UNDER ATTACK?

Foreshadow – Intel CPUs Affected By L1TF Vulnerabilities

Foreshadow: While the chaos for the horrifying Spectre and Meltdown is still going, researchers discover another vulnerability in Intel CPUs that is even more robust. Two different groups of researchers discovered the vulnerability named “Foreshadow” and reported it to Intel. Upon further investigations, Intel found two more related flaws, which the researchers termed as “Foreshadow-NG”.

These vulnerabilities trigger speculative side-channel attacks, specifically targeting the Intel processors. Exploitation of these vulnerabilities by an attacker could allow him to steal the data stored in the victim’s computer, as well as third-party cloud systems.

Let’s take a look on this new side-channel vulnerability.

Foreshadow – Triggering Speculative Execution Side-Channel Attacks

In January, two different teams of researchers discovered a side-channel vulnerability in Intel CPUs. Independently, both the teams reported about it to Intel, after which Intel began further investigations and rolled out patches.

The researchers have termed the vulnerability as “Foreshadow”. Reportedly, Foreshadow resembles Spectre and Meltdown in nature. However, it is more robust to bypass the security measures employed against Meltdown and Spectre.

The key feature of Foreshadow is its ability to target Intel’s Software Guard Extensions (SGX) – a component previously insusceptible to Spectre and Meltdown flaws. SGX is a dedicated component in the latest Intel CPUs that holds and protects users’ data even under adverse attack situations. The previously discovered infamous side-channel vulnerabilities, Spectre and Meltdown could not target this component.

While explaining what Foreshadow could do, the researchers explained that an attacker could exploit the flaw to read the contents stored in SGX. They could even extract the device’s private attestation key.

The vulnerability (CVE-2018-3615) has been identified by Intel as L1 Terminal Fault: SGX. It has achieved a base score of 7.9 making it categorized under ‘High’ severity level. Intel has given the following description for this flaw.

 

Start your Free Trial
Scan your Web Site and Network

 

 

“Systems with microprocessors utilizing speculative execution and Intel® software guard extensions (Intel® SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.”

Researchers have published their findings in a separate detailed paper. Whereas, much of the information about the vulnerability is also available on a dedicated web link.

Two More Related L1TF Variants Discovered by Intel

After receiving the reports about Foreshadow, Intel began with its investigations regarding the side-channel speculative execution flaws. Interestingly, they discovered two more related glitches that are equally robust but have slightly different targets. Together, the three vulnerabilities were labelled as L1 Terminal Fault (L1TF). Whereas, the researchers have called the latter two as ‘Foreshadow Next Generation” or “Foreshadow-NG”.

Both the vulnerabilities are also categorized under “High” severity levels, each receiving a base score of 7.1. Among these, the first L1TF variant (CVE-2018-3620), identified as “L1 Terminal Fault: OS/SMM” by Intel, involves the exploitation of a terminal page fault to access the stored data. As described by Intel,

“Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.”

On the other hand, the second L1TF variant, L1 Terminal Fault: VMM (CVE-2018-3646), gives an attacker the guest user privilege to attack a virtual machine. Intel explains it in the following way.

“Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis.”

Summing up both the variants, these vulnerabilities target other system components apart from the CPU-SGX. These vulnerabilities are directed towards reading the data stored in the L1 data cache. This data includes information about the System Management Mode (SMM) memory, System Kernel Memory (OS), Hypervisors (VMM), and Virtual Machines (VMs). Foreshadow-NG may prove to be even more dangerous as it can exploit a VM running on a third-party cloud to take over the entire cloud infrastructure. This is because it blurs the inter-VM boundaries on a cloud system and accesses the data stored in VMs. Such vulnerabilities pose threat to giant cloud systems, such as Amazon’s AWS and Microsoft Azure.

Fortunately, these L1TF vulnerabilities have not been exploited yet. However, Intel confirms that L1TF could affect all SGX-enabled processors, such as the Skylake and Kaby Lake. Allegedly, Intel is working out to release patches to mitigate these vulnerabilities.

 

Start your Free Trial
Scan your Web Site and Network

 

 

 

SegmentSmack – A TCP Vulnerability Targeting Linux 4.9
EE Security Vulnerabilities In Their Online Portals
NAVIGATION
TINEXTA CYBER S.P.A.

COMPANY SUBJECT TO MANAGEMENT AND COORDINATION
OF TINEXTA S.P.A.

Registered office Piazza Sallustio 9, 00187 Rome
REA RM–1626691 | VAT number/tax code 15971011000 |
Cap.Soc. €1,000,000

© 2024 | Tinexta Cyber S.p.A.

Cyber Incident Swascan Emergency

Contact us for immediate support

The undersigned, as data subject, DECLARES that I have read and understood the content of the privacy policy pursuant to Article 13, GDPR. AGREE to the processing of data in relation to the sending by the Data Controller of commercial and / or promotional communications relating to (i) own products / services, or (ii) products / services offered by third parties.
The consent given may be revoked at any time by contacting the Data Controller at the addresses provided in the aforementioned privacy policy.