‘Foreshadow’ flaw found in Intel CPUs – what to do

For Intel and more than a billion computers that depend on Intel CPUs, the microprocessor flaws just keep coming.

This time, the company was the bearer of its own bad news when it disclosed a weakness dubbed ‘Foreshadow/Foreshadow-NG’ in a security technology called Software Guard Extensions (SGX) that has been baked into new CPU chips since 2015.

Intel said that Foreshadow was first reported to it by two sets of researchers in January 2018. The vulnerability affects secure enclaves set up by SGX chip instructions, and has been assigned CVE-2018-3615.

Looking into this, the company’s own researchers then discovered further variants that extended the weakness to new SGX-enabled chips running virtual machines or hypervisors.

These additional vulnerabilities have been dubbed CVE-2018-3620 and CVE-2018-3646 respectively.

Intel got wind of Foreshadow’s existence only days after the world was told about the Meltdown and Spectre mega-flaws.

Since then, there has been a slow drip of new CPU flaws, including reports of something called Spectre-NG in May, of which Foreshadow is the latest and perhaps most significant example.

What is Foreshadow?

Foreshadow – described in Intel-speak as a “side-channel method called L1 Terminal Fault (L1TF)” – is a weakness in a chip design feature called speculative execution that could allow a hypothetical attacker to access encrypted data being held in the chip’s special SGX enclave.

These enclaves are effectively isolated areas of chip memory that the processor can allocate to applications to keep sensitive data out of the reach of other software, including malware.

The gist of Foreshadow is that the data in a secure enclave could, in theory, be copied elsewhere and then accessed.

Foreshadow-NG goes one step further:

Foreshadow-NG might also be used to read information stored in other virtual machines running on the same third-party cloud, presenting a risk to cloud infrastructure.

Which CPUs are affected?

If you bought an Intel system after late 2015 (Skylake onwards) there’s a high chance it will contain an affected CPU (AMD and other vendors that don’t use SGX are not at risk):

  • Intel Core i3/i5/i7/M processor (45nm and 32nm)
  • 2nd/3rd/4th/5th/6th/7th/8th generation Intel Core processors
  • Intel Core X-series Processor Family for Intel X99 and X299 platforms
  • Intel Xeon processor 3400/3600/5500/5600/6500/7500 series
  • Intel Xeon Processor E3 v1/v2/v3/v4/v5/v6 Family
  • Intel Xeon Processor E5 v1/v2/v3/v4 Family
  • Intel Xeon Processor E7 v1/v2/v3/v4 Family
  • Intel Xeon Processor Scalable Family
  • Intel Xeon Processor D (1500, 2100)

Patching and mitigation

Systems that have already applied the firmware updates made available by Intel earlier this year, in addition to applicable OS updates (see Microsoft’s advice), should already be protected against Foreshadow, Intel said.

However, in datacentres running hypervisors that are vulnerable to Foreshadow-NG, things get more complicated, for reasons Intel has explored in a video.

Said Intel of these mitigations:

These actions may include enabling specific hypervisor core scheduling features or choosing not to use hyper-threading in some specific scenarios.

Clearly, Intel’s long-term solution is to design these weaknesses out of future CPUs. Given how many are now piling up, this will take time.
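For an administrator who wants to know where a Linux host stands on the L1TF mitigations above, the kernel reports its status in sysfs. The script below is an added example, not code from the article or from Intel; it assumes the kernel exposes /sys/devices/system/cpu/vulnerabilities/l1tf and /sys/devices/system/cpu/smt/control (added with the L1TF patches and their stable backports), and the sample status lines in the comments are constructed to follow the format the kernel documents. The function names (classify_l1tf, classify_smt, advice, report_host) are this example’s own.

```shell
#!/bin/sh
# Added example: interpret the Linux kernel's L1TF (Foreshadow) status report
# and the SMT control knob, then say what, if anything, still needs doing.
# Assumed sysfs paths (present since the L1TF kernel patches):
L1TF_FILE=/sys/devices/system/cpu/vulnerabilities/l1tf
SMT_FILE=/sys/devices/system/cpu/smt/control

# classify_l1tf STATUS_LINE
# Maps the kernel's one-line status to a single word. Constructed sample lines
# in the documented format:
#   "Not affected"
#   "Vulnerable"
#   "Mitigation: PTE Inversion"                       (no hypervisor, fully mitigated)
#   "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable"
#   "Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled"
#   "Mitigation: PTE Inversion; VMX: vulnerable"      (L1D flush on VM entry is off)
# Order matters: the specific hypervisor cases must precede the generic one.
classify_l1tf() {
    case "$1" in
        "Not affected")                  echo not-affected ;;
        Vulnerable*)                     echo unmitigated ;;
        Mitigation:*"SMT vulnerable"*)   echo hypervisor-smt-exposed ;;
        Mitigation:*"VMX: vulnerable"*)  echo hypervisor-exposed ;;
        Mitigation:*)                    echo mitigated ;;
        *)                               echo unknown ;;
    esac
}

# classify_smt CONTROL_VALUE  (values the kernel writes: on, off, forceoff,
# notsupported, notimplemented)
classify_smt() {
    case "$1" in
        on)                           echo smt-on ;;
        off|forceoff)                 echo smt-off ;;
        notsupported|notimplemented)  echo no-smt ;;
        *)                            echo unknown ;;
    esac
}

# advice L1TF_CLASS SMT_CLASS
# Turns the two classifications into the mitigation decision the article
# describes: on a hypervisor host, either disable hyper-threading or rely on
# core scheduling so untrusted guests never share a core's L1D cache.
advice() {
    case "$1" in
        not-affected|mitigated) echo ok ;;
        unmitigated)
            echo "apply the kernel update and Intel microcode update" ;;
        hypervisor-smt-exposed)
            if [ "$2" = smt-on ]; then
                echo "guests on sibling threads share L1D: disable SMT or use core scheduling"
            else
                echo ok
            fi ;;
        hypervisor-exposed)
            echo "L1D flush on VM entry is disabled: re-enable it (kvm-intel.vmentry_l1d_flush)" ;;
        *)
            echo "status unknown: inspect $L1TF_FILE by hand" ;;
    esac
}

# report_host: read the live sysfs files when present and print a verdict.
report_host() {
    if [ ! -r "$L1TF_FILE" ]; then
        echo "$L1TF_FILE not present: kernel predates the L1TF patches or is not Linux"
        return 0
    fi
    l1tf_line=$(cat "$L1TF_FILE")
    smt_value=unknown
    [ -r "$SMT_FILE" ] && smt_value=$(cat "$SMT_FILE")
    l1tf_class=$(classify_l1tf "$l1tf_line")
    smt_class=$(classify_smt "$smt_value")
    echo "l1tf: $l1tf_line"
    echo "smt:  $smt_value"
    echo "verdict: $(advice "$l1tf_class" "$smt_class")"
}

report_host
```

Run it as an ordinary user; the sysfs files are world-readable. A host that is not running virtual machines will normally show the plain "Mitigation: PTE Inversion" line and needs nothing further, while a hypervisor host with SMT still on is the case where Intel’s core-scheduling or hyper-threading decision applies.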

As with Meltdown and Spectre, there is no evidence that anyone has exploited Foreshadow, nor would it be an obvious target for an attacker when there are so many easier software weaknesses to pick on.

Nevertheless, while these are all proof-of-concept flaws for now, it’s hard to escape the feeling that chip makers and their customers have a lot of work ahead of them.