[VU:982149] Intel processors are vulnerable to a speculative execution side-channel attack called L1 Terminal Fault (L1TF)

Severity Medium

CVEs 3

Overview

Intel processors are vulnerable to one or more L1 data cache information disclosure and terminal fault attacks via a speculative execution side channel. These attacks are known as L1 Terminal Fault: SGX, L1 Terminal Fault: OS/SMM, and L1 Terminal Fault: VMM.

Impact

An attacker with the ability to execute arbitrary code, with or without root privileges, can infer the contents of operating system, application, or SMM memory (CVE-2018-3620), secure SGX enclave memory (CVE-2018-3615), or memory used by virtual machines on the same host as the attacker (CVE-2018-3646). Only some Intel processors are affected by these vulnerabilities. Please see INTEL-SA-00161 for details.

Solution

Apply BIOS and OS updates Only some Intel processors are impacted by CVE-2018-3615, as older ones are not SGX capable. Please see the full list of affected products here. Mitigating all three vulnerabilities requires microcode updates provided by Intel and are typically delivered by OEM vendors through BIOS updates. The status of available microcode can be found here. Mitigating CVE-2018-3620 (OS/SMM) requires updates to operating system software. Mitigating CVE-2018-3646 (VMM) requires updates to operating system and virtualization software. Disable Hyper-threading CVE-2018-3646 (VMM) can also be mitigated by disabling hyper-threading. If microcode, BIOS, OS, and virtualization software has been updated on both hosts and guests, it is not necessary to disable hyper-threading. Perform TCB Recovery Out of concern that an attacker could have compromised secret SGX keys using CVE-2018-3615, consider re-keying trusted computing base and SGX applications. This can be achieved by updating the BIOS and receiving an update from the application’s support team.

Acknowledgements

Credit goes to the following researchers for L1TF SGX:Jo Van Bulck of imec-DistriNet,KU Leuven,Marina Minkin of Technion,Ofir Weisse,Daniel Genkin,and Baris Kasikci of the University of Michigan,Frank Piessens of imec-DistriNet,KU Leuven,Mark Silberstein of Technion,Thomas F. Wenisch of the University of Michigan,Yuval Yarom of University of Adelaide and Data61,and Raoul Strackx of imec-DistriNet,KU Leuven. L1TF OS/SMM and L1TF VMM were found internally by Intel researchers after expanding on the research of L1TF SGX.

ID

VU:982149

Severity

medium

Severity from

CVE-2018-3615

URL

https://kb.cert.org/vuls/id/982149

Published

2018-08-15T13:03:53
(6 years ago)

Modified

2018-09-10T19:07:37
(6 years ago)

Rights

Other Advisories

Source	# ID	Name	URL
			https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html
			https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault
			https://foreshadowattack.eu/
			https://www.usenix.org/conference/usenixsecurity18/presentation/bulck
			https://www.intel.com/content/www/us/en/architecture-and-technology/l1tf.html
			https://www.intel.com/content/dam/www/public/us/en/documents/sa00115-microcode-update-guidance.pdf

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date