SecurityWeek

CrossTalk: First Speculative Execution Attack Allowing Data Leaks Across Intel CPU Cores

Researchers have disclosed the details of a new speculative execution attack affecting many Intel processors, and they say this is the first vulnerability of this kind that allows hackers to obtain sensitive information across the cores of a CPU.

The vulnerability was discovered by a team of researchers from Vrije Universiteit Amsterdam in the Netherlands and ETH Zurich in Switzerland. They initially reported their findings to Intel in September 2018 and nearly one year later they informed the tech giant about the possibility of cross-core leaks.

The vulnerability, dubbed CrossTalk by the researchers and special register buffer data sampling (SRBDS) by Intel, is related to the Microarchitectural Data Sampling (MDS) flaws disclosed last year.

The security hole, tracked as CVE-2020-0543, allows an authenticated attacker with local access to the targeted system (i.e. a malicious app) to obtain information from an application running on a different CPU core than the one running the attacker’s code. Such attacks could allow an attacker to obtain passwords, encryption keys and other potentially sensitive information. Exploitation works even against apps running in Intel SGX enclaves, which should protect data against attacks.

“With CrossTalk, we discovered that various instructions perform offcore requests to read data from a staging buffer shared between all the CPU cores. We observed that the staging buffer contains sensitive data, including the output of the hardware digital random number generator (DRNG), and that such data can be leaked across cores using RIDL (aka MDS) attacks,” the researchers explained.

Intel, which classified the issue as medium severity (CVSS score of 6.5), has released microcode updates that should patch the vulnerability for supported processors. The researchers said it took Intel a fairly long time to release patches due to “the difficulty of implementing a fix for the cross-core vulnerabilities identified in this paper.”

The developers of various Linux distributions have also released advisories and patches, including Red Hat, Debian, Ubuntu and Oracle Linux. The Xen virtualization project and hardware manufacturer Gigabyte have also released advisories.
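To confirm that the microcode and kernel updates took effect on a Linux host, the status the kernel reports for SRBDS can be read and classified. The script below is an added example, not code from the article, Intel or the researchers; the sysfs path and status strings are the ones documented by the Linux kernel, while the function names and action labels are this example's own.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's SRBDS (CVE-2020-0543) status.
# The sysfs path and status strings follow the Linux kernel documentation;
# function names and action labels are assumptions of this example.

SRBDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/srbds

# Map a kernel status string to an action label for the operator.
classify_srbds() {
    case "$1" in
        "Not affected")              echo "ok:not-affected" ;;
        "Mitigation: Microcode")     echo "ok:microcode-mitigation" ;;
        "Mitigation: TSX disabled")  echo "ok:tsx-disabled" ;;
        # CPU is affected and the loaded microcode lacks the fix.
        "Vulnerable: No microcode")  echo "action:install-microcode-update" ;;
        # CPU is affected and the mitigation was turned off (e.g. at boot).
        "Vulnerable")                echo "action:mitigation-disabled" ;;
        # Guest cannot tell whether the host CPU is mitigated.
        "Unknown: Dependent on hypervisor status")
                                     echo "review:check-hypervisor-host" ;;
        # No sysfs entry: the kernel predates the SRBDS patches.
        "")                          echo "review:kernel-does-not-report-srbds" ;;
        *)                           echo "review:unrecognized-status" ;;
    esac
}

# Print the first line of the status file; $1 overrides the path for testing.
read_srbds_status() {
    f="${1:-$SRBDS_SYSFS}"
    if [ -r "$f" ]; then
        head -n 1 "$f"
    fi
    return 0
}

# Report "<kernel status> -> <action label>" for this host (or for file $1).
check_srbds() {
    status="$(read_srbds_status "$1")"
    printf '%s -> %s\n' "${status:-<no srbds entry>}" "$(classify_srbds "$status")"
}

check_srbds
```

A missing sysfs entry means the running kernel does not know about SRBDS at all, so it should be treated as unpatched rather than as unaffected.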

According to Intel, CrossTalk affects over 50 mobile, desktop, server, workstation and embedded processors, including Core from 3rd Gen to 10th Gen, Core X-Series, Pentium, Celeron and Xeon E3 CPUs. The researchers said high-end server CPUs and the latest processors made by Intel do not appear to be impacted.

Intel has published a “deep dive” article describing the SRBDS vulnerability. The researchers who found the flaw have published a technical paper, a video showing exploitation against SGX, and proof-of-concept (PoC) exploit code.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
