Foreshadow Attacks — 3 New Intel CPU Side-Channel Flaws Discovered
2018 has been quite a tough year for Intel.
While the chip-maker giant is still dealing with Meltdown and Spectre processor vulnerabilities, yet another major speculative execution flaw has been revealed in Intel’s Core and Xeon lines of processors that may leave users vulnerable to cyber-attacks.
Dubbed Foreshadow, alternatively called L1 Terminal Fault or L1TF, the new attacks include three new speculative execution side-channel vulnerabilities affecting Intel processors.
The Foreshadow attacks could allow a hacker or malicious application to gain access to the sensitive data stored in a computer’s memory or third-party clouds, including files, encryption keys, pictures, or passwords.
The three Foreshadow vulnerabilities have been categorized into two variants:
Foreshadow (PDF) targets a new technology originally been designed to protect select code and users’ data from disclosure or modification, even if the entire system falls under attack:
- Intel Software Guard Extensions (SGX) — CVE-2018-3615
The new attack against SGX enclaves, which is resilient to Meltdown and Spectre attacks, may allow an unauthorized attacker to steal information residing in the L1 data cache—a protected portion of a chip’s core memory that holds things like passwords and encryption keys—via side-channel analysis.
“Foreshadow enables an attacker to extract SGX sealing keys, previously sealed data can be modified and re-sealed,” the researchers said. “With the extracted sealing key, an attacker can trivially calculate a valid Message Authentication Code (MAC), thus depriving the data owner from the ability to detect the modification.”
2.) Foreshadow: Next Generation (NG)
The second variant (PDF) includes two vulnerabilities, which target virtualization environments being used by large cloud computing providers like Amazon and Microsoft:
- Operating systems and System Management Mode (SMM) — CVE-2018-3620
- Virtualization software and Virtual Machine Monitors (VMM) — CVE-2018-3646
These flaws also disclose sensitive information residing in the L1 data cache, including the information stored in other virtual machines running on the same third-party cloud, with local user access or guest OS privilege via a terminal page fault and side-channel analysis.
“Using Foreshadow-NG, a malicious program running on the computer might be able to read some parts of the kernel’s data,” the researchers said. “As the kernel has access to data stored by other programs, a malicious program might be able to exploit Foreshadow-NG to access data belonging to other programs.”
Intel and Partners Releases Patches for Foreshadow Flaws
Since the mitigations available for Meltdown and Spectre are not sufficient to patch above mentioned-Foreshadow vulnerabilities, Intel and partners need to roll out new security patches at both software and microcode level.
“Foreshadow is different from Meltdown as it targets virtual machines and SGX in addition to data stored in the operating system’s kernel (which was targeted by Meltdown),” the researchers said.
You can see video demonstrations illustrating the Foreshadow vulnerabilities as well.
Since SGX is only supported in Intel processors, the Foreshadow bugs only affect Intel processors, though researchers have yet to test Foreshadow against ARM and AMD processors.
According to Intel, none of these attacks so far appear to have been seen in the wild, and the company has started releasing patches for all the new speculative execution flaws.