Researchers and several major tech companies this week disclosed the details of three new speculative execution side-channel vulnerabilities affecting Intel processors.
The flaws, tracked as Foreshadow and L1 Terminal Fault (L1TF), are CVE-2018-3615, which impacts Intel’s Software Guard Extensions (SGX); CVE-2018-3620, which impacts operating systems and System Management Mode (SMM); and CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMM).
A piece of malware installed on a system can exploit the flaws to gain access to potentially sensitive data stored in supposedly protected memory.
Industry professionals have commented on various aspects of Foreshadow/L1TF, including its impact on various types of systems, difficulty of exploitation, and performance issues introduced by mitigations.
And the feedback begins…
Tod Beardsley, research director, Rapid7:
“The L1TF / Foreshadow vulnerability announced today should be of particular interest to enterprises which run virtual computers in a shared hosting environments. Customers of this kind of cloud computing service should keep an eye out for communications from their hosting providers, which will tell them if they need to do anything special with their guest operating systems. In many cases, hosting providers already provide a reasonable mitigation by ensuring that virtual machines run by different customers are isolated from each other, and don’t intermingle different processes on the same CPU core.
So, while it’s likely that virtual machine users need to update their own guest operating systems, they should be rolling out security patches routinely anyway. If you’re a VM customer and haven’t yet heard anything from your provider, a call to their tech support is in order to make sure they’re aware of the issue, since the host operating systems need to be updated as well.
All that said, home users generally do not need to worry too much about these issues; all of these speculative execution bugs are pretty exotic, and unlikely to be used against individual end users anytime soon. Cryptojacking and ransom-based malware are still pretty effective mechanisms that criminals employ to extract money out of victims, so they don’t need to go to the trouble of setting up and executing a complicated attack using Foreshadow.”
Ken Spinner, VP of Field Engineering, Varonis:
“Cloud providers of virtual servers are more susceptible than on-premises networks in this instance because that’s the most likely place you’d have one physical server housing dozens of virtual machines run by different companies. If the vulnerability could be successfully exploited, attackers could hit the jackpot. However, a data centre could hold literally hundreds of thousands of servers and potentially millions of VMs. Hackers would be conducting an unfocused attack, rather than focusing on exploiting a target organisation. It would be a shot in the dark.
These vulnerabilities are the latest in a long line of exploits. While the approaches change, the goal often stays the same – to grab your company’s data. To complicate matters, most companies are dealing with hybrid data stores with some of their data on-premises and some in the cloud, which creates challenges and potential risk from a security and data governance standpoint. Never assume your data is safe in the cloud. If your cloud environment isn’t secure, your data won’t just be in danger of being exposed to your entire organisation – it could be accessible to hackers or even the world.”
Roi Panai, Senior Engineering Manager for Research at Mimecast and Director of Research at Solebit:
“The rising number of hardware vulnerabilities should concern us, the defenders, since these kind of exploits are much more difficult to patch and thus very difficult to be protected.
Following other Intel CPU vulnerabilities such as “Melt-Down”, Foreshadow proves that protecting an essential data (i.e. kernel space) with strong confidentiality and integrity security methods is not enough.
The attack exploits instructions execution cache methods designed for processing optimization in order to extract information from privileged locations using different methods (i.e. covert-channel). Together with “Foreshadow-NG” variations, these kind of attacks proved to be very effective against “isolated” sections by exposing cached physical memory data which is widely used by virtual entities for example, giving the attacker full information about running virtual machines which was considered to be unreachable before.
Some strong and important modules, such as optimization processes, may compromise other security methods leaving some holes for attackers to be exploited, thus proving that the trade-off between security and advanced processing might be dangerous.”
Heather Paunet, Vice President of Product Management, Untangle:
“Foreshadow allows hackers to read the enclave memory without penetrating the enclave from the outside. This essentially allows hackers to make a shadow copy of the data and place it in a different unprotected location, causing speculative execution to revert all data to the new unprotected location. While this new vulnerability can be critically damaging to a device, the researchers and Intel have worked together to release patches to fix the underlying issues.
While Foreshadow is threatening, exploiting those vulnerabilities in practice is very difficult. However, there are certain scenarios that may warrant immediate action and concern. Data centers and cloud providers with highly virtualized environments are particularly at risk. Administrators must be vigilant to ensure that all environments take advantage of the latest available patches on an ongoing basis. Intel is working with some of its partners to address this scenario which could impact performance and resource utilization.
One key takeaway from the Foreshadow announcement is that Intel is working with both the research community as well as the security community at large, expanding its bug bounty program. Industry partnerships with researchers and wider security community are critical. Closed-source companies are sometimes reluctant to embrace these partnerships when compared to open-source companies, so it’s a positive step overall to see more collaboration. Cybersecurity changes in real time, so vendors, researchers and the community must continue to work together to stay one step ahead of potential exploit vectors to head off future attacks.”
bhishek Iyer, Technical Marketing Manager, Demisto:
“There are a few menacing projections that we can draw from the Foreshadow vulnerability, and these projections are not new. Firstly, a base exploitation technique like L1TF can lead to many derivative attack methods, each affecting a separate user base in different ways. The variants of L1TF that have been discovered so far affect isolated systems, virtualized systems, and cloud-hosted systems on multi-tenant environments. While the microcode updates and OS patches supplied so far can stop these attacks, the likelihood of other attack derivatives that bypass these safeguards is real and present.
The other interesting pattern to note is how attackers piggyback on computing advancements and exploit the fact that there’s often a lag between performance improvements and corresponding security improvements. The Intel SGX brought an innovation to market – the Abort Page Semantics that allowed increased performance through speculative execution while thwarting Spectre and Meltdown attacks – but the Foreshadow (L1TF) attack explicitly misused that innovation and resulted in the minor performance hit that comes with microcodes and patches. This balance between improving performance and maintaining security is something that organizations will continue to explore gingerly with attackers waiting in the sidelines.”
Jeff Ready, CEO, Scale Computing:
“The design flaw in Intel chips has left Windows and Linux systems vulnerable. Any device or services connected to the chips is essentially left at risk – especially after the latest flaw that was revealed – Foreshadow. The main focus is working in real time to identify the issues and look at what needs to be patched. Performance impacts will be seen across the industry. Systems that utilize software defined storage via a mid-layer filesystem will likely experience the most impact. Many software-defined storage solutions, which use a mid-layer filesystem will likely have a much larger performance impact as a result of these fixes. After the patches and fixes roll out, we will be able to see the true extent of the impact.”
Setu Kulkarni, VP of corporate strategy, WhiteHat Security:
“Unlike application security vulnerabilities where the remediation/mitigation is increasingly ‘centralized’ with cloud-based, multi-tenant systems, the same cannot be said about chip vulnerabilities. It’s getting to be a zero-sum game, as infosecurity teams are dealing with an increasing variety of security issues… the more they protect, the more there is to protect. There is a revolution waiting to happen in the way security teams will respond to the increasing variety and volume of security challenges – and it’s going to be based in automation, data science and shifting from ‘what we need to protect’ to ‘who we need to protect.’
The universal backward compatibility for the internet may also be subject to future change. Just as old versions of TLS and SSL can never be secure again, Foreshadow’s use of speculative execution has the potential capacity to break down the barriers between virtual machines – which may also impact cloud service providers and eHosting. The demand for speed of web page loading may yet prove our undoing, and the web may see an adjustment of expectations in the name of security rather than expedience.”
Bill Conner, CEO, SonicWall:
“Once again, relentless researchers are demonstrating that cyber criminals can use the very architecture of processor chips to gain access to sensitive and often highly valued information. Like its predecessors Meltdown and Spectre, Foreshadow is attacking processor, memory and cache functions to extract sought after information. Once gained, side-channels can then be used to ‘pick locks’ within highly secured personal computers or even third-party clouds undetected.
This class of attack is something that will not dissipate. Instead, attackers will only seek to benefit from the plethora of malware strains available to them and which they can formulate like malware cocktails to divert outdated technologies, security standards and tactics.”