New ‘CacheOut’ Attack Targets Intel CPUs

Researchers have identified a new speculative execution type attack, dubbed CacheOut, that could allow attackers to trigger data leaks from most Intel CPUs. The more serious of the two bugs, revealed Monday, is rated medium severity by Intel, who said fixes for both flaws are on the way.

The more serious of the two CacheOut bugs, tracked as CVE-2020-0549, is a CPU vulnerability that allows an attacker to target data stored within the OS kernel, co-resident virtual machines and even within Intel’s Software Guard Extensions (SGX) enclave, a trusted execution environment on Intel processors.

“In this work we present CacheOut, a new microarchitectural attack that is capable of bypassing Intel’s buffer overwrite countermeasures,” wrote researcher Stephan van Schaik of the University of Michigan and colleagues in a research report made public Monday.

Those “countermeasures” refer to Intel’s mitigation efforts for prior speculative execution attacks RIDL, Fallout, and ZombieLoad. CacheOut is similarly a Microarchitectural Data Sampling (MDS) or Zombieload flaw. It comes on the heels of two separate MDS patches released this past May and November.

The CacheOut vulnerabilities impact users running CPUs released before Q4 2019, according to researchers. Also impacted are cloud providers, hypervisors and associated virtual machines. Researchers said CPUs made by IBM and ARM may also be affected.

In a security bulletin issued Monday, Intel clarified that the medium-severity vulnerability (CVE-2020-0549) “has little to no impact in virtual environments that have applied L1 Terminal Fault mitigations.”

Intel said patches to mitigate against CacheOut are forthcoming and that it will address the issue in the near future.

“Intel recommends that users of affected Intel Processors check with their system manufacturers and system software vendors and update to the latest microcode update when available,” according to the company.

Researchers also said that the vulnerability can be used to exploit an unmodified Linux kernel. “More specifically, we demonstrate attacks for breaking kernel address space layout randomization (KASLR) and recovering secret kernel stack canaries,” researcher wrote.

Intel is calls the flaw a “L1D Eviction Sampling issue”. L1 refers to the cache and pools of memory that contain the leak-able data. Intel said it is not aware of any related attacks exploiting the flaws.

“CacheOut demonstrates that [previous] this mitigation [are] incomplete, as we can force the victim’s data out of the L1-D Cache into the microarchitectural buffers after the operating system clears them. We then subsequently leak the contents of the buffers and obtain the victim’s data,” researchers wrote.

The second less severe flaw is being tracked as CVE-2020-0548, which has a CVSS rating of 2.8 or low. Intel describes the flaw as a Vector Register Sampling bug. “Cleanup errors in some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access,” according to the Intel advisory.