Connect with us

Hi, what are you looking for?



CacheOut/L1DES: New Speculative Execution Attack Affecting Intel CPUs

Intel on Monday informed customers that researchers have identified yet another speculative execution attack method that can be launched against systems that use its processors.

Intel on Monday informed customers that researchers have identified yet another speculative execution attack method that can be launched against systems that use its processors.

The disclosure of the Meltdown and Spectre vulnerabilities back in January 2018 paved the way for the discovery of several speculative execution side-channel attack methods impacting modern processors. While some attacks have impacted CPUs from other vendors as well, Intel chips seem to be the most affected.

In May 2019, researchers disclosed the existence of new attack methods that rely on Microarchitectural Data Sampling (MDS) vulnerabilities. These attacks, dubbed ZombieLoad, RIDL and Fallout, can allow malicious applications to obtain potentially sensitive information from applications, the operating system, virtual machines and trusted execution environments. Exposed data can include passwords, website content, encryption keys and browser history.

When the MDS flaws were disclosed, researchers said they impacted Intel processors made in the past decade, except for some newer models. However, in November 2019, experts revealed a new method, dubbed ZombieLoad Variant 2, that also worked against processors containing hardware mitigations for MDS attacks, including Intel Xeon Gold and Core i9 processors.CacheOut vulnerability in Intel CPUs

Researchers have now disclosed yet another MDS attack, which has been dubbed CacheOut and L1D Eviction Sampling (L1DES). The underlying vulnerability was independently discovered by the VUSec group at VU Amsterdam and a team from the TU Graz and KU Leuven universities. A researcher from the University of Michigan was affiliated with VU Amsterdam at one point during the research and the University of Michigan has also published a separate research paper following an analysis conducted in collaboration with a researcher at the University of Adelaide in Australia.

According to researchers at the University of Michigan, which have dubbed the vulnerability CacheOut, this attack can bypass the hardware protections in many Intel CPUs and allows the attacker to select what data they want to leak rather than waiting for the data to be available.

Intel, which tracks the vulnerability as CVE-2020-0549 and assigned it a CVSS score of 6.5, refers to it as L1D Eviction Sampling, as it allows an attacker to read from the CPU’s L1 Data Cache.

The company says it’s working on microcode updates that should address the issue. In the meantime, researchers have proposed various measures that should prevent attacks, including disabling hyper-threading, flushing the L1 cache, and disabling the TSX feature.

Advertisement. Scroll to continue reading.

It’s worth noting that CacheOut/L1DES attacks require local access to the targeted system and attacks from a web browser are not possible.

University of Michigan researchers noted that some Intel processors released after the fourth quarter of 2018 may not be impacted as Intel inadvertently introduced some partial mitigations with the microcode updates designed to address ZombieLoad Variant 2.

Processors made by AMD are not impacted and the researchers said they have yet to determine if CacheOut attacks can be launched against chips from Arm and IBM.

VUSec researchers, who have described L1DES as a new variant of the RIDL attack, have also disclosed a second vulnerability, which they and Intel track as Vector Register Sampling (VRS). This flaw, Intel says, is less severe as the attack complexity is high and the chances of an attacker obtaining relevant data are low. VRS is also considered a new variant of the RIDL attack.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.