Foreshadow: Speculative Execution Attack Targets Intel SGX

A flaw in Intel’s Software Guard Extensions implementation allows an attacker to access data stored in memory of other applications running on the same host, without the need for privilege escalation.

Background

Researchers discovered a flaw in Intel’s Software Guard Extensions (SGX) implementation that opens up a new speculative execution attack called Foreshadow (CVE-2018-3615). In addition, Intel has discovered variants allowing for Foreshadow attacks against microprocessors, system management mode (SMM) code, operating systems and Hypervisor software. These variants have been dubbed Foreshadow-NG (CVE-2018-3620 and CVE-2018-3646).

Collectively, Intel has labeled all of the speculative execution side channel vulnerabilities as L1 Terminal Faults (L1TF). Red Hat Enterprise Linux, Microsoft and other vendors have adopted this name for Foreshadow and Foreshadow-NG.

Vulnerability details

Foreshadow allows an attacker to access the data stored in memory of other applications running on the same host without needing any privilege escalation. This enables the attacker to gain access to sensitive files, data, passwords, keys, etc. The proof-of-concept code for Foreshadow has not been released and researchers suspect there wouldn’t be a way to detect exploitation, should it happen.

Foreshadow-NG allows an attacker to access memory on any Virtual Machine hosted on the same cloud, making it a high-severity issue. According to the Foreshadow researcher’s abstract: “Foreshadow-NG is the first transient execution attack that fully escapes the virtual memory sandbox.” This also includes cloud environments, which could potentially mean asset owners are at risk from their digital neighbors. To make matters worse, the way SGX has been implemented, a single SGX-compromised machine can result in the entire ecosystem becoming tainted.

Based on the information currently available, AMD/ARM-based processors are believed to be unaffected by this flaw, as they don’t implement SGX.

Urgently required actions

We highly recommend reviewing and installing security updates from your operating system and virtualization vendors. Microsoft and Red Hat have released updates to mitigate the flaws in multiple ways and to different extents. These approaches include flushing of sensitive data, rendering sensitive data inaccessible, enhancing isolation between virtual processors and other strategies.

Identifying affected systems

A live list of plugins can be found here. As new plugins are developed for respective systems, that list will update.

Learn more:

• Foreshadow Publication
• Red Hat Advisory
• Microsoft Advisory
• Intel Advisory
• Cisco Advisory

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.