Tuesday, January 28th 2020
CacheOut is the Latest Speculative Execution Attack for Intel Processors
Another day, another speculative execution vulnerability found inside Intel processors. This time it is a new vulnerability called "CacheOut", named after the exploit's ability to leak data stored in the CPU's cache memory. Tracked as CVE-2020-0549, "L1D Eviction Sampling (L1Des) Leakage", in the CVE identifier system, it is rated with a CVSS score of 6.5. Although Intel has already patched many similar flaws in its CPUs, the CacheOut attack still works.
CacheOut steals data from the CPU's L1 cache, and it does so selectively: instead of waiting for the data to become available, the exploit can choose which data it wants to leak. The "benefit" of this exploit is that it can violate almost every hardware-based security domain, meaning that the kernel, co-resident VMs, and SGX (Software Guard Extensions) enclaves are all at risk. To mitigate the issue, Intel provided a microcode update to address the shortcomings of the architecture and recommended possible mitigations to all OS providers, so you will be protected once your OS maker releases a new update. For a full list of processors affected, you can see this list. Additionally, it is worth pointing out that AMD CPUs are not affected by this exploit.
Source:
CacheOut
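For administrators who want to see where a Linux host stands on the mitigations discussed on this page (Intel's microcode update, and disabling TSX as raised in the comments), the following is an added example, not code from the article or from the CacheOut researchers. It assumes a Linux system; the function names and the sample input are constructed for illustration, and the script reports configuration only, it does not test for leakage.

```python
from pathlib import Path
from typing import Optional

# Standard Linux locations; the TAA sysfs entry exists only on kernels with TAA reporting.
CPUINFO = Path("/proc/cpuinfo")
TAA_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/tsx_async_abort")


def cpu_facts(cpuinfo: str) -> dict:
    """Pull vendor, microcode revision and TSX flags from /proc/cpuinfo text."""
    facts = {"vendor": None, "microcode": None, "tsx_flags": set()}
    for line in cpuinfo.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            continue
        if key == "vendor_id" and facts["vendor"] is None:
            facts["vendor"] = value
        elif key == "microcode" and facts["microcode"] is None:
            facts["microcode"] = value
        elif key == "flags":
            # rtm/hle are the TSX feature flags; the kernel hides them when TSX is disabled
            facts["tsx_flags"] |= {"rtm", "hle"} & set(value.split())
    return facts


def tsx_exposure(cpuinfo: str, taa_status: Optional[str]) -> dict:
    """Summarise TSX state, microcode revision and the kernel's TAA status line."""
    facts = cpu_facts(cpuinfo)
    taa = (taa_status or "").strip() or "unknown (no sysfs entry)"
    if facts["vendor"] != "GenuineIntel":
        verdict = "not-intel"        # the page only discusses Intel parts
    elif facts["tsx_flags"]:
        verdict = "tsx-enabled"      # TSX is usable by software on this host
    else:
        verdict = "tsx-not-exposed"  # CPU lacks TSX or it has been disabled
    return {"verdict": verdict, "microcode": facts["microcode"], "taa": taa}


def read_host() -> dict:
    """Run the check against the local machine."""
    taa = TAA_SYSFS.read_text() if TAA_SYSFS.exists() else None
    return tsx_exposure(CPUINFO.read_text(), taa)


# Constructed sample input (not captured from a real host).
SAMPLE = "vendor_id\t: GenuineIntel\nmicrocode\t: 0xca\nflags\t\t: fpu sse2 hle avx2 rtm\n"

if __name__ == "__main__":
    print(tsx_exposure(SAMPLE, "Vulnerable: Clear CPU buffers attempted, no microcode"))
```

Compare the reported microcode revision against the one listed in Intel's advisory for your processor; the page does not give that value.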
77 Comments on CacheOut is the Latest Speculative Execution Attack for Intel Processors
This will affect any Intel CPU Skylake/Cascade Lake onward. Broadwell and earlier are safe.
Additionally, the following specifically states that physical admin access (authenticated local access) is required:
blogs.intel.com/technology/2020/01/ipas-intel-sa-00329/
An attack to exploit this vulnerability cannot be rendered remotely, i.e. through a network share or web browser.
Do we have any idea what microcode addresses this on say, 9900k? Looking into this now, I guess.
EDIT: blog says it all. The microcode isn't done yet. The article is misleading.
Come on Intel, you can do better.
We would like to thank Intel for working with us during the responsible disclosure.
This research was supported by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory (AFRL) under contract FA8750-19-C0531, by an Australian Research Council Discovery Early Career Researcher Award (project number DE200101577), and by generous gifts from Intel and AMD.
The way this is worded doesn't seem like it is a paid bug bounty (because then why does it say Intel and AMD, if AMD CPUs are not affected?), but rather some sort of a research grant to push the boundaries of security.
This shows AMD and Intel are taking this research seriously to improve security.
The more interesting part of it is that Intel actually still keeps selling leaky architecture to us, I mean Cascade Lake isn't exactly ancient. Gotta keep that money rollin' ey
But... they're taking it seriously :roll::roll::roll: Business as usual and made a record year... guess what. The memo we gave them since those leaks is that we also really don't give a shit and buy Intel regardless. We're helpless really.
Which I wouldn't care about at all, but every one of them brings a microcode and/or Windows patch which more often than not decreases performance. Half percent here, half percent there, add everything up and suddenly my CPU is no longer performing at 100%. And I paid good money for a 100% performing CPU.
- They do seem to mount an attack from unprivileged users.
- HT helps the attack but it works without HT as well.
- They recommend turning off TSX as that is effective against CacheOut.
Edit:
OK, it seems that TAA is an integral step in CacheOut, so they are attacking a different target but still using TAA to get the data out. Makes sense that disabling TSX would work against this.
The overwhelming majority of these don't really affect most home users in the first place (and then most are elevated access, no?). I guess some would call it perspective...
Nice crack at flamebait, though...
EDIT: Meanwhile, I will continue to patch and be 'safer' all the while not noticing (outside of benchmarks) the few % this is slower in some tasks.
I own both Intel and AMD platforms. I take no solace in the notion that AMD is somehow inherently more secure. The Intel architecture has been around longer and has been prevalent. So the cracks are showing. In due time we may start to see more of the same with AMD.
I mean, I hope not, but you never know...