Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Researchers Revive ‘Foreshadow’ Attack by Extending It Beyond L1 Cache

Researchers revealed late on Thursday that the mitigations and patches rolled out in 2018 for the Foreshadow vulnerabilities affecting Intel processors can fail to prevent attacks.

Researchers revealed late on Thursday that the mitigations and patches rolled out in 2018 for the Foreshadow vulnerabilities affecting Intel processors can fail to prevent attacks.

Foreshadow, also known as L1 Terminal Fault (L1TF), is the name assigned to three speculative execution flaws reported to Intel shortly after the disclosure in January 2018 of the notorious Meltdown and Spectre vulnerabilities.

Foreshadow is related to the exposure of the L1 data cache of an Intel processor to malicious processes. A malicious application installed on a system can exploit the vulnerabilities to obtain potentially sensitive data from the L1 data cache.

Intel and other companies whose products and infrastructure were affected by Foreshadow prepared patches and mitigations before disclosure. Foreshadow revived

However, a team of researchers from the Graz University of Technology in Austria and the CISPA Helmholtz Center for Information Security have revived the Foreshadow attack and made some other interesting discoveries.

The researchers told SecurityWeek that they have been working on this project since 2018 and impacted vendors were notified more than a year ago. They published a research paper describing their findings on Thursday.

Specifically, they discovered that the Foreshadow attack can be extended beyond the L1 cache, which previously was believed to be impossible, and attacks can still work despite the existing mitigations. They showed that Foreshadow attacks can also target data in the L3 cache.

The researchers found that the assumptions made regarding countermeasures described in several academic papers over the past four years were incorrect. This has allowed them to revive Foreshadow and demonstrate that attacks can still be launched on older kernels patched against Foreshadow and with all mitigations enabled. On more recent kernels, the attack still works if the mitigations for the apparently unrelated Spectre Variant 2 vulnerability are disabled (i.e. nospectre_v2 passed as a boot flag).

“[The attack] works on older kernels regardless of the nospectre_v2 flag — that is until recently (I think kernel 5.4 is the first where we’ve seen Foreshadow-L3 stopping to work) it did not matter whether or not Spectre mitigations were enabled and/or Foreshadow mitigations were enabled, Foreshadow-L3 still works on these kernel versions,” Daniel Gruss, one of the researchers involved in this project, told SecurityWeek.

Advertisement. Scroll to continue reading.

Intel does not plan on releasing additional mitigations for the Foreshadow attack. The company advises customers to ensure that the Spectre Variant 2 mitigations are enabled to prevent attacks.

The research paper also describes a browser-based attack that can be used to break the address space location randomization (ASLR) and kernel ASLR (KASLR) protections, which can be useful in an attack that requires exact address knowledge.

The researchers also identified a new way to exploit speculative dereferences, which enable direct data leakage via a Spectre attack. This attack also works against devices with AMD, ARM and IBM processors, and all of the impacted vendors have been notified.

Related: Many Siemens Products Affected by Foreshadow Vulnerabilities

Related: Microsoft Releases Intel Microcode Patches for Foreshadow Flaws

Related: Foreshadow/L1TF: What You Need to Know

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.