Intel to patch CacheOut flaw

Another ZombieLoad-style flaw hits Intel's processors, but an update is on the way

Intel is to patch two flaws in its chips, both of which could leak data including passwords. 

The two flaws, CVE-2020-0548 and CVE-2020-0549, could allow information disclosure, Intel said in an advisory, saying it would release firmware updates. 

The former, rated as low risk by Intel, takes advantage of cleanup errors in Intel chips that could allow an already authenticated user to nab key data. The latter and more serious of the vulnerabilities was detailed by a team of researchers over the weekend, who dubbed it CacheOut. 

The attack is similar to previous major Intel flaws that also used microarchitectural data sampling (MDS), notably ZombieLoad, which the company has already tried to address with patches. "We show that despite Intel's attempts to address previous generations of speculative execution attacks, CPUs are still vulnerable, allowing attackers to exploit these vulnerabilities to leak sensitive data," the researchers say. 

"Moreover, unlike previous MDS issues, we show in our work how an attacker can exploit the CPU's caching mechanisms to select what data to leak, as opposed to waiting for the data to be available," they added. "Finally, we empirically demonstrate that CacheOut can violate nearly every hardware-based security domain, leaking data from the OS kernel, co-resident virtual machines, and even SGX enclaves."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The researchers said the flaw impacts chips released up until the end of 2018. "For a select number of processors released after Q4 2018, Intel inadvertently managed to partially mitigate this issue while addressing a previous issue called TSX Asynchronous Abort (TAA)," the researchers noted. Intel added that the vulnerability doesn't impact virtual environments that have applied L1 Terminal Fault mitigations. 

Intel is releasing microcode updates to users as part of its regular patching to address the flaw. "As part of our commitment to transparency, the advisory has been released before our planned mitigations can be made available and we expect to release mitigations through our normal Intel Platform Update (IPU) process in the near future," noted Jerry Bryant, director of communications for Intel product assurance and security, in a blog post

The researchers said they hoped the solution would extend to the chips themselves in the longer term. "Software can mitigate these issues at the cost of features and/or performance," the researchers added. "We hope that somewhere in the future Intel will release processors with in-silicon fixes against this issue."

Related Resource

How targeted simulations differ from penetration tests and vulnerability scanning

Stay one step ahead of cyber attackers

Download now

The researchers and Intel have both said they've yet to spot hackers using the flaw in the wild. 

The team of researchers was made up of academics from Vrije Universiteit Amsterdam, the University of Adelaide, and the University of Michigan. 

Featured Resources

Digital Risk Report 2020

A global view into the impact of digital transformation on risk and security management

Download now

6 ways your business could suffer if you don’t backup Office 365

Office 365 makes it easy to lose valuable data regularly, unpredictably, unintentionally, and for good

Download now

Get the best out of your workforce

7 steps to unleashing their true potential with robotic process automation

Download now

8 digital best practices for IT professionals

Don't leave anything to chance when going digital

Download now
Advertisement

Most Popular

Visit/mobile/28299/how-to-use-chromecast-without-wi-fi
Mobile

How to use Chromecast without Wi-Fi

5 Feb 2020
Visit/operating-systems/27717/how-to-fix-a-stuck-windows-10-update
operating systems

How to fix a stuck Windows 10 update

12 Feb 2020
Visit/security/34616/the-top-ten-password-cracking-techniques-used-by-hackers
Security

The top ten password-cracking techniques used by hackers

10 Feb 2020
Visit/software/linux/354831/microsoft-to-add-defender-antivirus-software-to-linux-ios-and-android
Linux

Microsoft to add Defender antivirus software to Linux, iOS and Android

21 Feb 2020