Foreshadow: New Speculative Execution Flaws Found in Intel CPUs

Researchers and several major tech companies on Tuesday disclosed the details of three new speculative execution side-channel vulnerabilities affecting Intel processors.

The flaws, tracked as Foreshadow and L1 Terminal Fault (L1TF), were discovered independently by two research teams, who reported their findings to Intel in January, shortly after the existence of the notorious Spectre and Meltdown vulnerabilities was made public.

There are three Foreshadow vulnerabilities: CVE-2018-3615, which impacts Intel’s Software Guard Extensions (SGX); CVE-2018-3620, which impacts operating systems and System Management Mode (SMM); and CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMM).

“Each variety of L1TF could potentially allow unauthorized disclosure of information residing in the L1 data cache, a small pool of memory within each processor core designed to store information about what the processor core is most likely to do next,” Intel said.

Researchers initially discovered the SGX vulnerability and Intel identified the two other issues while analyzing the cause of Foreshadow.

“While it was previously believed that SGX is resilient to speculative execution attacks (such as Meltdown and Spectre), Foreshadow demonstrates how speculative execution can be exploited for reading the contents of SGX-protected memory as well as extracting the machine’s private attestation key. Making things worse, due to SGX’s privacy features, an attestation report cannot be linked to the identity of its signer. Thus, it only takes a single compromised SGX machine to erode trust in the entire SGX ecosystem,” researchers said.

“[Foreshadow-NG] attacks can potentially be used to read any information residing in the L1 cache, including information belonging to the System Management Mode (SMM), the Operating System’s Kernel, or Hypervisor. Perhaps most devastating, Foreshadow-NG might also be used to read information stored in other virtual machines running on the same third-party cloud, presenting a risk to cloud infrastructure. Finally, in some cases, Foreshadow-NG might bypass previous mitigations against speculative execution attacks, including countermeasures to Meltdown and Spectre,” they explained.

The security holes impact Intel’s Core and Xeon processors. According to the company, the patches released for these vulnerabilities don’t have a significant impact on performance, either on PC clients or data center workloads.

There is no indication that these vulnerabilities have been exploited for malicious purposes. Impacted tech companies have released patches and mitigations, which should prevent attacks when combined with the software and microcode updates released in response to Meltdown and Spectre.

AMD says its products are not impacted by Foreshadow or Foreshadow-NG due to the company’s “hardware paging architecture protections.”

“We are advising customers running AMD EPYC™ processors in their data centers, including in virtualized environments, to not implement Foreshadow-related software mitigations for their AMD platforms,” AMD told SecurityWeek in an emailed statement.

Advisories and blog posts containing technical details on Foreshadow have been published by Microsoft, Cisco, Oracle, VMware, Linux kernel developers, the Xen Project, Red Hat, SUSE and others. The researchers who discovered Foreshadow have also set up a dedicated website where users can get more information.

Videos describing the vulnerabilities are available from the researchers who found Foreshadow and Red Hat.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
