Intel SGX at Risk From Foreshadow Speculative Execution Attack

Another set of side-channel, speculative execution vulnerabilities have been publicly reported by security researchers; this time the vulnerabilities take specific aim at SGX secure enclave and hypervisor isolation boundaries.


Security researchers have revealed yet another side-channel vulnerability that impacts Intel CPUs.

The L1 Terminal Fault (L1TF) vulnerability has been dubbed "Foreshadow" by researchers who publicly disclosed the issue on Aug. 14. The Foreshadow vulnerability could have potentially enabled an attacker to extract privileged information from both vulnerable CPUs as well as hypervisors and even Intel Software Guard Extensions (SGX) secure enclave technologies. Intel has stated that while the vulnerability disclosure is new, it has already taken steps to protect its customers.

"L1 Terminal Fault is addressed by microcode updates released earlier this year, coupled with corresponding updates to operating system and hypervisor software that are available starting today," Intel wrote in a statement sent to eWEEK

Foreshadow is the latest in a series of side-channel vulnerabilities that have been reported in 2018, the first being Meltdown and Spectre, which were disclosed on Jan. 3. Additional variants were disclosed on May 22 and on July 26 with the NetSpectre attack. The Foreshadow issues were independently discovered by multiple groups of researchers, including ones from imec-DistriNet, KU Leuven, Technion- Israel Institute of Technology, University of Michigan, University of Adelaide and Data61.

There are two key variants of Foreshadow, with one attack focused on SGX (CVE-2018-3615) and the other that the researchers have dubbed as Foreshadow NG (next generation) which enables the exploitation of information that is in a CPU's Level 1 (L1) cache that can enable exploitation of Intel's system management mode SMM (CVE-2018-3620) and hypervisors (CVE-2018-364).

"While it was previously believed that SGX is resilient to speculative execution attacks (such as Meltdown and Spectre), Foreshadow demonstrates how speculative execution can be exploited for reading the contents of SGX-protected memory as well as extracting the machine’s private attestation key," the researchers wrote.

With Foreshadow NG, hypervisors are at risk, which could put cloud users at risk, according the researchers. The researchers claim that Foreshadow NG could also be used to read information stored in other virtual machines running on the same third-party cloud. The world's largest public cloud providers, including Amazon Web Services (AWS), are already protecting users against Foreshadow.

"AWS has designed and implemented its infrastructure with protections against these types of attacks, and has also deployed additional protections for L1TF," Amazon stated in an advisory. "All EC2 host infrastructure has been updated with these new protections, and no customer action is required at the infrastructure level."

Microsoft stated in an advisory that it too has also already deployed Foreshadow mitigation for its cloud services.

"The infrastructure that runs Azure and isolates customer workloads from each other is protected," Microsoft stated. "This means that a potential attacker using the same infrastructure can’t attack your application using these vulnerabilities."

Mitigations for Foreshadow are also being deployed by Linux vendors including Red Hat. Chris Robinson, manager of Product Security Assurance at Red Hat, said the new L1 Terminal Fault side-channel vulnerability is the latest in a long stream of microprocessor-related flaws that the industry has had to react to this year. 

"While the attack is very difficult to execute, customers are advised to apply patches as soon as they are available, review their corporate risk, and react accordingly in enabling the mitigations," Robinson stated.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.