Microsoft, Intel Warn of 'Foreshadow' CPU Security Attacks -- Redmond Channel Partner

Microsoft, Intel Warn of 'Foreshadow' CPU Security Attacks

By Kurt Mackie
August 15, 2018

Yet another speculative execution side-channel attack method, this one dubbed "Foreshadow," was identified by researchers from Microsoft, Intel and Red Hat this week.

Researchers notified Intel of Foreshadow, also known as the "L1 Terminal Fault" (L1TF), on Jan. 3 this year -- coincidentally, the same day that Intel and other industry players had first disclosed the speculative execution side-channel attack methods known as "Meltdown" and "Spectre." Speculative execution is normally used to improve processor speeds in processors by guessing the next steps to take, but researchers found it also could be exploited in information disclosure-types of attacks.

Only Intel Processors Affected
The L1TF attack methods potentially can affect Intel Core and Intel Xeon processors only. However, attackers need to have access to a system or they need to be able to run code on a machine for the attacks to be carried out. Fixing the vulnerability requires applying both firmware and operating system updates, which are expected to have few performance degradations for most users. The big exception, though, is that some enterprises that run virtualization security solutions could face significant system slowdowns.

AMD claimed its processors weren't affected by the L1TF attack methods, according to a statement sent by a spokesperson:

As in the case with Meltdown, we believe our processors are not susceptible to the new speculative execution attack variants called Foreshadow or Foreshadow-NG due to our hardware paging architecture protections. We are advising customers running AMD EPYC™ processors in their data centers, including in virtualized environments, to not implement Foreshadow-related software mitigations for their AMD platforms.

Specifically, the attack methods can be used to defeat Intel's Software Guard Extensions (SGX) protections in Intel processors. Here's how the Foreshadow researchers described the issue:

While it was previously believed that SGX is resilient to speculative execution attacks (such as Meltdown and Spectre), Foreshadow demonstrates how speculative execution can be exploited for reading the contents of SGX-protected memory as well as extracting the machine's private attestation key. Making things worse, due to SGX's privacy features, an attestation report cannot be linked to the identity of its signer. Thus, it only takes a single compromised SGX machine to erode trust in the entire SGX ecosystem.

In other words, organizations would be unlikely to detect that an L1TF attack had taken place.

Intel researchers subsequently found a so-called "next-generation" attack scenario that exposes information in the processor's L1 memory cache. This next-generation attack can tap "information belonging to the System Management Mode (SMM), the operating system's kernel, or hypervisor," the Foreshadow researchers explained. It's this latter scenario that potentially exposes virtual machines in multitenant "cloud computing" scenarios to information disclosure threats, they added.

There are no active exploits known as yet for the L1TF attack methods. The vulnerabilities have already been assigned common vulnerability and exposures (CVE) identification numbers, namely:

CVE-2018-3615 "for attacking SGX"
CVE-2018-3620 "for attacking the OS Kernel and SMM mode"
CVE-2018-3646 "for attacking virtual machines"

Apply Firmware and OS Updates
Intel, in its overview document, suggested that its previously released firmware updates, in combination with updates released by OS makers, add protections against L1TF attacks for most users:

The microcode updates released earlier this year when coupled with operating system and hypervisor software available from our industry partners, ensure consumers, IT professionals and cloud service providers have access to the protections they need. Intel recommends people keep their systems up to date to protect against the evolving threat landscape.

Intel found that these updates will have "no meaningful performance" effects for most PC users. However, there can be rather large performance hits for datacenters using virtualized guest operating systems after applying the fixes, according to Intel's overview document.

Microsoft concurred with Intel's conclusions and suggested in its security advisory that organizations using Hyper-V and virtualization-based security with older Windows Server systems may have to disable Intel's Hyper-Threading capability, which will degrade system performance:

For most consumer devices, we have not observed a noticeable performance impact after applying the updates. Customers that use Virtualization Based Security (VBS) or versions of Hyper-V prior to Windows Server 2016 may need to disable Hyper-Threading to fully address the risk from L1 Terminal Fault (L1TF), resulting in performance degradation. Performance impact will vary by hardware and the workloads running on the system.

HyperClear
Microsoft is claiming that its "HyperClear" technology in Hyper-V, as used in Microsoft Azure, Windows Server 2016 and later Windows Server products, is a "comprehensive mitigation to this attack." The use of HyperClear also has a "relatively negligible performance impact," Microsoft indicated, in a virtualization team post.

These protections against L1TF attack methods were added with Microsoft's August security updates, released on Aug. 14, for both Windows 10 and Windows Server 2016, according to another Microsoft blog post.

In addition to Microsoft, Linux OS vendor Red Hat offered its analysis of L1TF and the steps to take. Red Hat offered an "it depends" opinion on what enterprises using virtualization should do, adding that Red Hat and other industry players aren't disabling Intel's Hyper-Threading technology by default:

The precise impact of L1TF to Hyper-Threading depends upon the specific use case and the virtualization environment being used. In some cases, it may be possible for public cloud vendors (who have often built special purpose hardware to assist in isolation) to take steps to render Hyper-Threading safe. In other cases, such as in a traditional enterprise environment featuring untrusted guest virtual machines, it may be necessary to disable Intel Hyper-Threading. Since this varies from one use case to another, and from one environment to another, Red Hat and our peers are not disabling Intel Hyper-Threading by default. Customers should instead consult our Knowledge Base article and make the appropriate determination for their own situation.

Red Hat indicated it is shipping OS updates "that include a new interface through which customers can disable Hyper-Threading at boot time."

Free Webcast! Learn about Password Management Best Practices

Featured

Multinational Partner Cognizant Buys 25,000 Microsoft 365 Copilot Seats

IT services giant Cognizant, which already has a robust Microsoft cloud MSP business, is now also one of the biggest customers of Redmond's Copilot AI product.
In Wake of VMware Changes, Broadcom Still Struggling To Win Critics Over

Broadcom CEO Hock Tan recently shared his company's motives for controversially changing VMware licensing policies, a move that had been met by widespread backlash.
2024 Microsoft Conference Calendar: For Partners, IT Pros and Developers

Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.
The 2024 Microsoft Product Roadmap

Everything Microsoft partners and IT pros need to know about major Microsoft product milestones this year.

RCP Update

Email Address*Country*

Please type the letters/numbers you see above.

Microsoft, Intel Warn of 'Foreshadow' CPU Security Attacks

Featured

Multinational Partner Cognizant Buys 25,000 Microsoft 365 Copilot Seats

In Wake of VMware Changes, Broadcom Still Struggling To Win Critics Over

2024 Microsoft Conference Calendar: For Partners, IT Pros and Developers

The 2024 Microsoft Product Roadmap

In Wake of VMware Changes, Broadcom Still Struggling To Win Critics Over

2024 Microsoft Conference Calendar: For Partners, IT Pros and Developers

Top SMB Threats Include Ransomware and Windows Server 2012: Report

Microsoft and OpenAI Continue Partnership with Supercomputer AI Datacenter

Microsoft Makes AI Push in London and Japan with Strategic Investments

In Wake of VMware Changes, Broadcom Still Struggling To Win Critics Over

2024 Microsoft Conference Calendar: For Partners, IT Pros and Developers

Top SMB Threats Include Ransomware and Windows Server 2012: Report

Microsoft and OpenAI Continue Partnership with Supercomputer AI Datacenter

Microsoft Makes AI Push in London and Japan with Strategic Investments

Partner Guides

Partner's Guide to the Windows Server 2008 Deadline

Partner's Guide to Office 365 Security Costs

Partner's Guide to UCaaS

Partner's Guide to Starter Workloads in Azure

Partner's Guide to Microsoft's Fiscal Year 2019

FREE WEBCASTS FROM OUR SPONSORS

Coffee Talk: Phishing Awareness Training 101 for Partners

Security Essentials: Empowering MSPs with Datto’s Integrated Solutions

Coffee Talk: Endpoint Security 101: Threats & Strategies SMB Partners Need to Know

Automated Intelligence: Simplifying M365 Governance for MSPs

FREE WHITE PAPERS FROM OUR SPONSORS

A guide to zero trust for MSPs

Microsoft CSP Guide

10 Reasons to Bundle Security with your Managed Services

Battling Business Email Compromise