CacheOut/L1DES – New Speculative Execution Attack Affecting Intel CPUs (CVE-2020-0549)
CVE Number – CVE-2020-0549
Intel has advised customers that researchers have identified another speculative execution attack method that can be launched against systems that use Intel processors.
CacheOut is a new speculative execution attack that is capable of leaking data from Intel CPUs across many security boundaries. Despite Intel’s attempts to address previous generations of speculative execution attacks, CPUs are still vulnerable, allowing attackers to exploit these vulnerabilities to leak sensitive data.
Moreover, unlike previous MDS issues, an attacker can exploit the CPU’s caching mechanisms to select what data to leak, as opposed to waiting for the data to be available. CacheOut can violate nearly every hardware-based security domain, leaking data from the OS kernel, co-resident virtual machines, and even SGX enclaves.
CacheOut violates the operating system’s privacy by extracting information from it that facilitates other attacks, such as buffer overflow attacks.
More specifically, modern operating systems employ Kernel Address Space Layout Randomization (KASLR) and stack canaries. KASLR randomizes the location of the data structures and code used by the operating system, such that the location is unknown to an attacker. Stack canaries put secret values on the stack to detect whether an attacker has tampered with the stack. CacheOut extracts this information from the operating system, essentially enabling full exploitation via other software attacks, such such as buffer overflow attacks.
CacheOut is related to, and inspired by, previous work in speculative execution, including Spectre and Meltdown. Moreover, CacheOut bypasses the hardware mitigations released by Intel in response to Meltdown, thereby necessitating additional software fixes.
Intel assigned CVE-2020-0549: “L1D Eviction Sampling (L1Des) Leakage” with a CVSS score 6.5 Medium to this vulnerability.
Intel has provided CPU microcode updates, along with recommendations for mitigation strategies for operating system (and hypervisor) software.
More information can be found at Intel’s Software Guidance on L1D Eviction Sampling and Intel’s Security Advisory (SA-00329). We recommend that you install the software updates provided by your operating system and/or hypervisor vendor.
A list of affected products can be found here.
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.