
Researchers Revive ‘Foreshadow’ Attack by Extending It Beyond L1 Cache

Researchers revealed late on Thursday that the mitigations and patches rolled out in 2018 for the Foreshadow vulnerabilities affecting Intel processors can fail to prevent attacks.

Foreshadow, also known as L1 Terminal Fault (L1TF), is the name assigned to three speculative execution flaws reported to Intel shortly after the disclosure in January 2018 of the notorious Meltdown and Spectre vulnerabilities.

Foreshadow is related to the exposure of the L1 data cache of an Intel processor to malicious processes. A malicious application installed on a system can exploit the vulnerabilities to obtain potentially sensitive data from the L1 data cache.

Intel and other companies whose products and infrastructure were affected by Foreshadow prepared patches and mitigations before disclosure.

Foreshadow revived

However, a team of researchers from the Graz University of Technology in Austria and the CISPA Helmholtz Center for Information Security have revived the Foreshadow attack and made some other interesting discoveries.

The researchers told SecurityWeek that they have been working on this project since 2018 and impacted vendors were notified more than a year ago. They published a research paper describing their findings on Thursday.

Specifically, they discovered that the Foreshadow attack can be extended beyond the L1 cache, which previously was believed to be impossible, and attacks can still work despite the existing mitigations. They showed that Foreshadow attacks can also target data in the L3 cache.

The researchers found that the assumptions made regarding countermeasures described in several academic papers over the past four years were incorrect. This has allowed them to revive Foreshadow and demonstrate that attacks can still be launched on older kernels patched against Foreshadow and with all mitigations enabled. On more recent kernels, the attack still works if the mitigations for the apparently unrelated Spectre Variant 2 vulnerability are disabled (i.e. nospectre_v2 passed as a boot flag).

“[The attack] works on older kernels regardless of the nospectre_v2 flag — that is until recently (I think kernel 5.4 is the first where we’ve seen Foreshadow-L3 stopping to work) it did not matter whether or not Spectre mitigations were enabled and/or Foreshadow mitigations were enabled, Foreshadow-L3 still works on these kernel versions,” Daniel Gruss, one of the researchers involved in this project, told SecurityWeek.

Intel does not plan on releasing additional mitigations for the Foreshadow attack. The company advises customers to ensure that the Spectre Variant 2 mitigations are enabled to prevent attacks.
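The following shell sketch shows one way to audit a Linux host for the condition described above. It is an added example, not code from the researchers, Intel or SecurityWeek. The function names are hypothetical; `spectre_v2=off` and `mitigations=off` are other kernel boot parameters that disable the same mitigations but are not mentioned in the article, and the status strings follow the Linux sysfs vulnerability files.

```shell
#!/bin/sh
# Added example: check that Spectre v2 mitigations have not been disabled
# at boot and that the kernel reports spectre_v2 and l1tf as mitigated.

# cmdline_disables_spectre_v2 CMDLINE
# Returns 0 if a boot parameter turns the Spectre v2 mitigations off.
cmdline_disables_spectre_v2() {
    case " $1 " in
        *" nospectre_v2 "*|*" spectre_v2=off "*|*" mitigations=off "*) return 0 ;;
    esac
    return 1
}

# sysfs_reports_vulnerable STATUS
# The sysfs status line begins with "Vulnerable" when no mitigation is active.
sysfs_reports_vulnerable() {
    case "$1" in
        Vulnerable*) return 0 ;;
    esac
    return 1
}

# assess CMDLINE SPECTRE_V2_STATUS L1TF_STATUS
# Prints a one-line verdict for the host.
assess() {
    if cmdline_disables_spectre_v2 "$1"; then
        echo "FAIL: boot parameter disables Spectre v2 mitigations"
    elif sysfs_reports_vulnerable "$2"; then
        echo "FAIL: kernel reports spectre_v2 as vulnerable"
    elif sysfs_reports_vulnerable "$3"; then
        echo "FAIL: kernel reports l1tf as vulnerable"
    else
        echo "OK: spectre_v2 and l1tf mitigations reported active"
    fi
}

# On a live Linux host, feed the real values into the check.
V=/sys/devices/system/cpu/vulnerabilities
if [ -r /proc/cmdline ] && [ -r "$V/spectre_v2" ]; then
    assess "$(cat /proc/cmdline)" \
           "$(cat "$V/spectre_v2")" \
           "$(cat "$V/l1tf" 2>/dev/null)"
fi
```

A FAIL verdict on a fleet host is worth tracing back to the bootloader configuration, since these parameters are sometimes added for performance tuning and then forgotten.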

The research paper also describes a browser-based attack that can be used to break the address space layout randomization (ASLR) and kernel ASLR (KASLR) protections, which can be useful in an attack that requires exact address knowledge.

The researchers also identified a new way to exploit speculative dereferences, which enable direct data leakage via a Spectre attack. This attack also works against devices with AMD, ARM and IBM processors, and all of the impacted vendors have been notified.

Related: Many Siemens Products Affected by Foreshadow Vulnerabilities

Related: Microsoft Releases Intel Microcode Patches for Foreshadow Flaws

Related: Foreshadow/L1TF: What You Need to Know

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
