While PC makers are still deploying security patches to fix the deadly Spectre and Meltdown vulnerabilities in Intel, AMD and other branded chips in computers, a new flaw, 'Foreshadow', with similar traits and possibly a more damaging impact has been found in the latest Intel-powered smart devices.
Like Spectre and Meltdown, Foreshadow abuses the processor's speculative execution to read privileged memory, such as passwords, encryption keys and other sensitive information, including kernel memory, from a less-privileged user process such as a malicious app running on the device.
For those unaware, speculative execution is a technique most modern processors (CPUs) use to improve performance. Rather than wait, the CPU predicts which path of a branch is most likely to be taken and speculatively continues executing down that path before the branch condition has actually been resolved. If the prediction turns out to be wrong, the speculative work is rolled back in a way that is intended to be invisible to software.
What makes Foreshadow more dangerous than Spectre and Meltdown is that it can bypass Intel's most secure feature, Software Guard Extensions (SGX), which was introduced with Skylake processors. SGX creates a well-protected enclave in which important code is executed and sensitive information is stored. Even when the rest of the computer is compromised, SGX is supposed to protect the data inside the enclave. However, researchers have found that SGX, too, is vulnerable and can be breached by attackers using the Foreshadow vulnerability.
Intel has acknowledged the existence of the Foreshadow vulnerability in its chipsets. The company calls it 'L1 Terminal Fault' (L1TF) and has found that the flaw can be exploited in the three environments listed below.
- L1 Terminal Fault-SGX (CVE-2018-3615): Systems with microprocessors utilizing speculative execution and Intel SGX may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via side-channel analysis.
- L1 Terminal Fault-OS/SMM (CVE-2018-3620): Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and side-channel analysis.
- L1 Terminal Fault-VMM (CVE-2018-3646): Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and side-channel analysis.
The company has also released new microcode for many of the processors affected by L1TF. The microcode modifies some operations so that data is implicitly removed from the L1 data cache (L1D) during certain privileged transitions. It also gives software a way to flush the L1D explicitly, by writing 1 to bit 0 of a new model-specific register, IA32_FLUSH_CMD (MSR 0x10B).
"L1 Terminal Fault is addressed by microcode updates released earlier this year, coupled with corresponding updates to operating system and hypervisor software that are available starting today (15 August)," an Intel spokesperson told International Business Times, India Edition.
Intel has urged system manufacturers and system-software vendors to distribute these microcode changes via BIOS updates.
However, while these microcode updates provide important mitigation during enclave entry and exit, updated microcode by itself is not sufficient to protect against L1TF; deploying OS and VMM updates is also required to mitigate L1TF, the company said.
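The practical consequence of the last two paragraphs is that an administrator needs to check two things separately: whether the microcode's L1D flush capability is present, and whether the operating system is actually applying an L1TF mitigation. The script below is an added example, not Intel's or the article's code; it assumes a Linux host that exposes the L1TF status in /sys/devices/system/cpu/vulnerabilities/l1tf and advertises the IA32_FLUSH_CMD capability as the `flush_l1d` flag in /proc/cpuinfo, and the sample inputs are constructed in the kernel's typical formats, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the article): separate "microcode present but OS
# not updated" from "fully mitigated" using what Linux exposes.
# Assumptions: sysfs file /sys/devices/system/cpu/vulnerabilities/l1tf and
# the flush_l1d flag in /proc/cpuinfo (set when microcode offers IA32_FLUSH_CMD).

# l1tf_assess <cpuinfo flags line> <l1tf sysfs text>
# Prints: not-affected | mitigated | mitigated-vmx-vulnerable | microcode-only | unpatched
l1tf_assess() {
    flags="$1"
    status="$2"
    case " $flags " in
        *" flush_l1d "*) has_flush=1 ;;
        *)               has_flush=0 ;;
    esac
    case "$status" in
        "Not affected")
            echo not-affected ;;
        "Mitigation: PTE Inversion"*"VMX: vulnerable"*)
            # Host kernel is protected, but the hypervisor is not flushing
            # the L1D on VM entry (the L1TF-VMM case, CVE-2018-3646).
            echo mitigated-vmx-vulnerable ;;
        "Mitigation:"*)
            echo mitigated ;;
        *)
            # Kernel still reports "Vulnerable": the microcode capability alone
            # does nothing until the OS/VMM updates are installed.
            if [ "$has_flush" -eq 1 ]; then echo microcode-only; else echo unpatched; fi ;;
    esac
}

# Wrapper for the live system (meaningful only on Linux x86).
l1tf_assess_host() {
    flags=$(grep '^flags' /proc/cpuinfo 2>/dev/null | head -n 1 | cut -d: -f2)
    status=$(cat /sys/devices/system/cpu/vulnerabilities/l1tf 2>/dev/null || true)
    l1tf_assess "$flags" "$status"
}

# Constructed sample inputs (not from a real host): with and without the flag.
SAMPLE_FLAGS_NEW="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov flush_l1d ssbd"
SAMPLE_FLAGS_OLD="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov"
```

Run `l1tf_assess_host` on a fleet host; a result of `microcode-only` is exactly the state the article warns about, where the BIOS update landed but the OS and hypervisor patches did not.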