Intel information about two new vulnerabilities in Intel CPUs caused by data leakage from the L1D cache (, L1DES - L1D Eviction Sampling) and vector registers (, VRS - Vector Register Sampling). Vulnerabilities belong to the class (Microarchitectural Data Sampling) and are based on the application of third-party analysis methods to data in microarchitectural structures. AMD, ARM and other processors are not affected.
The most dangerous is the L1DES vulnerability, which settling blocks of cached data (cache line), ousted from the cache of the first level (L1D), in the fill buffer (Fill Buffer), which at this stage should be empty. To determine the data settled in the padding buffer, the methods of analysis through third-party channels, previously proposed in attacks, are applicable. (Microarchitectural Data Sampling) and (Transactional Asynchronous Abort). The essence of the previously implemented protection against
MDS and TAA in flushing microarchitecture buffers before a context switch, but as it turns out, under some conditions, data is speculatively flushed into buffers after a flush operation, so the MDS and TAA methods remain applicable.
As a result, an attacker can achieve the determination of data evicted from the cache of the first level, which were changed during the execution of an application that previously occupied the current CPU core, or applications running in parallel in other logical threads (hyperthread) on the same CPU core (disabling HyperThreading reduces to no attack efficiency). Unlike an attack , L1DES does not allow you to select specific physical addresses to check, but it makes it possible to passively monitor activity in other logical threads related to loading or saving values ββto memory.
Based on L1DES, various research teams have developed several attack variants that potentially extract sensitive information from other processes, the operating system, virtual machines, and protected SGX enclaves.
- VUSec Team RIDL attack method for the L1DES vulnerability. Available , which, among other things, bypasses Intel's proposed method of protecting against MDS, based on the use of the VERW instruction to clear the contents of microarchitectural buffers at the time of returning from the kernel to user space or when control is transferred to the guest system (the researchers initially insisted that VERW (clearing microarchitectural buffers) for protection is not enough and a complete flush of the L1 cache is required on every context switch).
- Team updated its taking into account the L1DES vulnerability.
- Researchers at the University of Michigan have developed their own attack method () that allows you to extract confidential information from the operating system kernel, virtual machines and protected SGX enclaves. The method is based on with a mechanism for asynchronous interrupt operations (TAA, TSX Asynchronous Abort) to determine the contents of the fill buffer after leaking data from the L1D cache.
Second VRS Vulnerability (Vector Register Sampling) with a leak into the storage buffer (Store Buffer) of the results of read operations from vector registers modified during the execution of vector instructions (SSE, AVX, AVX-512) on the same CPU core. A leak occurs under a rather rare set of circumstances and is caused by the fact that a speculatively performed operation that leads to the reflection of the state of vector registers in the storage buffer is late and ends after the buffer is cleared, and not before it. Similar to the L1DES vulnerability, the contents of the storage buffer can then be determined using MDS and TAA attack methods.
Researchers from the VUSec group , which allows you to determine the values ββof vector registers obtained as a result of calculations in another logical thread of the same CPU core. Intel vulnerability VRS as too complex for real attacks and assigned a minimum severity level (2.8 CVSS).
The issues were reported to Intel in May 2019 by the Zombieload team at the Technical University of Graz (Austria) and the VUSec team at the Free University of Amsterdam, and later, after analyzing other MDS attack vectors, the vulnerabilities were confirmed by some other researchers. L1DES and VRS issues were not included in the first MDS report due to a missing fix. The fix is ββnot yet available, but the agreed non-disclosure period has expired.
As a workaround, it is recommended to disable HyperThreading. To block the vulnerability on the kernel side, it is proposed to flush the L1 cache on each context switch (MSR bit MSR_IA32_FLUSH_CMD) and disable the TSX extension (MSR bits MSR_IA32_TSX_CTRL and MSR_TSX_FORCE_ABORT).
Intel release a microcode update with the implementation of mechanisms to block problems in the near future. Intel also notes that the use of attack protection methods proposed in 2018 (L1 Terminal Fault) allows you to block the exploitation of the L1DES vulnerability from virtual environments. Attack Intel Core processors starting from the sixth generation (Sky, Kaby, Coffee, Whiskey, Amber Lake, etc.), as well as some Intel Xeon and Xeon Scalable models.
Additionally, it can be noted , which allows you to apply attack methods to determine the contents of the root password hash from /etc/shadow during periodic authentication attempts. If the originally proposed exploit determined the password hash for , and after applying the leak during the operation of the asynchronous abort operations mechanism (TAA, TSX Asynchronous Abort) performed a similar operation for , the new variant makes an attack in 4 seconds.
Source: opennet.ru