Three new speculative execution flaws found in Intel CPUs
Three new speculative execution flaws in Intel CPUs were found that impacts Intel's Software Guard Extensions ( SGX ) technology, its OS and system management mode ( SMM ) and hypervisor software. The three vulnerabilities found could allow attacks on Intel Core and Xeon processors, like the Spectre and Meltdown flaws discovered earlier in January, it could allow a hacker to steal sensitive information stored inside personal computers or third-party clouds. Two groups of researchers discovered one of the flaws ( CVE-2018-3615 ), which they're calling Foreshadow. Their detailed report found two closely related variants. They're collectively referred to as L1 Terminal Fault flaws.
L1TF is a speculative execution side channel cache timing vulnerability according to Intel. There are three varieties of L1TF that have been identified. Each variety of L1TF could allow unauthorized access to information in the L1 data cache, a small pool of memory within each processor core designed to store information about what the processor core is most likely to do next. These vulnerabilities come from a process called speculative execution in processors. It's used in microprocessors so that memory can read before the addresses of all prior memory writes are known. A hacker with local user access can use side channel analysis to get unauthorized access to information. Other Spectre class flaws have been discovered over the past half year since Spectre and the related Meltdown vulnerability were found, including side-channel variants 1, 2, 3, 3a, and 4. The three vulnerabilities: CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646, are high severity vulnuerabilities. Each attack can be exploited in a different ways to expose information residing in the L1 cache.
CVE-2018-3615, also referred to as Foreshadow, attacks Intel SGX enclaves technologysued by application developers seeking to protect select code and data from disclosure. This allows hackers the ability to steal any data protected via SGX secure memory. CVE-2018-3620 can be used to hack the OS kernel and SMM mode running on Intel processors. This implies that malicious applications may be able to infer the values of data in the operating system memory, or data from other applications. Malicious software running outside of SMM may be able to infer values of data in SMM memory. CVE-2018-3646 enables hackers to attack virtual machines, via virtualization software and Virtual Machine Monitors running on Intel processors. A malicious guest VM could infer the values of data in the VMM's memory.
Similar to Spectre and Meltdown, these vulnerabilities require the hacker to be able to run malicious code on the targeted systems. Therefore, the flaws are not directly exploitable against servers which do not allow the execution of untrusted code. The attacks would have to be sophisticated and require deep technical knowledge and some experience.
Foreshadow only affects Intel processors because SGX is only supported in Intel processors. Researchers have not tested Foreshadow on AMD or ARM processors. AMD stated that its processors are not affected by the new speculative execution attack variants and are are advising customers running AMD EPYC processors in their data centers not to implement Foreshadow related software patches.
Intel released new microcode for many processors affected by L1TF. The microcode modifies some operations to remove data from the L1D during certain privilege transitions. There's a warning, while these microcode updates provide important mitigations during enclave entry and exit, updated microcode by itself is not enough to protect against L1TF. Deploying OS and VMM updates is also required for full protection. Moving forward, L1TF will be addressed by changes in the process of making at the hardware level in future CPUS. According to Intel, these changes begin with the next generation Intel Xeon Scalable processors Cascade Lake, as well as new processors expected to launch later this year.