CacheOut – Another day, another CPU attack!

A team of researchers from the University of Michigan (Stephan van Schaik, Marina Minkin, Andrew Kwong and Daniel Genkin) and the University of Adelaide (Yuval Yarom) recently presented a new attack technique that targets Intel CPUs.

The attack, dubbed CacheOut (CVE-2020-0549), is a “speculative execution attack that is capable of leaking data from Intel CPUs across many security boundaries”.

According to the official website [1]:

We show that despite Intel’s attempts to address previous generations of speculative execution attacks, CPUs are still vulnerable, allowing attackers to exploit these vulnerabilities to leak sensitive data.

and also:

CacheOut is related to, and inspired by, previous work in speculative execution, including Spectre and Meltdown. Moreover, CacheOut bypasses the hardware mitigations released by Intel in response to Meltdown, thereby necessitating additional software fixes.

For more technical info, please read the researchers’ paper [5].


Which CPU models are vulnerable?

Currently, all Intel CPUs released before Q4 2018 are affected.

For a select number of processors released after Q4 2018, Intel inadvertently managed to partially mitigate this issue while addressing a previous issue called TSX Asynchronous Abort (TAA) [2].

A list of affected products can be found on Intel Developer Zone [3]:

| Family_Model | Stepping | Processor family/Processor number series | Affected |
|---|---|---|---|
| 06_55H | <=7 | First/Second generation Intel® Xeon® Processor Scalable Family based on Skylake/Cascade Lake microarchitecture | Yes |
| 06_4EH, 06_5EH | All | 6th generation Intel® Core™ processors and Intel® Xeon® processor E3-1500m v5 product family and E3-1200 v5 product family based on Skylake microarchitecture | Yes |
| 06_8EH | <=A | 7th/8th generation Intel® Core™ processors based on Kaby/Coffee Lake microarchitecture | Yes |
| 06_9EH | <=B | 7th/8th generation Intel® Core™ processors based on Kaby/Coffee Lake microarchitecture | Yes |
| 06_9EH | 0xC | Coffee Lake | Yes |
| 06_8EH | 0xB | 8th generation Intel® Core™ processors based on Whiskey Lake(ULT) | Yes |
| 06_8EH | 0xC | Whiskey Lake (ULT refresh) | Yes |
| 06_9EH | 0xD | Whiskey Lake (Desktop) | Yes |
| 06_8EH | C | 10th Generation Intel® Core™ processors based on Amber Lake Y | Yes |
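
As an added example (not code from Intel or from the original post), the Python below checks the vendor, family, model and stepping fields of a Linux /proc/cpuinfo dump against the rows of the table above. The sample cpuinfo text is constructed, the function names are hypothetical, and reading the Amber Lake Y stepping "C" as hexadecimal 0xC is an assumption.

```python
# Rows transcribed from the table above: (models, stepping rule, description).
# Rule: ("max", n) means "<= n", ("eq", n) one stepping, None means "All".
# Assumption: the bare "C" in the Amber Lake Y row is hexadecimal 0xC.
AFFECTED = [
    ({0x55}, ("max", 0x7), "Xeon Scalable (Skylake/Cascade Lake)"),
    ({0x4E, 0x5E}, None, "6th gen Core / Xeon E3 v5 (Skylake)"),
    ({0x8E}, ("max", 0xA), "7th/8th gen Core (Kaby/Coffee Lake)"),
    ({0x9E}, ("max", 0xB), "7th/8th gen Core (Kaby/Coffee Lake)"),
    ({0x9E}, ("eq", 0xC), "Coffee Lake"),
    ({0x8E}, ("eq", 0xB), "8th gen Core (Whiskey Lake ULT)"),
    ({0x8E}, ("eq", 0xC), "Whiskey Lake (ULT refresh)"),
    ({0x9E}, ("eq", 0xD), "Whiskey Lake (Desktop)"),
    ({0x8E}, ("eq", 0xC), "10th gen Core (Amber Lake Y)"),
]

# Constructed sample of the first logical CPU in /proc/cpuinfo (decimal values).
SAMPLE_CPUINFO = """\
processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model       : 142
model name  : Constructed Sample CPU
stepping    : 10
"""

def parse_cpuinfo(text):
    """Return (vendor, family, model, stepping) of the first logical CPU."""
    first = text.strip().split("\n\n")[0]
    fields = {}
    for line in first.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return (fields["vendor_id"], int(fields["cpu family"]),
            int(fields["model"]), int(fields["stepping"]))

def matching_rows(vendor, family, model, stepping):
    """Descriptions of every table row the CPU falls under ([] if none)."""
    if vendor != "GenuineIntel" or family != 6:
        return []
    hits = []
    for models, rule, label in AFFECTED:
        if model not in models:
            continue
        if rule is None or (rule[0] == "max" and stepping <= rule[1]) \
                or (rule[0] == "eq" and stepping == rule[1]):
            hits.append(label)
    return hits

if __name__ == "__main__":
    # On a live Linux host, pass open("/proc/cpuinfo").read() instead.
    print(matching_rows(*parse_cpuinfo(SAMPLE_CPUINFO)) or "not in the table")
```

An empty result only means the CPU is not in the rows transcribed here; Intel's list [3] remains the authoritative source.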

Is there a fix?

Intel has already provided CPU microcode updates [4]: more information can be found at Intel’s Software Guidance on L1D Eviction Sampling [3].
As usual, I suggest installing all software updates provided by your operating system and/or hypervisor vendor as soon as possible.


References

  1. CacheOut
  2. Deep Dive: Intel® Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort
  3. Processors Affected: L1D Eviction Sampling
  4. INTEL-SA-00329
  5. CacheOut: Leaking Data on Intel CPUs via Cache Evictions
