Foreshadow: While the chaos for the horrifying Spectre and Meltdown is still going, researchers discover another vulnerability in Intel CPUs that is even more robust. Two different groups of researchers discovered the vulnerability named “Foreshadow” and reported it to Intel. Upon further investigations, Intel found two more related flaws, which the researchers termed as “Foreshadow-NG”.
These vulnerabilities trigger speculative side-channel attacks, specifically targeting the Intel processors. Exploitation of these vulnerabilities by an attacker could allow him to steal the data stored in the victim’s computer, as well as third-party cloud systems.
Let’s take a look on this new side-channel vulnerability.
Foreshadow – Triggering Speculative Execution Side-Channel Attacks
In January, two different teams of researchers discovered a side-channel vulnerability in Intel CPUs. Independently, both the teams reported about it to Intel, after which Intel began further investigations and rolled out patches.
The researchers have termed the vulnerability as “Foreshadow”. Reportedly, Foreshadow resembles Spectre and Meltdown in nature. However, it is more robust to bypass the security measures employed against Meltdown and Spectre.
The key feature of Foreshadow is its ability to target Intel’s Software Guard Extensions (SGX) – a component previously insusceptible to Spectre and Meltdown flaws. SGX is a dedicated component in the latest Intel CPUs that holds and protects users’ data even under adverse attack situations. The previously discovered infamous side-channel vulnerabilities, Spectre and Meltdown could not target this component.
While explaining what Foreshadow could do, the researchers explained that an attacker could exploit the flaw to read the contents stored in SGX. They could even extract the device’s private attestation key.
The vulnerability (CVE-2018-3615) has been identified by Intel as L1 Terminal Fault: SGX. It has achieved a base score of 7.9 making it categorized under ‘High’ severity level. Intel has given the following description for this flaw.
Scan your Web Site and Network
“Systems with microprocessors utilizing speculative execution and Intel® software guard extensions (Intel® SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.”
Researchers have published their findings in a separate detailed paper. Whereas, much of the information about the vulnerability is also available on a dedicated web link.
Two More Related L1TF Variants Discovered by Intel
After receiving the reports about Foreshadow, Intel began with its investigations regarding the side-channel speculative execution flaws. Interestingly, they discovered two more related glitches that are equally robust but have slightly different targets. Together, the three vulnerabilities were labelled as L1 Terminal Fault (L1TF). Whereas, the researchers have called the latter two as ‘Foreshadow Next Generation” or “Foreshadow-NG”.
Both the vulnerabilities are also categorized under “High” severity levels, each receiving a base score of 7.1. Among these, the first L1TF variant (CVE-2018-3620), identified as “L1 Terminal Fault: OS/SMM” by Intel, involves the exploitation of a terminal page fault to access the stored data. As described by Intel,
“Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.”
On the other hand, the second L1TF variant, L1 Terminal Fault: VMM (CVE-2018-3646), gives an attacker the guest user privilege to attack a virtual machine. Intel explains it in the following way.
“Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis.”
Summing up both the variants, these vulnerabilities target other system components apart from the CPU-SGX. These vulnerabilities are directed towards reading the data stored in the L1 data cache. This data includes information about the System Management Mode (SMM) memory, System Kernel Memory (OS), Hypervisors (VMM), and Virtual Machines (VMs). Foreshadow-NG may prove to be even more dangerous as it can exploit a VM running on a third-party cloud to take over the entire cloud infrastructure. This is because it blurs the inter-VM boundaries on a cloud system and accesses the data stored in VMs. Such vulnerabilities pose threat to giant cloud systems, such as Amazon’s AWS and Microsoft Azure.
Fortunately, these L1TF vulnerabilities have not been exploited yet. However, Intel confirms that L1TF could affect all SGX-enabled processors, such as the Skylake and Kaby Lake. Allegedly, Intel is working out to release patches to mitigate these vulnerabilities.
Scan your Web Site and Network