Intel on Monday informed customers that researchers have identified yet another speculative execution attack method that can be launched against systems that use its processors.
The disclosure of the Meltdown and Spectre vulnerabilities back in January 2018 paved the way for the discovery of several speculative execution side-channel attack methods impacting modern processors. While some attacks have impacted CPUs from other vendors as well, Intel chips seem to be the most affected.
In May 2019, researchers disclosed the existence of new attack methods that rely on Microarchitectural Data Sampling (MDS) vulnerabilities. These attacks, dubbed ZombieLoad, RIDL and Fallout, can allow malicious applications to obtain potentially sensitive information from applications, the operating system, virtual machines and trusted execution environments. Exposed data can include passwords, website content, encryption keys and browser history.
When the MDS flaws were disclosed, researchers said they impacted Intel processors made in the past decade, except for some newer models. However, in November 2019, experts revealed a new method, dubbed ZombieLoad Variant 2, that also worked against processors containing hardware mitigations for MDS attacks, including Intel Xeon Gold and Core i9 processors.
Researchers have now disclosed yet another MDS attack, which has been dubbed CacheOut and L1D Eviction Sampling (L1DES). The underlying vulnerability was independently discovered by the VUSec group at VU Amsterdam and a team from the TU Graz and KU Leuven universities. A researcher from the University of Michigan was affiliated with VU Amsterdam at one point during the research, and the University of Michigan has also published a separate research paper following an analysis conducted in collaboration with a researcher at the University of Adelaide in Australia.
According to researchers at the University of Michigan, who have dubbed the vulnerability CacheOut, this attack can bypass the hardware protections in many Intel CPUs and allows the attacker to select what data they want to leak rather than waiting for the data to be available.
Intel, which tracks the vulnerability as CVE-2020-0549 and assigned it a CVSS score of 6.5, refers to it as L1D Eviction Sampling, as it allows an attacker to read from the CPU’s L1 Data Cache.
The company says it’s working on microcode updates that should address the issue. In the meantime, researchers have proposed various measures that should prevent attacks, including disabling hyper-threading, flushing the L1 cache, and disabling the TSX feature.
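As an added example (not from Intel or the researchers), the script below checks two of the interim measures listed above, hyper-threading and TSX, on a Linux host. The Linux procfs/sysfs paths, the function names and the `--run` argument are assumptions of this example; the L1 cache flush is not checked.

```shell
#!/bin/sh
# Added example: check the interim mitigations named above on a Linux host.
# Assumptions: Linux procfs/sysfs paths; function names are illustrative.

# has_tsx CPUINFO: succeed if the first "flags" line lists rtm or hle,
# the CPU feature flags Linux shows when TSX is exposed to software.
has_tsx() {
    awk -F: '
        /^flags/ {
            n = split($2, f, " ")
            for (i = 1; i <= n; i++)
                if (f[i] == "rtm" || f[i] == "hle") found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# smt_active FILE: succeed if the sysfs SMT state file reads "1".
# A missing file (older kernel, non-Linux) counts as "not reported".
smt_active() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Print one line per check; the return status is the number of findings.
audit_interim_mitigations() {
    cpuinfo=${1:-/proc/cpuinfo}
    smt_file=${2:-/sys/devices/system/cpu/smt/active}
    findings=0
    if smt_active "$smt_file"; then
        echo "FINDING: SMT (hyper-threading) is active"
        findings=$((findings + 1))
    else
        echo "ok: SMT is off or not reported by this kernel"
    fi
    if has_tsx "$cpuinfo"; then
        echo "FINDING: TSX is exposed (rtm/hle in CPU flags)"
        findings=$((findings + 1))
    else
        echo "ok: no TSX flags visible"
    fi
    return "$findings"
}

# Audit the live host only when called with --run (argument of this example).
if [ "${1:-}" = "--run" ]; then
    audit_interim_mitigations
fi
```

Both path arguments can be overridden, so the same functions can be run against files collected from other hosts.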
It’s worth noting that CacheOut/L1DES attacks require local access to the targeted system and attacks from a web browser are not possible.
University of Michigan researchers noted that some Intel processors released after the fourth quarter of 2018 may not be impacted as Intel inadvertently introduced some partial mitigations with the microcode updates designed to address ZombieLoad Variant 2.
Processors made by AMD are not impacted and the researchers said they have yet to determine if CacheOut attacks can be launched against chips from Arm and IBM.
VUSec researchers, who have described L1DES as a new variant of the RIDL attack, have also disclosed a second vulnerability, which they and Intel track as Vector Register Sampling (VRS). This flaw, Intel says, is less severe as the attack complexity is high and the chances of an attacker obtaining relevant data are low. VRS is also considered a new variant of the RIDL attack.

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
