Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

Researchers Revive ‘Foreshadow’ Attack by Extending It Beyond L1 Cache

Researchers revealed late on Thursday that the mitigations and patches rolled out in 2018 for the Foreshadow vulnerabilities affecting Intel processors can fail to prevent attacks.

Researchers revealed late on Thursday that the mitigations and patches rolled out in 2018 for the Foreshadow vulnerabilities affecting Intel processors can fail to prevent attacks.

Foreshadow, also known as L1 Terminal Fault (L1TF), is the name assigned to three speculative execution flaws reported to Intel shortly after the disclosure in January 2018 of the notorious Meltdown and Spectre vulnerabilities.

Foreshadow is related to the exposure of the L1 data cache of an Intel processor to malicious processes. A malicious application installed on a system can exploit the vulnerabilities to obtain potentially sensitive data from the L1 data cache.

Intel and other companies whose products and infrastructure were affected by Foreshadow prepared patches and mitigations before disclosure. Foreshadow revived

However, a team of researchers from the Graz University of Technology in Austria and the CISPA Helmholtz Center for Information Security have revived the Foreshadow attack and made some other interesting discoveries.

The researchers told SecurityWeek that they have been working on this project since 2018 and impacted vendors were notified more than a year ago. They published a research paper describing their findings on Thursday.

Specifically, they discovered that the Foreshadow attack can be extended beyond the L1 cache, which previously was believed to be impossible, and attacks can still work despite the existing mitigations. They showed that Foreshadow attacks can also target data in the L3 cache.

The researchers found that the assumptions made regarding countermeasures described in several academic papers over the past four years were incorrect. This has allowed them to revive Foreshadow and demonstrate that attacks can still be launched on older kernels patched against Foreshadow and with all mitigations enabled. On more recent kernels, the attack still works if the mitigations for the apparently unrelated Spectre Variant 2 vulnerability are disabled (i.e. nospectre_v2 passed as a boot flag).

“[The attack] works on older kernels regardless of the nospectre_v2 flag — that is until recently (I think kernel 5.4 is the first where we’ve seen Foreshadow-L3 stopping to work) it did not matter whether or not Spectre mitigations were enabled and/or Foreshadow mitigations were enabled, Foreshadow-L3 still works on these kernel versions,” Daniel Gruss, one of the researchers involved in this project, told SecurityWeek.

Intel does not plan on releasing additional mitigations for the Foreshadow attack. The company advises customers to ensure that the Spectre Variant 2 mitigations are enabled to prevent attacks.

The research paper also describes a browser-based attack that can be used to break the address space location randomization (ASLR) and kernel ASLR (KASLR) protections, which can be useful in an attack that requires exact address knowledge.

The researchers also identified a new way to exploit speculative dereferences, which enable direct data leakage via a Spectre attack. This attack also works against devices with AMD, ARM and IBM processors, and all of the impacted vendors have been notified.

Related: Many Siemens Products Affected by Foreshadow Vulnerabilities

Related: Microsoft Releases Intel Microcode Patches for Foreshadow Flaws

Related: Foreshadow/L1TF: What You Need to Know

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.