The discoveries of the last few years concerning speculative execution have not been kind to Intel. The discovery of the Spectre and Meltdown vulnerabilities was just the beginning, with even more vulnerabilities identified since then, including SPOILER, Foreshadow, SwapGS, ZombieLoad, RIDL, and Fallout. A new vulnerability was added to that list yesterday.
The researchers have named this vulnerability “CacheOut” after the exploit’s ability to evict targeted data from the CPU’s cache memory. The landing page describes what sets this vulnerability apart:
[U]nlike previous MDS issues, we show in our work how an attacker can exploit the CPU’s caching mechanisms to select what data to leak, as opposed to waiting for the data to be available.
The paper (PDF), written by Stephan van Schaik, Marina Minkin, Andrew Kwong, Daniel Genkin, and Yuval Yarom, provides the above schematic overview and explains the exploit as follows:
At a high level, CacheOut forces contention on the L1-D cache to evict the data it targets from the cache. We describe two variants. First, in the case that the cache contains data modified by the victim, the contents of the cache line transits through the LFBs while being written to memory. Second, when the attacker wishes to leak data that the victim does not modify, the attacker first evicts the data from the cache, and then obtains it when it transits through the line fill buffers to satisfy a concurrent victim read.
CacheOut appears in the Common Vulnerabilities and Exposures system and National Vulnerability Database as CVE-2020-0549. Intel has given the vulnerability the title “L1D Eviction Sampling (L1Des) Leakage” and a severity rating of “medium” with a CVSS score of 6.5. You can find a full list of affected processors here. According to Intel’s advisory page for the vulnerability,
Intel will release Intel® Processor microcode updates to our customers and partners as part of our regular Intel Platform Update (IPU) process.
Intel recommends that users of affected Intel® Processors check with their system manufacturers and system software vendors and update to the latest microcode update when available.