Summary:
Intel(R) Processors suffer from information disclosure vulnerability via Cache Evictions named as CacheOut Vulnerability. An issue was discovered in Intel processors due to Cleanup errors in some data cache evictions that allow an authenticated user to potentially enable information disclosure via local access.
This was assigned under CVE-2020-0549.
Description:
Recently, researchers have discovered vulnerability with threat level of “Medium” named CacheOut vulnerability affecting Intel CPUs that allows an attacker to target more specific data, even stored within Intel’s secured SGX enclave. CacheOut is another in the line of side-channel exploits that have targeted Intel processors that takes advantage of flaws in Intel’s architecture to attack data as it moves though various data buffers. The data is being evicted from the CPU L1 cache, it is often transferred back to the leaky CPU buffers where it can be recovered by the attacker.
According to researchers , it was discovered that the contents of these buffers can be dumped via assisting or faulting load instructions,bypassing the CPU’s address and permission checks. Using these techniques, an attacker can sample data as it transits through the internal buffers, without the need to match the address of the faulting or assisting load with the address of the data or even its address space. CacheOut can breach nearly every hardware-based security domain, can leak data from the OS kernel, co-resident virtual machines, and SGX enclaves. More details of the Vulnerability can be found here.
According to the reports as per CacheOut, “AMD processors are not affected by CacheOut vulnerability. Arm and IBM do have a feature similar to Intel TSX, but we are currently unaware of whether any of their products are affected. We are also unaware of any other attack vectors to exploit CacheOut.” No public poc has been released till now.
Affected Products:
Virtually all Intel processors are potentially affected by CacheOut. Intel(R) has listed a out a list of affected processors here.
Mitigation:
Van Schaik and the other researchers suggested that CacheOut could be mitigated by disabling hyperthreading or disabling TSX within Intel’s processors. Intel(R) has officialy released security advisory for the Vulnerability. Intel expects to release microcode updates for affected processors which will mitigate the L1D eviction sampling issue soon.
Qualys customers can use QID: 43113,115048,43566 to detect vulnerable assets. Please continue to follow on Qualys Threat Protection for more coverage on these vulnerabilities.
References & Sources:
- https://cacheoutattack.com/CacheOut.pdf
- https://software.intel.com/security-software-guidance/insights/processors-affected-l1d-eviction-sampling
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00329.html