulnerabilities that could potentially be exploited through the temporary buffers a processor uses to hold data. These vulnerabilities include:

Microarchitectural Store Buffer Data Sampling (MSBDS, CVE-2018-12126), aka Fallout

 

Microarchitectural Load Port Data Sampling (MLPDS, CVE-2018-12127), aka Rogue In-Flight Data Load (RIDL)

Microarchitectural Fill Buffer Data Sampling (MFBDS, CVE-2018-12130), aka Zombieload (and RIDL)

Microarchitectural Data Sampling Uncacheable Memory (MDSUM, CVE-2018-11091)

Intel's Security Software Guidance indicates speculative execution side channel methods can be used to expose data:  

MDS may allow a malicious user who can locally execute code on a system to infer the values of protected data otherwise protected by architectural mechanisms. Although it may be difficult to target particular data on a system using these methods, malicious actors may be able to infer protected data by collecting and analyzing large amounts of data.

Zebra encourages customers to develop and maintain a regular software maintenance program. Zebra is actively working with operating system and processor vendors to provide remediation in a timely manner.

There are no reports of any successful reproduction of these vulnerabilities leading to a security issue on Intel-based Android devices.

Affected Zebra Products

These vulnerabilities potentially impact only Zebra tablets and one vehicle-mounted mobile computer (VC80x). No other Zebra products are affected.

The following products will require updates as a result of these vulnerabilities: 

Disclaimer: Zebra makes every attempt to release security updates on or about the time that Google releases its respective security bulletin. However, delivery time of security updates may vary depending on the region, product model, and third party software suppliers. Under some circumstances, the OS must be updated to the latest maintenance release prior to installing the security updates. Individual product updates will provide specific guidance.

Unless otherwise noted, there have been no reports of active customer exploitation or abuse from these newly reported issues.


