The newly revealed Intel L1 Terminal Fault vulnerability, also known as Foreshadow, provides a new round of challenges for system administrators who must now find ways to protect their organization’s computers against what could be serious attacks.
Intel has released a blog post describing the flaws and explaining how they can affect systems through leakage of data through a processor’s level 1 cache or through Intel’s security enclaves in protected memory that depend on Software Guard Extensions (SGX) and Intel’s System Management Mode.
There are three versions of the L1TF that are closely related, and all arise through misuse of a processor’s speculative execution functions. Most modern processors use speculative execution, which means executing a command that’s most likely to come next in a series of instructions as a way to speed up operations. Speculative execution leaves traces to the contents of protected memory that can be exploited using sophisticated malware.
The process is complex, so Intel has released a video that explains how this works. Protecting your data center against this flaw isn’t complex, but there are several aspects of the process that you need to know about. The most important is that a successful attack using the Foreshadow vulnerabilities can take place through hypervisors supporting virtualized systems, such as VMware and Microsoft Hyper-V.
Most modern Intel processors, up to and including current 8th generation Core and Xeon CPUs, exhibit this flaw. Fixing the problem requires microcode and operating system updates to the affected machines.
System manufacturers have been releasing microcode updates since March, following Intel’s notification of the vulnerabilities in January, 2018. Microsoft has been including fixes for the problem in Windows Update. Several Linux distributions have also been updated.
But just because the updates are available doesn’t mean you’re protected. Each of the microcode updates required that a patch be applied to the computer in question. Usually this is done through the BIOS flashing process, and while updating each computer only requires a few minutes, patching every computer in a data center can be a daunting task.
Your organization probably already has a procedure for operating system updates. But this is one series of updates that needs to be tested and applied with some degree of urgency. While the vulnerability may be difficult to exploit, that’s not the same thing as being impossible.
There’s also an extra step that should be performed on systems running Hyper-V, which is to turn off Hyperthreading in the system BIOS. Hyperthreading is a technology that allows each processor core to execute two separate sets of instructions simultaneously, and in the process allows them operate as if each core was two cores. However, because they’re still one physical core, the Hyper-threading streams also share a single chunk of memory in the Level 1 cache.
VMware has been updated to protect against corruption of the Level 1 cache, but according to guidance from Intel, in Hyper-V systems where you can’t be certain that fixes have been applied to operating systems that are guest processes in a Hyper-V system, then Hyperthreading needs to be turned off.
Intel said in its security bulletin that the microcode fixes, which primarily ensure that the Level 1 cache is flushed quickly, won’t have any impact on performance. However, turning off Hyperthreading in systems where it’s used to support virtualized systems will indeed slow things down. Just how much depends on details on how your systems are using Hyperthreading, but it will happen.
If there is any good news in all of this, it’s that Intel is not aware of any exploits in the wild that use these vulnerabilities. But that’s not to say it can’t happen, because all that’s required is that a threat actor be able to execute code on an unpatched machine that’s able to read the contents of protected areas of memory.
Because such exploits are acting directly on the processor, there’s a high likelihood that you’d never know about an attack, even after the fact. It may not leave any traces at all. Worse, the code that exploits this vulnerability doesn’t appear to require any special access.
What this means is that it’s crucial that you patch your systems. The microcode update won’t have any adverse effect on your servers, the Windows or Linux updates should also leave you unaffected.
But if you’re running Hyper-V and you’re not certain that the guest operating systems have been patched, then you should turn off Hyperthreading, and this will bring a performance hit.
While it’s unlikely that the ransomware writers and the script kiddies will ever manage to create malware capable of exploiting Foreshadow, this is a vulnerability that’s well within the capabilities of nation-state threat actors.
You may not think that your organization is of interest to such actors, but as we’ve seen lately, you don’t need to be a government or a government contractor to be attacked. You only have to have the email address or phone number of someone who is.