Intel processors are vulnerable to a speculative execution side-channel attack called L1 Terminal Fault (L1TF)
Vulnerability Note VU#982149
Original Release Date: 2018-08-15 | Last Revised: 2018-09-10
Overview
Intel processors are vulnerable to one or more L1 data cache information disclosure and terminal fault attacks via a speculative execution side channel. These attacks are known as L1 Terminal Fault: SGX, L1 Terminal Fault: OS/SMM, and L1 Terminal Fault: VMM.
Description
Speculative execution is a technique used by many modern processors to improve performance by predicting which instructions may be executed based on past execution history. When a program attempts to access data in memory, the logical memory address is translated to a physical address by the hardware. Accessing a logical or linear address that is not mapped to a physical location on the hardware will result in a terminal fault. Once the fault is triggered, there is a gap before resolution where the processor will use speculative execution to try to load data. During this time, the processor could speculatively access the level 1 data cache, potentially allowing side-channel methods to infer information that would otherwise be protected. More information about L1 terminal fault can be found here.
CWE-208: Information Exposure Through Timing Discrepancy
CVE-2018-3615 - L1 Terminal Fault (L1TF) SGX - also known as Foreshadow or Foreshadow-SGX
Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via side-channel analysis. An unprivileged attacker can execute transient instructions, and once the processor determines that it should not have speculatively executed them, the changes are discarded and a page fault is issued. After the OS catches the fault, the user-level exception handler is called and the user can measure the secret enclave byte and use this to find the secret index in the CPU cache.
CVE-2018-3620 - L1 Terminal Fault (L1TF) OS/SMM - also known as Foreshadow-OS
Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and side-channel analysis. When the OS kernel decides to swap virtual memory, it may leave metadata in a page table after unmapping a virtual page that could point to a valid physical address that contains sensitive data. After the kernel clears this data, it produces a terminal fault while dereferencing the unmapped page. Even with the terminal fault, the L1 data cache still sends the unauthorized data on to the transient out-of-order execution in case the metadata present represents a cached physical address. The information that could be read by an attacker can include information from the operating system's kernel (OS) and the System Management Mode (SMM).
CVE-2018-3646 - L1 Terminal Fault (L1TF) VMM - also known as Foreshadow-VMM
Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis. Since a guest VM has control over the first address mapping, they can trigger terminal faults that allow them to transiently read any cached physical memory on the system, including memory from other VMs. Unlike L1TF OS/SMM, an attacker exploiting the virtual machine can control physical addresses used to access the L1 cache during transient instructions and even point to guest physical memory.
Impact
An attacker with the ability to execute arbitrary code, with or without root privileges, can infer the contents of operating system, application, or SMM memory (CVE-2018-3620), secure SGX enclave memory (CVE-2018-3615), or memory used by virtual machines on the same host as the attacker (CVE-2018-3646).
Only some Intel processors are affected by these vulnerabilities. Please see INTEL-SA-00161 for details.
Solution
Apply BIOS and OS updates
Only some Intel processors are impacted by CVE-2018-3615, as older ones are not SGX capable. Please see the full list of affected products here.
Mitigating all three vulnerabilities requires microcode updates provided by Intel and are typically delivered by OEM vendors through BIOS updates. The status of available microcode can be found here.
Mitigating CVE-2018-3620 (OS/SMM) requires updates to operating system software.
Mitigating CVE-2018-3646 (VMM) requires updates to operating system and virtualization software.
Disable Hyper-threading
CVE-2018-3646 (VMM) can also be mitigated by disabling hyper-threading. If microcode, BIOS, OS, and virtualization software has been updated on both hosts and guests, it is not necessary to disable hyper-threading.
Perform TCB Recovery
Out of concern that an attacker could have compromised secret SGX keys using CVE-2018-3615, consider re-keying trusted computing base and SGX applications. This can be achieved by updating the BIOS and receiving an update from the application’s support team.
Security researchers have identified a speculative execution side-channel method called L1 Terminal Fault (L1TF). This method impacts select microprocessor products supporting Intel® Software Guard Extensions (Intel® SGX). Further investigation by Intel has identified two related applications of L1TF with the potential to impact additional microprocessors, operating systems, system management mode, and virtualization software. If used for malicious purposes, this class of vulnerability has the potential to improperly infer data values from multiple types of computing devices. Intel is committed to product and customer security and to coordinated disclosure. We worked closely with other technology companies, operating system, and hypervisor software vendors, developing an industry-wide approach to mitigate these issues promptly and constructively. For facts about these new exploits, technical resources, and steps you can take to help protect systems and information please visit: https://www.intel.com/securityfirst.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Credit goes to the following researchers for L1TF SGX: Jo Van Bulck of imec-DistriNet, KU Leuven, Marina Minkin of Technion, Ofir Weisse, Daniel Genkin, and Baris Kasikci of the University of Michigan, Frank Piessens of imec-DistriNet, KU Leuven, Mark Silberstein of Technion, Thomas F. Wenisch of the University of Michigan, Yuval Yarom of University of Adelaide and Data61, and Raoul Strackx of imec-DistriNet, KU Leuven.
L1TF OS/SMM and L1TF VMM were found internally by Intel researchers after expanding on the research of L1TF SGX.