Tuesday, January 28th 2020

CacheOut is the Latest Speculative Execution Attack for Intel Processors

Another day, another speculative execution vulnerability found inside Intel processors. This time we are getting a new vulnerability called "CacheOut", named after the exploitation's ability to leak data stored inside CPU's cache memory. Dubbed CVE-2020-0549: "L1D Eviction Sampling (L1Des) Leakage" in the CVE identifier system, it is rated with a CVSS score of 6.5. Despite Intel patching a lot of similar exploits present on their CPUs, the CacheOut attack still managed to happen.

The CacheOut steals the data from the CPU's L1 cache, and it is doing it selectively. Instead of waiting for the data to become available, the exploit can choose which data it wants to leak. The "benefit" of this exploit is that it can violate almost every hardware-based security domain meaning that the kernel, co-resident VMs, and SGX (Software Guard Extensions) enclaves are in trouble. To mitigate this issue, Intel provided a microcode update to address the shortcomings of the architecture and they recommended possible mitigations to all OS providers, so you will be protected once your OS maker releases a new update. For a full list of processors affected, you can see this list. Additionally, it is worth pointing out that AMD CPUs are not affected by this exploit.
Source: CacheOut
Add your own comment

77 Comments on CacheOut is the Latest Speculative Execution Attack for Intel Processors

#1
lexluthermiester
So the short summery;
This will effect any Intel CPU Skylake/Cascade Lake onward. Broadwell and earlier are safe.

Additionally, the following specifically states that physical admin access(authenticated local access) is required;
https://blogs.intel.com/technology/2020/01/ipas-intel-sa-00329/
An attack to exploit this vulnerability can not be rendered remotely, IE through a network share or web browser.
Posted on Reply
#2
R-T-B
lexluthermiester
So the short summery;
This will effect any Intel CPU Skylake/Cascade Lake onward. Broadwell and earlier are safe.

Additionally, the following specifically states that physical admin access(authenticated local access) is required;
https://blogs.intel.com/technology/2020/01/ipas-intel-sa-00329/
An attack to exploit this vulnerability can not be rendered remotely, IE through a network share or web browser.
Yep. You'll need to execute local priviledged code for this one. It is possible it could be used in a priveledge escalation attack but I have yet to see an example of that.

Do we have any idea what microcode addresses this on say, 9900k? Looking into this now, I guess.

EDIT: blog says it all. The microcode isn't done yet. The article is misleading.
Posted on Reply
#3
lynx29
Ryzen 4800x is still my upgrade path regardless. /shrug
Posted on Reply
#4
R-T-B
lynx29
Ryzen 4800x is still my upgrade path regardless. /shrug
AMD is my next upgrade too. I would've went Ryzen on this build but the 9900k is doing well enough for my needs and was quite the steal...
Posted on Reply
#5
lexluthermiester
lynx29
Ryzen 4800x is still my upgrade path regardless. /shrug
AMD is not affected by this one, AFAICD.
Posted on Reply
#6
Countryside
These vulnerabilitys keep on coming is there no end.
Posted on Reply
#8
Chomiq
Melvis

Beat me to it.

Come on Intel, you can do better.
Posted on Reply
#9
Yukikaze
Something interesting to note from the disclosure paper. Intel and AMD have literally paid them to find this:
We would like to thank Intel for working with us during the responsible disclosure.
This research was supported by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory (AFRL) under contract FA8750-19-C0531, by an Australian Research Council Discovery Early Career Researcher Award (project number DE200101577), and by generous gifts from Intel and AMD.


The way this is worded doesn't seem like it is a paid bug bounty (because then why does it say Intel and AMD, if AMD CPUs are not affected?), but rather some sort of a research grant to push the boundaries of security.

This shows AMD and Intel are taking this research seriously to improve security.
Posted on Reply
#10
Vayra86
No amount of patchwork will completely fix these leaks. They exist on such a basic level there will probably always be some way to get past any sort of bandaid fix. Intel said as much when the first leaks came out, too. Let's be realistic about it :)

The more interesting part of it is that Intel actually still keeps selling leaky architecture to us, I mean Cascade Lake isn't exactly ancient. Gotta keep that money rollin' ey

But... they're taking it seriously :roll::roll::roll: Business as usual and made a record year... guess what. The memo we gave them since those leaks is that we also really don't give a shit and buy Intel regardless. We're helpless really.
Posted on Reply
#11
ShurikN
This is kinda getting ridiculous at this point. It's like the 20th vulnerability they've had in 2 years or so...

Which I wouldn't care about at all, but every one of them brings a microcode and/or windows patch which more often than not decreases performance. Half percent here, half percent there, add everything up and suddenly my CPU is no longer performing at 100%. And I paid good money for a 100% performing CPU.
Posted on Reply
#12
londiste
lexluthermiester
So the short summery;
This will effect any Intel CPU Skylake/Cascade Lake onward. Broadwell and earlier are safe.

Additionally, the following specifically states that physical admin access(authenticated local access) is required;
https://blogs.intel.com/technology/2020/01/ipas-intel-sa-00329/
An attack to exploit this vulnerability can not be rendered remotely, IE through a network share or web browser.
Still reading the paper but:
- They do seem to mount an attack from unprivileged users.
- HT helps the attack but it works without HT as well.
- They recommend turning off TSX as that is effective against CacheOut.

Edit:
OK, it seems that TAA is an integral step in CacheOut, so they are attacking a different target but still using TAA to get the data out. Makes sense that disabling TSX would work against this.
Posted on Reply
#13
Chomiq
Yukikaze
Something interesting to note from the disclosure paper. Intel and AMD have literally paid them to find this:
We would like to thank Intel for working with us during the responsible disclosure.
This research was supported by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory (AFRL) under contract FA8750-19-C0531, by an Australian Research Council Discovery Early Career Researcher Award (project number DE200101577), and by generous gifts from Intel and AMD.


The way this is worded doesn't seem like it is a paid bug bounty (because then why does it say Intel and AMD, if AMD CPUs are not affected?), but rather some sort of a research grant to push the boundaries of security.

This shows AMD and Intel are taking this research seriously to improve security.
Darpa and air force funding also might indicate potential use for intelligence application.
Posted on Reply
#14
MyTechAddiction
Another month , another Intel CPU hardware vulnerability.:nutkick:
Posted on Reply
#15
Totally
Man, I wonder how Intel fanbois are holding up being unable to remark about bug ridden AMD CPUs are .
Posted on Reply
#16
KarymidoN
Totally
Man, I wonder how Intel fanbois are holding up being unable to remark about bug ridden AMD CPUs are .
Denial and "We have better FPS and higher clocks"
Posted on Reply
#17
Vayra86
Totally
Man, I wonder how Intel fanbois are holding up being unable to remark about bug ridden AMD CPUs are .
Do those even exist in 2020?
Posted on Reply
#18
EarthDog
Totally
Man, I wonder how Intel fanbois are holding up being unable to remark about bug ridden AMD CPUs are .
Cant say I'm a fanboy but owning an Intel ID(ont)GAF.

The overwhelming majority of these dont really affect most home users in the first place (and then most are elevated access, no?). I guess some would call it perspective...

Nice crack at flamebait, though...
Posted on Reply
#19
btarunr
Editor & Senior Moderator
EarthDog
Cant say I'm a fanboy but owning an Intel ID(ont)GAF.

The overwhelming majority of these dont really affect most home users in the first place (and then most are elevated access, no?). I guess some would call it perspective...

Nice crack at flamebait, though...
I guess the problem people have with new CVE discoveries is not that their Intel-powered PC is less safe. It's that the subsequent mitigation shoved down their throats by MS or Intel will inevitably chip away at performance.
Posted on Reply
#20
EarthDog
btarunr
I guess the problem people have is not that their Intel-powered PC is less safe. It's that the mitigation shoved down their throats by MS or Intel will inevitably chip away at performance.
Indeed and agreed...my issue is more at the flamebait than anything (but is seems that is OK?). ;)

EDIT: Meanwhile, I will continue to patch and be 'safer' all the while not noticing (outside of benchmarks) the few % this is slower in some tasks.
Posted on Reply
#21
lexluthermiester
Chomiq
Come on Intel, you can do better.
There is no one to blame. Like all of the vulnerabilities found in CPU's in the past few years, Intel created a CPU function that was intended to be of benefit. They had no expectation or foresight that it would be used in such a way.

londiste
- They do seem to mount an attack from unprivileged users.
That is incorrect.
Posted on Reply
#22
londiste
Seems like this issue should be negated by turning off TSX, which is barely used even in servers much less on desktop. The problem is that for turning that off, the option to do that needs to be exposed and it isn't. Firmware fixes for TAA should include a way to turn that off and be done with.

lexluthermiester
That is incorrect.
From introductory parts:
[quote=https://cacheoutattack.com/CacheOut.pdf"]Beyond proof-of-concept ex-ploits]Description of what they refer to seems to be 5. Cross Process Attacks (on page 9).
Posted on Reply
#23
Octavean
They are really getting creative with these exploit names, “CacheOut”.

I own both Intel and AMD platforms. I take no solace in the notion that AMD is somehow inherently more secure. The Intel architecture has been around longer and has been prevalent. So the cracks are showing. In due time we may start to see more of the same with AMD.

I mean I hope not but you never know,....
Posted on Reply
#24
Object55
At this point AMD just poking body with a stick.
Posted on Reply
#25
Unregistered
The compromises Intel made in the past for speed is still catching up with them. Desktops may not matter much, but the amount of additional attack vectors on their servers this is creating will probably be never be fully known as many more will probably never be seen above closely guarded secrets.
Add your own comment