More side-channel vulnerabilities discovered in Intel CPUs

Infosec teams are moving to assess the potential fall-out of trying to mitigate three new bugs in Intel CPUs after the discovery of the latest speculative execution side-channel vulnerabilities.

Dubbed Foreshadow and Foreshadow-NG (which includes two variants) by the two teams of researchers who discovered them, they are similar to the Spectre and Meltdown side-channel issues revealed earlier this year. However, many point out that the Foreshadow twins might be more serious because the impact CPUs that support Intel Software Guard Extensions, which are supposed to be a memory security feature.

Intel refers to the trio of bugs as L1 Terminal Fault (L1TF) vulnerabilities, because they can result in unauthorized disclosure of information residing in the L1 data cache. Intel notes in its advisory that if exploited Foreshadow/Foreshadow-NG could compromise not only microprocessors but also operating systems, virtualization software, any maker’s CPU with system management mode. “If used for malicious purposes, this class of vulnerability has the potential to improperly infer data values from multiple types of computing devices.”

Affected CPUs are certain models of i3,i5, i7 and Xeon processors.

The good news is Intel was informed in January. Intel released microcode updates earlier in the year, and this week patches for operating systems and hypervisors.  Microsoft, VMware and others also released patches, while other hardware and software suppliers have said either their infrastructure has been updated (for example, Amazon Web Services) or they are working on releasing patches to software or to BIOS updates.  The bad news is infosec teams will have to test them to make sure there are no application impacts.

According to Security Week, Intel says it has not seen any significant performance impact introduced by the available mitigations, either on PCs or data center workloads.

The researchers who discovered these problems created this web page for more information.

The Carnegie-Mellon Computer Emergency Response Team (CERT) describes the three flaws like this:

CVE-2018-3615 – L1 Terminal Fault (L1TF) SGX – also known as Foreshadow or Foreshadow-SGX

Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via side-channel analysis. An unprivileged attacker can execute transient instructions, and once the processor determines that it should not have speculatively executed them, the changes are discarded and a page fault is issued. After the OS catches the fault, the user-level exception handler is called and the user can measure the secret enclave byte and use this to find the secret index in the CPU cache. 

CVE-2018-3620 – L1 Terminal Fault (L1TF) OS/SMM – also known as Foreshadow-OS

Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and side-channel analysis. When the OS kernel decides to swap virtual memory, it may leave metadata in a page table after unmapping a virtual page that could point to a valid physical address that contains sensitive data. After the kernel clears this data, it produces a terminal fault while dereferencing the unmapped page. Even with the terminal fault, the L1 data cache still sends the unauthorized data on to the transient out-of-order execution in case the metadata present represents a cached physical address. The information that could be read by an attacker can include information from the operating system’s kernel (OS) and the System Management Mode (SMM). 

CVE-2018-3646 – L1 Terminal Fault (L1TF) VMM – also known as Foreshadow-VMM

Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis. Since a guest VM has control over the first address mapping, they can trigger terminal faults that allow them to transiently read any cached physical memory on the system, including memory from other VMs. Unlike L1TF OS/SMM, an attacker exploiting the virtual machine can control physical addresses used to access the L1 cache during transient instructions and even point to guest physical memory.