• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.
  • The forums have been upgraded with support for dark mode. By default it will follow the setting on your system/browser. You may override it by scrolling to the end of the page and clicking the gears icon.

CacheOut is the Latest Speculative Execution Attack for Intel Processors

AleksandarK

AleksandarK

News Editor
Staff member
Joined
Aug 19, 2017
Messages
3,146 (1.10/day)
Another day, another speculative execution vulnerability found inside Intel processors. This time we are getting a new vulnerability called "CacheOut", named after the exploitation's ability to leak data stored inside CPU's cache memory. Dubbed CVE-2020-0549: "L1D Eviction Sampling (L1Des) Leakage" in the CVE identifier system, it is rated with a CVSS score of 6.5. Despite Intel patching a lot of similar exploits present on their CPUs, the CacheOut attack still managed to happen.

The CacheOut steals the data from the CPU's L1 cache, and it is doing it selectively. Instead of waiting for the data to become available, the exploit can choose which data it wants to leak. The "benefit" of this exploit is that it can violate almost every hardware-based security domain meaning that the kernel, co-resident VMs, and SGX (Software Guard Extensions) enclaves are in trouble. To mitigate this issue, Intel provided a microcode update to address the shortcomings of the architecture and they recommended possible mitigations to all OS providers, so you will be protected once your OS maker releases a new update. For a full list of processors affected, you can see this list. Additionally, it is worth pointing out that AMD CPUs are not affected by this exploit.


View at TechPowerUp Main Site
 
So the short summery;
This will effect any Intel CPU Skylake/Cascade Lake onward. Broadwell and earlier are safe.

Additionally, the following specifically states that physical admin access(authenticated local access) is required;

IPAS: INTEL-SA-00329

Update (2/19/2020): Microcode updates that address this issue have been provided to Original Equipment Manufacturers (OEMs). Please check with your system provider on the availability of these updates for your system. Click HERE for a list of OEM support sites. Hello, Today we released...
blogs.intel.com
An attack to exploit this vulnerability can not be rendered remotely, IE through a network share or web browser.
 
lexluthermiester said:
So the short summery;
This will effect any Intel CPU Skylake/Cascade Lake onward. Broadwell and earlier are safe.

Additionally, the following specifically states that physical admin access(authenticated local access) is required;

IPAS: INTEL-SA-00329

Update (2/19/2020): Microcode updates that address this issue have been provided to Original Equipment Manufacturers (OEMs). Please check with your system provider on the availability of these updates for your system. Click HERE for a list of OEM support sites. Hello, Today we released...
blogs.intel.com
An attack to exploit this vulnerability can not be rendered remotely, IE through a network share or web browser.
Click to expand...

Yep. You'll need to execute local priviledged code for this one. It is possible it could be used in a priveledge escalation attack but I have yet to see an example of that.

Do we have any idea what microcode addresses this on say, 9900k? Looking into this now, I guess.

EDIT: blog says it all. The microcode isn't done yet. The article is misleading.
 
Ryzen 4800x is still my upgrade path regardless. /shrug
 
lynx29 said:
Ryzen 4800x is still my upgrade path regardless. /shrug
Click to expand...

AMD is my next upgrade too. I would've went Ryzen on this build but the 9900k is doing well enough for my needs and was quite the steal...
 
These vulnerabilitys keep on coming is there no end.
 
Last edited:
tenor.gif
 
Something interesting to note from the disclosure paper. Intel and AMD have literally paid them to find this:
We would like to thank Intel for working with us during the responsible disclosure.
This research was supported by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory (AFRL) under contract FA8750-19-C0531, by an Australian Research Council Discovery Early Career Researcher Award (project number DE200101577), and by generous gifts from Intel and AMD.

The way this is worded doesn't seem like it is a paid bug bounty (because then why does it say Intel and AMD, if AMD CPUs are not affected?), but rather some sort of a research grant to push the boundaries of security.

This shows AMD and Intel are taking this research seriously to improve security.
 
No amount of patchwork will completely fix these leaks. They exist on such a basic level there will probably always be some way to get past any sort of bandaid fix. Intel said as much when the first leaks came out, too. Let's be realistic about it :)

The more interesting part of it is that Intel actually still keeps selling leaky architecture to us, I mean Cascade Lake isn't exactly ancient. Gotta keep that money rollin' ey

But... they're taking it seriously :roll::roll::roll: Business as usual and made a record year... guess what. The memo we gave them since those leaks is that we also really don't give a shit and buy Intel regardless. We're helpless really.
 
This is kinda getting ridiculous at this point. It's like the 20th vulnerability they've had in 2 years or so...

Which I wouldn't care about at all, but every one of them brings a microcode and/or windows patch which more often than not decreases performance. Half percent here, half percent there, add everything up and suddenly my CPU is no longer performing at 100%. And I paid good money for a 100% performing CPU.
 
lexluthermiester said:
So the short summery;
This will effect any Intel CPU Skylake/Cascade Lake onward. Broadwell and earlier are safe.

Additionally, the following specifically states that physical admin access(authenticated local access) is required;

IPAS: INTEL-SA-00329

Update (2/19/2020): Microcode updates that address this issue have been provided to Original Equipment Manufacturers (OEMs). Please check with your system provider on the availability of these updates for your system. Click HERE for a list of OEM support sites. Hello, Today we released...
blogs.intel.com
An attack to exploit this vulnerability can not be rendered remotely, IE through a network share or web browser.
Click to expand...
Still reading the paper but:
- They do seem to mount an attack from unprivileged users.
- HT helps the attack but it works without HT as well.
- They recommend turning off TSX as that is effective against CacheOut.

Edit:
OK, it seems that TAA is an integral step in CacheOut, so they are attacking a different target but still using TAA to get the data out. Makes sense that disabling TSX would work against this.
 
Last edited:
Yukikaze said:
Something interesting to note from the disclosure paper. Intel and AMD have literally paid them to find this:
We would like to thank Intel for working with us during the responsible disclosure.
This research was supported by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory (AFRL) under contract FA8750-19-C0531, by an Australian Research Council Discovery Early Career Researcher Award (project number DE200101577), and by generous gifts from Intel and AMD.

The way this is worded doesn't seem like it is a paid bug bounty (because then why does it say Intel and AMD, if AMD CPUs are not affected?), but rather some sort of a research grant to push the boundaries of security.

This shows AMD and Intel are taking this research seriously to improve security.
Click to expand...
Darpa and air force funding also might indicate potential use for intelligence application.
 
Another month , another Intel CPU hardware vulnerability.:nutkick:
 
Man, I wonder how Intel fanbois are holding up being unable to remark about bug ridden AMD CPUs are .
 
Totally said:
Man, I wonder how Intel fanbois are holding up being unable to remark about bug ridden AMD CPUs are .
Click to expand...

Denial and "We have better FPS and higher clocks"
 
Totally said:
Man, I wonder how Intel fanbois are holding up being unable to remark about bug ridden AMD CPUs are .
Click to expand...

Do those even exist in 2020?
 
Totally said:
Man, I wonder how Intel fanbois are holding up being unable to remark about bug ridden AMD CPUs are .
Click to expand...
Cant say I'm a fanboy but owning an Intel ID(ont)GAF.

The overwhelming majority of these dont really affect most home users in the first place (and then most are elevated access, no?). I guess some would call it perspective...

Nice crack at flamebait, though...
 
Last edited:
EarthDog said:
Cant say I'm a fanboy but owning an Intel ID(ont)GAF.

The overwhelming majority of these dont really affect most home users in the first place (and then most are elevated access, no?). I guess some would call it perspective...

Nice crack at flamebait, though...
Click to expand...

I guess the problem people have with new CVE discoveries is not that their Intel-powered PC is less safe. It's that the subsequent mitigation shoved down their throats by MS or Intel will inevitably chip away at performance.
 
btarunr said:
I guess the problem people have is not that their Intel-powered PC is less safe. It's that the mitigation shoved down their throats by MS or Intel will inevitably chip away at performance.
Click to expand...
Indeed and agreed...my issue is more at the flamebait than anything (but is seems that is OK?). ;)

EDIT: Meanwhile, I will continue to patch and be 'safer' all the while not noticing (outside of benchmarks) the few % this is slower in some tasks.
 
Last edited:
Chomiq said:
Come on Intel, you can do better.
Click to expand...
There is no one to blame. Like all of the vulnerabilities found in CPU's in the past few years, Intel created a CPU function that was intended to be of benefit. They had no expectation or foresight that it would be used in such a way.

londiste said:
- They do seem to mount an attack from unprivileged users.
Click to expand...
That is incorrect.
 
Seems like this issue should be negated by turning off TSX, which is barely used even in servers much less on desktop. The problem is that for turning that off, the option to do that needs to be exposed and it isn't. Firmware fixes for TAA should include a way to turn that off and be done with.

lexluthermiester said:
That is incorrect.
Click to expand...
From introductory parts:
https://cacheoutattack.com/CacheOut.pdf said:
Beyond proof-of-concept ex-ploits, we also demonstrate highly practical attacks against theLinux kernel, all mounted from unprivileged user processes
Click to expand...
Description of what they refer to seems to be 5. Cross Process Attacks (on page 9).
 
Last edited:
They are really getting creative with these exploit names, “CacheOut”.

I own both Intel and AMD platforms. I take no solace in the notion that AMD is somehow inherently more secure. The Intel architecture has been around longer and has been prevalent. So the cracks are showing. In due time we may start to see more of the same with AMD.

I mean I hope not but you never know,....
 
You must log in or register to reply here.
Back
Top