Three newly discovered speculative execution vulnerabilities found in Intel CPUs may turn out to be more serious than their Spectre and Meltdown cousins, because this time the side-channel attack bugs affect microprocessors that support Intel Software Guard Extensions, as well as virtual machines running on the same third-party cloud as the susceptible device.

The new family of Spectre-like flaws, dubbed Foreshadow (CVE-2018-3615) and Foreshadow-NG (CVE-2018-3620 and CVE-2018-3646), were independently uncovered by two separate research teams — one from imec-DistriNet-KU Leuven in Belgium, and the other from Technion – Israel Institute of Technology, the University of Michigan, and University of Adelaide and CSIRO’s Data61 in Australia.

In its own security update, Intel more plainly refers to the trio of bugs as L1 Terminal Fault (L1TF) vulnerabilities, because they can result in unauthorized disclosure of information residing in the L1 data cache

The original Foreshadow, considered a high-severity vulnerability with a CVSS score of 7.9, is significant because attackers using this method can actually penetrate SGX, a feature in modern Intel CPUs that protects user data, even if the entire system around is hijacked, by allocating it to a protected private area called an enclave.

“Foreshadow demonstrates how speculative execution can be exploited for reading the contents of SGX-protected memory as well as extracting the machine’s private attestation key,” states the researchers on a webpage containing two separate reports [1, 2] on the vulnerabilities. “Making things worse, due to SGX’s privacy features, an attestation report cannot be linked to the identity of its signer. Thus, it only takes a single compromised SGX machine to erode trust in the entire SGX ecosystem.”

The two Foreshadow-NG (Next Generation) flaws (both high-severity with a CVSS score of 7.1) are described by the researchers as two related applications of L1TF that can threaten information belonging to the System Management Mode (SMM), the OS’s kernel, or the hypervisor. “Perhaps most devastating, Foreshadow-NG might also be used to read information stored in other virtual machines running on the same third-party cloud, presenting a risk to cloud infrastructure,” the researchers warn. Moreover, a Foreshadow-NG attack could in certain cases allow malicious actors to bypass already established mitigations used against Meltdown and Spectre.

According to an advisory from the CERT/CC at Carnegie Mellon’s Software Engineering Institute, Foreshadow can be mitigated “by using the latest microcode update provided by Intel to platform manufacturers and given to users through BIOS updates,” while the Foreshadow-NG bugs can be fixed “with a microcode and BIOS update in conjunction with operating and virtualization system updates.” 

“What’s interesting about the Intel disclosure is that researchers simply followed the thread left by Spectre and Meltdown. This isn’t a completely new class of vulnerabilities,” said Matthew Chiodi, VP of cloud security at RedLock, in emailed comments. “This means that while Intel is not officially aware of any exploits that take advantage of this today, certainly advanced nation states have been working on them. Interestingly enough, back in June the OpenBSD project announced plans to disable support for Intel CPU hyper-threading due to security concerns around more Spectre-class bugs. Their announcement has proved prescient.”