Foreshadow/L1TF Intel Processor Vulnerabilities: What You Need to Know

Microsoft’s Patch Tuesday for August includes an update that fixes Foreshadow and Foreshadow-NG (aka L1 Terminal Fault or L1TF), security flaws affecting the speculative execution feature of Intel CPUs, similar to the Spectre and Meltdown vulnerabilities. Microsoft and Intel have also released security advisories detailing mitigations against Foreshadow.

Here’s what you need to know:

What is Foreshadow?

Foreshadow and Foreshadow-NG are speculative execution side-channel vulnerabilities. Intel CPUs have the Security Guard Extensions (SGX) feature that’s designed to protect the privacy and integrity of data and application code from attacks or processes running with high privileges. SGX is also supported in cloud infrastructures.

According to its researchers, Foreshadow entails a flaw in SGX’s implementation. Successfully exploiting this vulnerability can let attackers access, read, and extract SGX-protected data residing in the CPU’s enclaves (that is, SGX-protected memory).

[RELATED: What you need to know about the Meltdown and Spectre vulnerabilities]

Security researchers and Intel also identified two variations of Foreshadow, collectively named Foreshadow-NG by the researchers and L1 Terminal Fault or L1TF (alongside Foreshadow itself) by the company. Successfully exploiting these flaws can let attackers read, access, and extract data residing in the operating system (OS) kernel and system management mode (SMM) memory running on Intel processors. Foreshadow-NG/L1TF can also let hackers access data stored on virtual machines (VMs) and hypervisors running on cloud services.

These critical vulnerabilities are assigned the following CVE identifiers:

  • CVE-2018-3615 (Foreshadow): affects the SGX
  • CVE-2018-3620 (Foreshadow-NG/L1TF): affects the OS and the SMM
  • CVE-2018-3646 (Foreshadow-NG/L1TF): affects VMs and hypervisors

[READ: A technical analysis of Meltdown and Spectre vulnerabilities]

What’s the impact of Foreshadow and Foreshadow-NG/L1TF?

The vulnerabilities affect systems and cloud workloads whose infrastructures run on Intel’s Core and Xeon CPUs (a list of which is provided by Intel). Processors from Advanced Micro Devices     (AMD) and those based on the Advanced RISC Machine (ARM) architecture are not affected. Intel said that its upcoming next-generation enterprise (Xeon Scalable) and client processors, which will be launched within the year, will not be affected.

Given how the vulnerabilities can also affect virtualization environments and cloud infrastructures, the adverse impact can leave millions affected. For one thing, the researchers cited how SGX is used by Netflix (for its video streaming services), cryptocurrencies, and blockchain technologies. The vulnerabilities can let attackers, for instance, access passwords and encryption keys stored in the CPU’s enclaves.

[From TrendLabs Security Intelligence: Detecting attacks that exploit Meltdown and Spectre with Performance Counters]

How does Foreshadow work?

Foreshadow and Foreshadow-NG/L1TF involve the Intel CPU’s raising a terminal fault in cases such as when a virtual address is translated into a physical one (e.g., when a page not present in memory is accessed). An exception is raised, but if the L1 cache still contains data from a referenced address, the data can still be read out as part of the speculation code window. 

According to Intel’s specification, when any code outside of an enclave tries to read the enclave memory, it gets the value -1. Additionally, the content of the enclave memory is encrypted and decrypted during transfer between CPU and memory. Unfortunately, when Terminal Exception is raised during virtual memory address translation, and data from previous code execution remains in L1 cache, the result of the reading will not be -1, but the content of the cache. A more tangible example of this is Foreshadow, which, via speculatively executed code, can let an attacker, say, read the private key of a user’s cryptocurrency wallet from the CPU cache. 

The security researchers who discovered the vulnerabilities also demonstrated ways to increase the speed and reliability of extracted data by exploiting another weakness in CPU architecture. This can lead to a 98.61-percent probability of extracting SGX-protected data for root user using Transactional Synchronization Extensions (TSX) instructions.

[Best Practices: A checklist for securing virtual machines and containers]

Are the vulnerabilities fixed?

Yes. Apart from the fixes released by Intel and Microsoft, cloud service providers also released their own mitigations and patches. Amazon Web Services (AWS) announced that it has updated its relevant kernel (ALAS-2018-1058) while Google Cloud and Oracle also put out their own advisories. Microsoft Azure also issued mitigation guidance for Azure cloud services and Linux and Windows VMs. Patches are also available for the Linux kernel.

The security researchers who uncovered the vulnerabilities also set up a website containing full technical details, documentation, and FAQs on Foreshadow and Foreshadow-NG.

Updated Aug. 15, 2018, 10:22 p.m., to include further information on Foreshadow (with additional insights by Vit Sembera, Trend Micro Cyber Safety Solutions Team).


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.