Foreshadow: New Speculative Execution Flaws Found in Intel CPUs
Researchers and several major tech companies on Tuesday disclosed the details of three new speculative execution side-channel vulnerabilities affecting Intel processors.
The flaws, tracked as Foreshadow and L1 Terminal Fault (L1TF), were discovered independently by two research teams, who reported their findings to Intel in January, shortly after the existence of the notorious Spectre and Meltdown vulnerabilities was made public.
There are three Foreshadow vulnerabilities:
- CVE-2018-3615, which impacts Intel’s Software Guard Extensions (SGX)
- CVE-2018-3620, which impacts operating systems and System Management Mode (SMM)
- CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMM).
“Each variety of L1TF could potentially allow unauthorized disclosure of information residing in the L1 data cache, a small pool of memory within each processor core designed to store information about what the processor core is most likely to do next,” Intel said.
Researchers initially discovered the SGX vulnerability and Intel identified the two other issues while analyzing the cause of Foreshadow.
“While it was previously believed that SGX is resilient to speculative execution attacks (such as Meltdown and Spectre), Foreshadow demonstrates how speculative execution can be exploited for reading the contents of SGX-protected memory as well as extracting the machine’s private attestation key. Making things worse, due to SGX’s privacy features, an attestation report cannot be linked to the identity of its signer. Thus, it only takes a single compromised SGX machine to erode trust in the entire SGX ecosystem,” researchers said.
“[Foreshadow-NG] attacks can potentially be used to read any information residing in the L1 cache, including information belonging to the System Management Mode (SMM), the Operating System’s Kernel, or Hypervisor. Perhaps most devastating, Foreshadow-NG might also be used to read information stored in other virtual machines running on the same third-party cloud, presenting a risk to cloud infrastructure. Finally, in some cases, Foreshadow-NG might bypass previous mitigations against speculative execution attacks, including countermeasures to Meltdown and Spectre,” they explained.
The security holes impact Intel’s Core and Xeon processors. According to the company, the patches released for these vulnerabilities don’t have a significant impact on performance, either on PC clients or data center workloads.
There is no indication that these vulnerabilities have been exploited for malicious purposes. Impacted tech companies have released patches and mitigations, which should prevent attacks when combined with the software and microcode updates released in response to Meltdown and Spectre.
AMD says its products are not impacted by Foreshadow or Foreshadow-NG due to the company’s “hardware paging architecture protections.”
“We are advising customers running AMD EPYC™ processors in their data centers, including in virtualized environments, to not implement Foreshadow-related software mitigations for their AMD platforms,” AMD told SecurityWeek in an emailed statement.
Advisories and blog posts containing technical details on Foreshadow have been published by Microsoft, Cisco, Oracle, VMware, Linux kernel developers, the Xen Project, Red Hat, SUSE and others. The researchers who discovered Foreshadow have also set up a dedicated website where users can get more information.
Videos describing the vulnerabilities are available from the researchers who found Foreshadow and Red Hat: