• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

CacheOut is the Latest Speculative Execution Attack for Intel Processors

AleksandarK

News Editor
Staff member
Joined
Aug 19, 2017
Messages
2,651 (0.99/day)
Another day, another speculative execution vulnerability found inside Intel processors. This time we are getting a new vulnerability called "CacheOut", named after the exploitation's ability to leak data stored inside CPU's cache memory. Dubbed CVE-2020-0549: "L1D Eviction Sampling (L1Des) Leakage" in the CVE identifier system, it is rated with a CVSS score of 6.5. Despite Intel patching a lot of similar exploits present on their CPUs, the CacheOut attack still managed to happen.

The CacheOut steals the data from the CPU's L1 cache, and it is doing it selectively. Instead of waiting for the data to become available, the exploit can choose which data it wants to leak. The "benefit" of this exploit is that it can violate almost every hardware-based security domain meaning that the kernel, co-resident VMs, and SGX (Software Guard Extensions) enclaves are in trouble. To mitigate this issue, Intel provided a microcode update to address the shortcomings of the architecture and they recommended possible mitigations to all OS providers, so you will be protected once your OS maker releases a new update. For a full list of processors affected, you can see this list. Additionally, it is worth pointing out that AMD CPUs are not affected by this exploit.


View at TechPowerUp Main Site
 
Joined
Jul 5, 2013
Messages
28,260 (6.75/day)
So the short summery;
This will effect any Intel CPU Skylake/Cascade Lake onward. Broadwell and earlier are safe.

Additionally, the following specifically states that physical admin access(authenticated local access) is required;
An attack to exploit this vulnerability can not be rendered remotely, IE through a network share or web browser.
 
Joined
Aug 20, 2007
Messages
21,541 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
So the short summery;
This will effect any Intel CPU Skylake/Cascade Lake onward. Broadwell and earlier are safe.

Additionally, the following specifically states that physical admin access(authenticated local access) is required;
An attack to exploit this vulnerability can not be rendered remotely, IE through a network share or web browser.

Yep. You'll need to execute local priviledged code for this one. It is possible it could be used in a priveledge escalation attack but I have yet to see an example of that.

Do we have any idea what microcode addresses this on say, 9900k? Looking into this now, I guess.

EDIT: blog says it all. The microcode isn't done yet. The article is misleading.
 

Space Lynx

Astronaut
Joined
Oct 17, 2014
Messages
17,425 (4.69/day)
Location
Kepler-186f
Processor 7800X3D -25 all core
Motherboard B650 Steel Legend
Cooling Frost Commander 140
Video Card(s) Merc 310 7900 XT @3100 core -.75v
Display(s) Agon 27" QD-OLED Glossy 240hz 1440p
Case NZXT H710 (Red/Black)
Audio Device(s) Asgard 2, Modi 3, HD58X
Power Supply Corsair RM850x Gold
Ryzen 4800x is still my upgrade path regardless. /shrug
 
Joined
Aug 20, 2007
Messages
21,541 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
Ryzen 4800x is still my upgrade path regardless. /shrug

AMD is my next upgrade too. I would've went Ryzen on this build but the 9900k is doing well enough for my needs and was quite the steal...
 
Joined
Apr 12, 2013
Messages
1,192 (0.28/day)
Processor 11700
Motherboard TUF z590
Memory G.Skill 32gb 3600mhz
Video Card(s) ROG Vega 56
Case Deepcool
Power Supply RM 850
These vulnerabilitys keep on coming is there no end.
 
Last edited:
Joined
Mar 18, 2008
Messages
5,444 (0.89/day)
Location
Australia
System Name Night Rider | Mini LAN PC | Workhorse
Processor AMD R7 5800X3D | Ryzen 1600X | i7 970
Motherboard MSi AM4 Pro Carbon | GA- | Gigabyte EX58-UD5
Cooling Noctua U9S Twin Fan| Stock Cooler, Copper Core)| Big shairkan B
Memory 2x8GB DDR4 G.Skill Ripjaws 3600MHz| 2x8GB Corsair 3000 | 6x2GB DDR3 1300 Corsair
Video Card(s) MSI AMD 6750XT | 6500XT | MSI RX 580 8GB
Storage 1TB WD Black NVME / 250GB SSD /2TB WD Black | 500GB SSD WD, 2x1TB, 1x750 | WD 500 SSD/Seagate 320
Display(s) LG 27" 1440P| Samsung 20" S20C300L/DELL 15" | 22" DELL/19"DELL
Case LIAN LI PC-18 | Mini ATX Case (custom) | Atrix C4 9001
Audio Device(s) Onboard | Onbaord | Onboard
Power Supply Silverstone 850 | Silverstone Mini 450W | Corsair CX-750
Mouse Coolermaster Pro | Rapoo V900 | Gigabyte 6850X
Keyboard MAX Keyboard Nighthawk X8 | Creative Fatal1ty eluminx | Some POS Logitech
Software Windows 10 Pro 64 | Windows 10 Pro 64 | Windows 7 Pro 64/Windows 10 Home
tenor.gif
 
Joined
Feb 23, 2019
Messages
6,106 (2.87/day)
Location
Poland
Processor Ryzen 7 5800X3D
Motherboard Gigabyte X570 Aorus Elite
Cooling Thermalright Phantom Spirit 120 SE
Memory 2x16 GB Crucial Ballistix 3600 CL16 Rev E @ 3600 CL14
Video Card(s) RTX3080 Ti FE
Storage SX8200 Pro 1 TB, Plextor M6Pro 256 GB, WD Blue 2TB
Display(s) LG 34GN850P-B
Case SilverStone Primera PM01 RGB
Audio Device(s) SoundBlaster G6 | Fidelio X2 | Sennheiser 6XX
Power Supply SeaSonic Focus Plus Gold 750W
Mouse Endgame Gear XM1R
Keyboard Wooting Two HE
Joined
Sep 24, 2008
Messages
2,697 (0.45/day)
System Name Dire Wolf IV
Processor Intel Core i9 14900K
Motherboard Asus ROG STRIX Z790-I GAMING WIFI
Cooling Arctic Liquid Freezer II 280 w/Thermalright Contact Frame
Memory 2x24GB Corsair DDR5 6667
Video Card(s) NVIDIA RTX4080 FE
Storage AORUS Gen4 7300 1TB + Western Digital SN750 500GB
Display(s) Alienware AW3423DWF (QD-OLED, 3440x1440, 165hz)
Case Corsair Airflow 2000D
Power Supply Corsair SF1000L
Mouse Razer Deathadder Essential
Keyboard Chuangquan CQ84
Software Windows 11 Professional
Something interesting to note from the disclosure paper. Intel and AMD have literally paid them to find this:
We would like to thank Intel for working with us during the responsible disclosure.
This research was supported by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory (AFRL) under contract FA8750-19-C0531, by an Australian Research Council Discovery Early Career Researcher Award (project number DE200101577), and by generous gifts from Intel and AMD.


The way this is worded doesn't seem like it is a paid bug bounty (because then why does it say Intel and AMD, if AMD CPUs are not affected?), but rather some sort of a research grant to push the boundaries of security.

This shows AMD and Intel are taking this research seriously to improve security.
 
Joined
Sep 17, 2014
Messages
22,673 (6.05/day)
Location
The Washing Machine
System Name Tiny the White Yeti
Processor 7800X3D
Motherboard MSI MAG Mortar b650m wifi
Cooling CPU: Thermalright Peerless Assassin / Case: Phanteks T30-120 x3
Memory 32GB Corsair Vengeance 30CL6000
Video Card(s) ASRock RX7900XT Phantom Gaming
Storage Lexar NM790 4TB + Samsung 850 EVO 1TB + Samsung 980 1TB + Crucial BX100 250GB
Display(s) Gigabyte G34QWC (3440x1440)
Case Lian Li A3 mATX White
Audio Device(s) Harman Kardon AVR137 + 2.1
Power Supply EVGA Supernova G2 750W
Mouse Steelseries Aerox 5
Keyboard Lenovo Thinkpad Trackpoint II
VR HMD HD 420 - Green Edition ;)
Software W11 IoT Enterprise LTSC
Benchmark Scores Over 9000
No amount of patchwork will completely fix these leaks. They exist on such a basic level there will probably always be some way to get past any sort of bandaid fix. Intel said as much when the first leaks came out, too. Let's be realistic about it :)

The more interesting part of it is that Intel actually still keeps selling leaky architecture to us, I mean Cascade Lake isn't exactly ancient. Gotta keep that money rollin' ey

But... they're taking it seriously :roll::roll::roll: Business as usual and made a record year... guess what. The memo we gave them since those leaks is that we also really don't give a shit and buy Intel regardless. We're helpless really.
 
Joined
Nov 3, 2013
Messages
2,141 (0.53/day)
Location
Serbia
Processor Ryzen 5600
Motherboard X570 I Aorus Pro
Cooling Deepcool AG400
Memory HyperX Fury 2 x 8GB 3200 CL16
Video Card(s) RX 6700 10GB SWFT 309
Storage SX8200 Pro 512 / NV2 512
Display(s) 24G2U
Case NR200P
Power Supply Ion SFX 650
Mouse G703 (TTC Gold 60M)
Keyboard Keychron V1 (Akko Matcha Green) / Apex m500 (Gateron milky yellow)
Software W10
This is kinda getting ridiculous at this point. It's like the 20th vulnerability they've had in 2 years or so...

Which I wouldn't care about at all, but every one of them brings a microcode and/or windows patch which more often than not decreases performance. Half percent here, half percent there, add everything up and suddenly my CPU is no longer performing at 100%. And I paid good money for a 100% performing CPU.
 
Joined
Feb 3, 2017
Messages
3,822 (1.33/day)
Processor Ryzen 7800X3D
Motherboard ROG STRIX B650E-F GAMING WIFI
Memory 2x16GB G.Skill Flare X5 DDR5-6000 CL36 (F5-6000J3636F16GX2-FX5)
Video Card(s) INNO3D GeForce RTX™ 4070 Ti SUPER TWIN X2
Storage 2TB Samsung 980 PRO, 4TB WD Black SN850X
Display(s) 42" LG C2 OLED, 27" ASUS PG279Q
Case Thermaltake Core P5
Power Supply Fractal Design Ion+ Platinum 760W
Mouse Corsair Dark Core RGB Pro SE
Keyboard Corsair K100 RGB
VR HMD HTC Vive Cosmos
So the short summery;
This will effect any Intel CPU Skylake/Cascade Lake onward. Broadwell and earlier are safe.

Additionally, the following specifically states that physical admin access(authenticated local access) is required;
An attack to exploit this vulnerability can not be rendered remotely, IE through a network share or web browser.
Still reading the paper but:
- They do seem to mount an attack from unprivileged users.
- HT helps the attack but it works without HT as well.
- They recommend turning off TSX as that is effective against CacheOut.

Edit:
OK, it seems that TAA is an integral step in CacheOut, so they are attacking a different target but still using TAA to get the data out. Makes sense that disabling TSX would work against this.
 
Last edited:
Joined
Feb 23, 2019
Messages
6,106 (2.87/day)
Location
Poland
Processor Ryzen 7 5800X3D
Motherboard Gigabyte X570 Aorus Elite
Cooling Thermalright Phantom Spirit 120 SE
Memory 2x16 GB Crucial Ballistix 3600 CL16 Rev E @ 3600 CL14
Video Card(s) RTX3080 Ti FE
Storage SX8200 Pro 1 TB, Plextor M6Pro 256 GB, WD Blue 2TB
Display(s) LG 34GN850P-B
Case SilverStone Primera PM01 RGB
Audio Device(s) SoundBlaster G6 | Fidelio X2 | Sennheiser 6XX
Power Supply SeaSonic Focus Plus Gold 750W
Mouse Endgame Gear XM1R
Keyboard Wooting Two HE
Something interesting to note from the disclosure paper. Intel and AMD have literally paid them to find this:
We would like to thank Intel for working with us during the responsible disclosure.
This research was supported by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory (AFRL) under contract FA8750-19-C0531, by an Australian Research Council Discovery Early Career Researcher Award (project number DE200101577), and by generous gifts from Intel and AMD.


The way this is worded doesn't seem like it is a paid bug bounty (because then why does it say Intel and AMD, if AMD CPUs are not affected?), but rather some sort of a research grant to push the boundaries of security.

This shows AMD and Intel are taking this research seriously to improve security.
Darpa and air force funding also might indicate potential use for intelligence application.
 
Joined
Aug 14, 2012
Messages
225 (0.05/day)
System Name "Big E"
Processor I5 2400
Motherboard Intel DQ67OW
Cooling Scythe Samurai ZZ
Memory 4 X 2 Gb Kingmax 1333
Video Card(s) MSI RX470 gaming x 4gb
Storage samsung F3 500 GB
Display(s) Acer S271HLBbid
Case "Big E"
Power Supply Gembird 450 W
Mouse Generic
Keyboard Generic
Software W10 LTSC
Benchmark Scores Nothing worthy to mention
Another month , another Intel CPU hardware vulnerability.:nutkick:
 
Joined
Nov 21, 2010
Messages
2,355 (0.46/day)
Location
Right where I want to be
System Name Miami
Processor Ryzen 3800X
Motherboard Asus Crosshair VII Formula
Cooling Ek Velocity/ 2x 280mm Radiators/ Alphacool fullcover
Memory F4-3600C16Q-32GTZNC
Video Card(s) XFX 6900 XT Speedster 0
Storage 1TB WD M.2 SSD/ 2TB WD SN750/ 4TB WD Black HDD
Display(s) DELL AW3420DW / HP ZR24w
Case Lian Li O11 Dynamic XL
Audio Device(s) EVGA Nu Audio
Power Supply Seasonic Prime Gold 1000W+750W
Mouse Corsair Scimitar/Glorious Model O-
Keyboard Corsair K95 Platinum
Software Windows 10 Pro
Man, I wonder how Intel fanbois are holding up being unable to remark about bug ridden AMD CPUs are .
 
Joined
Dec 3, 2014
Messages
348 (0.09/day)
Location
Marabá - Pará - Brazil
System Name KarymidoN TitaN
Processor AMD Ryzen 7 5700X
Motherboard ASUS TUF X570
Cooling Custom Watercooling Loop
Memory 2x Kingston FURY RGB 16gb @ 3200mhz 18-20-20-39
Video Card(s) MSI GTX 1070 GAMING X 8GB
Storage Kingston NV2 1TB| 4TB HDD
Display(s) 4X 1080P LG Monitors
Case Aigo Darkflash DLX 4000 MESH
Power Supply Corsair TX 600
Mouse Logitech G300S
Man, I wonder how Intel fanbois are holding up being unable to remark about bug ridden AMD CPUs are .

Denial and "We have better FPS and higher clocks"
 
Joined
Sep 17, 2014
Messages
22,673 (6.05/day)
Location
The Washing Machine
System Name Tiny the White Yeti
Processor 7800X3D
Motherboard MSI MAG Mortar b650m wifi
Cooling CPU: Thermalright Peerless Assassin / Case: Phanteks T30-120 x3
Memory 32GB Corsair Vengeance 30CL6000
Video Card(s) ASRock RX7900XT Phantom Gaming
Storage Lexar NM790 4TB + Samsung 850 EVO 1TB + Samsung 980 1TB + Crucial BX100 250GB
Display(s) Gigabyte G34QWC (3440x1440)
Case Lian Li A3 mATX White
Audio Device(s) Harman Kardon AVR137 + 2.1
Power Supply EVGA Supernova G2 750W
Mouse Steelseries Aerox 5
Keyboard Lenovo Thinkpad Trackpoint II
VR HMD HD 420 - Green Edition ;)
Software W11 IoT Enterprise LTSC
Benchmark Scores Over 9000
Man, I wonder how Intel fanbois are holding up being unable to remark about bug ridden AMD CPUs are .

Do those even exist in 2020?
 
Joined
Dec 31, 2009
Messages
19,371 (3.54/day)
Benchmark Scores Faster than yours... I'd bet on it. :)
Man, I wonder how Intel fanbois are holding up being unable to remark about bug ridden AMD CPUs are .
Cant say I'm a fanboy but owning an Intel ID(ont)GAF.

The overwhelming majority of these dont really affect most home users in the first place (and then most are elevated access, no?). I guess some would call it perspective...

Nice crack at flamebait, though...
 
Last edited:

btarunr

Editor & Senior Moderator
Staff member
Joined
Oct 9, 2007
Messages
47,298 (7.53/day)
Location
Hyderabad, India
System Name RBMK-1000
Processor AMD Ryzen 7 5700G
Motherboard ASUS ROG Strix B450-E Gaming
Cooling DeepCool Gammax L240 V2
Memory 2x 8GB G.Skill Sniper X
Video Card(s) Palit GeForce RTX 2080 SUPER GameRock
Storage Western Digital Black NVMe 512GB
Display(s) BenQ 1440p 60 Hz 27-inch
Case Corsair Carbide 100R
Audio Device(s) ASUS SupremeFX S1220A
Power Supply Cooler Master MWE Gold 650W
Mouse ASUS ROG Strix Impact
Keyboard Gamdias Hermes E2
Software Windows 11 Pro
Cant say I'm a fanboy but owning an Intel ID(ont)GAF.

The overwhelming majority of these dont really affect most home users in the first place (and then most are elevated access, no?). I guess some would call it perspective...

Nice crack at flamebait, though...

I guess the problem people have with new CVE discoveries is not that their Intel-powered PC is less safe. It's that the subsequent mitigation shoved down their throats by MS or Intel will inevitably chip away at performance.
 
Joined
Dec 31, 2009
Messages
19,371 (3.54/day)
Benchmark Scores Faster than yours... I'd bet on it. :)
I guess the problem people have is not that their Intel-powered PC is less safe. It's that the mitigation shoved down their throats by MS or Intel will inevitably chip away at performance.
Indeed and agreed...my issue is more at the flamebait than anything (but is seems that is OK?). ;)

EDIT: Meanwhile, I will continue to patch and be 'safer' all the while not noticing (outside of benchmarks) the few % this is slower in some tasks.
 
Last edited:
Joined
Jul 5, 2013
Messages
28,260 (6.75/day)
Come on Intel, you can do better.
There is no one to blame. Like all of the vulnerabilities found in CPU's in the past few years, Intel created a CPU function that was intended to be of benefit. They had no expectation or foresight that it would be used in such a way.

- They do seem to mount an attack from unprivileged users.
That is incorrect.
 
Joined
Feb 3, 2017
Messages
3,822 (1.33/day)
Processor Ryzen 7800X3D
Motherboard ROG STRIX B650E-F GAMING WIFI
Memory 2x16GB G.Skill Flare X5 DDR5-6000 CL36 (F5-6000J3636F16GX2-FX5)
Video Card(s) INNO3D GeForce RTX™ 4070 Ti SUPER TWIN X2
Storage 2TB Samsung 980 PRO, 4TB WD Black SN850X
Display(s) 42" LG C2 OLED, 27" ASUS PG279Q
Case Thermaltake Core P5
Power Supply Fractal Design Ion+ Platinum 760W
Mouse Corsair Dark Core RGB Pro SE
Keyboard Corsair K100 RGB
VR HMD HTC Vive Cosmos
Seems like this issue should be negated by turning off TSX, which is barely used even in servers much less on desktop. The problem is that for turning that off, the option to do that needs to be exposed and it isn't. Firmware fixes for TAA should include a way to turn that off and be done with.

That is incorrect.
From introductory parts:
https://cacheoutattack.com/CacheOut.pdf said:
Beyond proof-of-concept ex-ploits, we also demonstrate highly practical attacks against theLinux kernel, all mounted from unprivileged user processes
Description of what they refer to seems to be 5. Cross Process Attacks (on page 9).
 
Last edited:
Joined
Apr 24, 2008
Messages
2,025 (0.33/day)
Processor RyZen R9 3950X
Motherboard ASRock X570 Taichi
Cooling Coolermaster Master Liquid ML240L RGB
Memory 64GB DDR4 3200 (4x16GB)
Video Card(s) RTX 3050
Storage Samsung 2TB SSD
Display(s) Asus VE276Q, VE278Q and VK278Q triple 27” 1920x1080
Case Zulman MS800
Audio Device(s) On Board
Power Supply Seasonic 650W
VR HMD Oculus Rift, Oculus Quest V1, Oculus Quest 2
Software Windows 11 64bit
They are really getting creative with these exploit names, “CacheOut”.

I own both Intel and AMD platforms. I take no solace in the notion that AMD is somehow inherently more secure. The Intel architecture has been around longer and has been prevalent. So the cracks are showing. In due time we may start to see more of the same with AMD.

I mean I hope not but you never know,....
 
Top