Defending Against 'Foreshadow' Intel CPU Attacks: What You Need to Do

Enterprise IT system administrators will soon have to implement fixes to the newly revealed Intel L1 Terminal Fault vulnerability, also known as Foreshadow, which can affect systems through leakage of data through a processor’s level 1 cache or Intel’s security enclaves in protected memory.

There are three closely related versions of the L1TF, all of which arise through misuse of a processor’s speculative execution functions. Most modern processors use speculative execution, which execute a command that’s most likely to come next in a series of instructions as a way to speed up operations. However, speculative execution leaves traces to the contents of protected memory that can be exploited using sophisticated malware.

When protecting your data center against this flaw, the most important takeaway is that these attacks can occur through hypervisors supporting virtualized systems, such as VMware and Microsoft Hyper-V. Most modern Intel processors, up to and including current 8th generation Core and Xeon CPUs, exhibit this flaw. Fixing it requires microcode and operating system updates to the affected machines.

System manufacturers have been releasing microcode updates since March. Microsoft has been including fixes in Windows Update, and several Linux distributions have also been updated.  But just because the updates are available doesn’t mean you’re protected, since each of the microcode updates require that a patch be urgently applied to the computer in question.

There’s also an extra step that should be performed on systems running Hyper-V, which is to turn off Hyperthreading in the system BIOS. Hyperthreading allows each processor core to execute two separate sets of instructions simultaneously, allowing them to operate as if each core was two cores. In Hyper-V systems where you can’t be certain that fixes have been applied to guest operating systems, Hyperthreading needs to be turned off. While this will bring a performance hit, avoiding an attack will be well worth it.

Because these exploits are acting directly on the processor, there’s a high likelihood that you’d never know about an attack, even after the fact. This means it is crucial to patch your systems urgently. The microcode update won’t have any adverse effect on your servers, and the Windows or Linux updates should also leave you unaffected.