Intel on Monday informed customers that researchers have identified yet another speculative execution attack method that can be launched against systems that use its processors.
The disclosure of the Meltdown and Spectre vulnerabilities back in January 2018 paved the way for the discovery of several speculative execution side-channel attack methods impacting modern processors. While some attacks have impacted CPUs from other vendors as well, Intel chips seem to be the most affected.
In May 2019, researchers disclosed the existence of new attack methods that rely on Microarchitectural Data Sampling (MDS) vulnerabilities. These attacks, dubbed ZombieLoad, RIDL and Fallout, can allow malicious applications to obtain potentially sensitive information from applications, the operating system, virtual machines and trusted execution environments. Exposed data can include passwords, website content, encryption keys and browser history.
When the MDS flaws were disclosed, researchers said they impacted Intel processors made in the past decade, except for some newer models. However, in November 2019, experts revealed a new method, dubbed ZombieLoad Variant 2, that also worked against processors containing hardware mitigations for MDS attacks, including Intel Xeon Gold and Core i9 processors.
Researchers have now disclosed yet another MDS attack, which has been dubbed CacheOut and L1D Eviction Sampling (L1DES). The underlying vulnerability was independently discovered by the VUSec group at VU Amsterdam and a team from the TU Graz and KU Leuven universities. A researcher from the University of Michigan was affiliated with VU Amsterdam at one point during the research and the University of Michigan has also published a separate research paper following an analysis conducted in collaboration with a researcher at the University of Adelaide in Australia.
According to researchers at the University of Michigan, which have dubbed the vulnerability CacheOut, this attack can bypass the hardware protections in many Intel CPUs and allows the attacker to select what data they want to leak rather than waiting for the data to be available.
Intel, which tracks the vulnerability as CVE-2020-0549 and assigned it a CVSS score of 6.5, refers to it as L1D Eviction Sampling, as it allows an attacker to read from the CPU’s L1 Data Cache.
The company says it’s working on microcode updates that should address the issue. In the meantime, researchers have proposed various measures that should prevent attacks, including disabling hyper-threading, flushing the L1 cache, and disabling the TSX feature.
It’s worth noting that CacheOut/L1DES attacks require local access to the targeted system and attacks from a web browser are not possible.
University of Michigan researchers noted that some Intel processors released after the fourth quarter of 2018 may not be impacted as Intel inadvertently introduced some partial mitigations with the microcode updates designed to address ZombieLoad Variant 2.
Processors made by AMD are not impacted and the researchers said they have yet to determine if CacheOut attacks can be launched against chips from Arm and IBM.
VUSec researchers, who have described L1DES as a new variant of the RIDL attack, have also disclosed a second vulnerability, which they and Intel track as Vector Register Sampling (VRS). This flaw, Intel says, is less severe as the attack complexity is high and the chances of an attacker obtaining relevant data are low. VRS is also considered a new variant of the RIDL attack.