The details of three new speculative execution vulnerabilities affecting Intel Xeon and Core processors were disclosed on Tuesday. The flaws have been dubbed Foreshadow and L1 Terminal Fault (L1TF), and patches and mitigations are already available.
The security holes were discovered independently by two teams of researchers. A team from KU Leuven, a university in Belgium, informed Intel of its findings on January 3, the day when the notorious Spectre and Meltdown vulnerabilities were disclosed to the public. The second team, comprising researchers from Israel-based Technion, University of Michigan, the University of Adelaide in Australia, and Australia-based CSIRO’s Data61, reported its findings to Intel on January 23.
The Foreshadow/L1TF vulnerabilities are CVE-2018-3615, which impacts Intel’s Software Guard Extensions (SGX); CVE-2018-3620, which impacts operating systems and System Management Mode (SMM); and CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMM).
Researchers first discovered the vulnerability affecting SGX, a feature in Intel processors designed to protect user data even if an attacker takes control of the entire system. SGX was believed to be resilient to speculative execution attacks, but experts have now demonstrated that an attacker can read memory protected by SGX.
“Making things worse, due to SGX’s privacy features, an attestation report cannot be linked to the identity of its signer. Thus, it only takes a single compromised SGX machine to erode trust in the entire SGX ecosystem,” researchers explained on a website set up for the Foreshadow vulnerabilities.
During its investigation into the cause of Foreshadow, Intel discovered the two other flaws, which are tracked as Foreshadow-Next Generation (NG). Foreshadow-NG attacks can allow malicious actors to read information from the L1 cache, including information associated with the SMM, the operating system’s kernel, and hypervisors.
“Perhaps most devastating, Foreshadow-NG might also be used to read information stored in other virtual machines running on the same third-party cloud, presenting a risk to cloud infrastructure,” researchers said. “Finally, in some cases, Foreshadow-NG might bypass previous mitigations against speculative execution attacks, including countermeasures to Meltdown and Spectre.”
According to Intel, a malicious application installed on the targeted system can deduce data values from the operating system or other apps. Exploitation of the flaws can also allow a malicious guest VM to obtain data in the memory of the virtual machine manager (VMM) or other guest VMs.
Intel also says that the Foreshadow vulnerabilities allow malicious software to obtain data from the SMM memory. Finally, malware running outside or within an SGX enclave may be able to access data from another SGX enclave.
Intel and other tech giants have released updates and mitigations which, in combination with the patches released previously for speculative execution vulnerabilities (e.g. Meltdown and Spectre), should prevent attacks. Intel claims it has not seen any significant performance impact introduced by the available mitigations on PCs and many data center workloads.
There is no evidence of malicious attacks exploiting these vulnerabilities.
Companies respond to Foreshadow
Microsoft has published both a security advisory describing the flaws and a blog post containing technical details. The company says it has released several updates that should mitigate Foreshadow on both consumer devices and on its Azure cloud services.
Google also says it has deployed mitigations to its infrastructure, including the infrastructure that underpins its cloud services.
Amazon Web Services (AWS) told customers that its infrastructure includes protections for these types of attacks, and additional security mechanisms have been deployed for L1TF. “All EC2 host infrastructure has been updated with these new protections, and no customer action is required at the infrastructure level,” AWS said.
Oracle has also published a blog post describing which of its products are impacted and which are not, and provided instructions on how attacks can be mitigated.
VMware has published separate advisories for CVE-2018-3646 and CVE-2018-3620. The former affects VMware vSphere, Workstation, and Fusion, and the company says it has released updates that patch the issue. The latter impacts vCloud Usage Meter (UM), Identity Manager (vIDM), vCenter Server (vCSA), vSphere Data Protection (VDP), vSphere Integrated Containers (VIC) and vRealize Automation (vRA). Patches are pending for this vulnerability, but virtual appliance mitigations are available.
Cisco is also working on patches for the vulnerabilities. The networking giant says that while its products are not directly affected, they could still be targeted if the hosting environment is vulnerable.
“Cisco recommends that customers harden their virtual environments, tightly control user access, and ensure that all security updates are installed. Customers who are deploying products as a virtual device in multi-tenant hosting environments should ensure that the underlying hardware, as well as the operating system or hypervisor, is patched against the vulnerabilities in question,” the company said.
The Xen Project revealed that systems running any version of Xen are impacted.
“New microcode, and possibly a new firmware image is required to prevent SMM data from being leaked with this vulnerability,” Xen developers explained. “Software updates to Xen (details below) are required to prevent guests from being able to leak data belonging to Xen or to other guests in the system.”
Red Hat has published both technical and high-level materials describing the Foreshadow flaws. The company is working on updates that should make it easier for its users to implement mitigations.
The list of Linux distributions that have also published advisories includes Suse, Debian, Gentoo and Ubuntu.
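For administrators verifying that the operating system and hypervisor mitigations mentioned above are actually active on a Linux host, the following is an added example, not taken from the article or from any vendor advisory. It assumes the kernel's `/sys/devices/system/cpu/vulnerabilities/l1tf` status file and the status strings described in the Linux kernel's L1TF documentation; the grading of each state is this example's own interpretation, and the SGX issue (CVE-2018-3615) is not reported in this file.

```python
from pathlib import Path

# Assumption (not from the article): Linux kernels carrying the L1TF patches
# report mitigation status in this sysfs file.
L1TF_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/l1tf")

# Grading of the hypervisor (VMX) field is this example's own interpretation.
VMX_GRADES = {
    "cache flushes": "mitigated",
    "EPT disabled": "mitigated",
    "flush not necessary": "mitigated",
    "conditional cache flushes": "partially mitigated",
    "vulnerable": "vulnerable",
}

def assess_l1tf(status: str) -> dict:
    """Map one l1tf status line to the OS (3620) and VMM (3646) CVEs."""
    status = status.strip()
    if status == "Not affected":
        return {"CVE-2018-3620": "not affected",
                "CVE-2018-3646": "not affected", "smt_vulnerable": False}
    # Layout: "<OS mitigation>; VMX: <state>, SMT <state>"; the VMX part is
    # absent when the kernel has no hypervisor state to report.
    os_part, _, vmx_part = status.partition(";")
    os_state = ("mitigated" if os_part.strip() == "Mitigation: PTE Inversion"
                else "vulnerable")
    fields = [f.strip() for f in vmx_part.split(",") if f.strip()]
    vmx = next((f[4:].strip() for f in fields if f.startswith("VMX:")), None)
    vmm_state = "not reported" if vmx is None else VMX_GRADES.get(vmx, "unknown")
    return {"CVE-2018-3620": os_state, "CVE-2018-3646": vmm_state,
            "smt_vulnerable": "SMT vulnerable" in fields}

# Constructed sample lines, so the example runs on any machine.
SAMPLES = [
    "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled",
    "Mitigation: PTE Inversion",
    "Not affected",
]

if __name__ == "__main__":
    lines = SAMPLES + ([L1TF_SYSFS.read_text()] if L1TF_SYSFS.exists() else [])
    for line in lines:
        print(f"{line.strip()!r} -> {assess_l1tf(line)}")
```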

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
