"Foreshadow" vulnerability in Intel chips exposing L1 cache data to hackers

News by Jay Jay

A new speculative execution vulnerability in modern x86 microprocessors from Intel allows a malicious attacker to gain access to data stored in the L1 data cache of such microprocessors.

A new speculative execution vulnerability has been observed in modern x86 microprocessors from Intel that allows a malicious attacker to gain access to data stored in the L1 data cache of such microprocessors.

An attacker can achieve this by exploiting a speculative tendency in Intel processors which allows them to validate page table entries before completing the necessary validity checks. Such a tendency exists in Intel microprocessors to enable them to yield the most aggressive performance possible in a short period of time.

The said speculative execution vulnerability, termed as L1TF by the security industry and "Foreshadow" by a researcher who disclosed it to security firm Redhat, allows an attacker to carry out two exploits which have now been assigned vulnerability codes CVE-2018-3620 and CVE-2018-3646.

While the former allows an attacker to access L1 data cache of Intel microprocessors by exploiting the premature green-flagging of page table entries, the latter allows the attacker to exploit a hardware performance feature known as "Extended Page Tables" which allows Intel processors to assign the management of page tables to guest virtual machines before internal hypervisors take over.

The L1 data cache in an Intel microprocessor is supposed to be inaccessible to external entities and is normally protected by memory access security controls. It is small in size (32KB) compared to L2 or L3 cache but is considered to be more sensitive as it is closest to the processor functional units that perform the actual calculations within a programme.

Data stored in the L1 cache of Intel processors include copies of data also held in the external main memory chips. It is shared between two peer hyperthreads within an Intel processor core and is thus of great interest to attackers who intend to observe cache activity at all times.

As far as the vulnerability in the "Extended Page Tables" hardware feature is concerned, an attacker can cleverly exploit the fact that this feature assigns the management of page tables to guest virtual machines before the internal hypervisor takes over. This feature was introduced to reduce the 'overhead' caused by repeated assistance from the hypervisor.

According to security firm Redhat who disclosed the said vulnerabilities in x86 microprocessors, "a malicious guest is able to create a "not present" page table entry that will shortcut the normal two stages of translation, resulting in the guest being able to read host hypervisor or other guest physical memory if a copy exists in the L1 data cache".

Those who use systems powered by Intel's x86 microprocessors will have to remain vigilant against the exploitation of the said vulnerabilities either by a malicious user who can access data on the physical system or a malicious guest OS that can access information from other guests or the host.

Commenting on the disclosure of the L1TF vulnerability in Intel processors, Ken Spinner, VP of field engineering at Varonis told SC Magazine UK that since most companies are now managaging hybrid data stores with some of their data on-premises and some in the cloud, this creates an opportunity for hackers to gain access to enterprise data. Therefore, enterprise owners should never assume that their data is safe in the cloud and should take the necessary precautions to prevent the exfiltration of data.

"Cloud providers of virtual servers are more susceptible than on-premises networks in this instance because that's the most likely place you'd have one physical server housing dozens of virtual machines run by different companies. If the vulnerability could be successfully exploited, attackers could hit the jackpot," he added.

Jeff Ready, CEO of Scale Computing also told SC Magazine UK that the design flaw in Intel chips has left windows and Linux systems vulnerable as any device or services connected to the chips is essentially left at risk.

"The main focus is working in real time to identify the issues and look at what needs to be patched. Performance impacts will be seen across the industry. Systems that utilise software-defined storage via a mid-layer filesystem will likely experience the most impact. Many software-defined storage solutions, which use a mid-layer filesystem will likely have a much larger performance impact as a result of these fixes. After the patches and fixes roll out, we will be able to see the true extent of the impact," he added.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews