New “CacheOut” speculative execution vulnerability for Intel CPUs

The discoveries of the last few years concerning speculative execution have not been kind to Intel. The discovery of the Spectre and Meltdown vulnerabilities were just the beginning, with even more vulnerabilities identified since then, including SPOILER, Foreshadow, SwapGS, ZombieLoad, RIDL, and Fallout. A new vulnerability was added to that list yesterday.

The researchers have named this vulnerability “CacheOut” based on the exploitation’s ability to evict targeted data from the CPU’s cache memory. The landing page describes the uniqueness of this vulnerability:

[U]nlike previous MDS issues, we show in our work how an attacker can exploit the CPU’s caching mechanisms to select what data to leak, as opposed to waiting for the data to be available.

The paper (PDF), written by Stephan van Schaik, Marina Minkin, Andrew Kwong, Daniel Genkin, and Yuval Yarom, provides the above schematic overview and explains the exploit as follows:

At a high level, CacheOut forces contention on the L1-D cache to evict the data it targets from the cache. We describe two variants. First, in the case that the cache contains data modified by the victim, the contents of the cache line transits through the LFBs while being written to memory. Second, when the attacker wishes to leak data that the victim does not modify, the attacker first evicts the data from the cache, and then obtains it when it transits through the line fill buffers to satisfy a concurrent victim read.

CacheOut appears in the Common Vulnerabilities and Exposures system and National Vulnerability Database as CVE-2020-0549. Intel has given the vulnerability the title “L1D Eviction Sampling (L1Des) Leakage” and a severity rating of “medium” with a CVSS score of 6.5. You can find a full list of affected processors here. According to Intel’s advisory page for the vulnerability,

Intel will release Intel® Processor microcode updates to our customers and partners as part of our regular Intel Platform Update (IPU) process.

 

Intel recommends that users of affected Intel® Processors check with their system manufacturers and system software vendors and update to the latest microcode update when available.

0 0 votes
Article Rating
Nathan Wasson

Inquiring mind, tech journalist, car enthusiast, gamer.

Subscribe
Notify of
guest

7 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
cegras
cegras
2 years ago
Reply to  chuckula

Ah… the ends justify the means eh? As long as Intel is making money it’s okay. How quickly you swung from your previous stance that Intel has the superior product!

shank15217
shank15217
2 years ago
Reply to  chuckula

Genius comment Chuck, the point is if you were buying equipment today what would you buy? A bug ridden Intel chip or a lesser bug ridden AMD chip? Most people don’t even buy hardware anymore, so now you can put your compute in some data center far away and know that those cloud providers may or may not patch the latest bug before someone comes out with an exploit.

Krogoth
Krogoth
2 years ago
Reply to  DPete27

It is more like white-hats and grey-hats are just bored with trying to exploit stuff on the networking front and are moving onto greener pastures. CPUs haven’t been explored much as a possible attack vector until recent years. I suspect the ubiquity of VMs (trying get into them) on “cloud computing ecology” plays a large part in the recent uptake amount the white-hats and grey-hat crowd. Before that CPU exploitation was limited to having physical access to the system.

wownwow
wownwow
2 years ago

Who cares? With 245 security vulnerabilities, Intel has been pumping $Bs Q after Q, so what does it matter? People seem to be happy with paying more for MORE security vulnerabilities and the FREE patches! But facts are facts! AMD: No partial address, no related security vulnerabilities. Intel: Partial addresses inside, more related security vulnerabilities. AMD: 16 security vulnerabilities. Intel: 245 (including 2 and1 added on 1/27/2020 and 10/2019, respectively) security vulnerabilities, a 15:1 difference in AMD’s favor. The gap is just too large to ignore! About using partial addresses, a cheap design shortcut: People who live on a street… Read more »

zacharyt1122
zacharyt1122
2 years ago
Reply to  DPete27

Believing AMD is not subject to finding a slew of vulnerabilities is like saying go with Mac because Windows has too many viruses. I praise AMD for finally lighting a fire under Intel, but businesses are businesses. They are here to make money. And as of recently Intel is still seeing record profits, so I wouldn’t say the king has fallen off the throne yet.

chuckula
chuckula
2 years ago
Reply to  DPete27

Intel itself is actually finding many of the vulnerabilities in-house and this one is actually just a variant of older issues so it’s not like these are wholly unconnected. As for AMD smugness I’d remember two things: 1. The fallout from all of these supposedly horrible bugs is that Intel is making more money than it ever has after AMD launched all those 7nm products. 2. If you think AMD hardware has no bugs you are deluding yourself since a bunch of bugs have been fond already (including breaking into the trusted execution ARM cores in AMD chips) and that… Read more »

DPete27
DPete27
2 years ago

I sometimes wonder if AMD is sponsoring this vulnerability research. Between this and Intel’s inability to transition to a new process node OR revamp it’s architecture in any meaningful way in the past 5 years. The past couple years will go down in the history books as the fastest a king has ever fallen off their throne.

7
0
Would love your thoughts, please comment.x
()
x

Pin It on Pinterest

Share This

Share this post with your friends!