vSOC SPOT Report: Foreshadow
Posted by: GuidePoint Security
Overview
On August 15th, 2018, a set of vulnerabilities codenamed “Foreshadow” was publicly disclosed. The original variant was discovered independently by two academic research teams; the further variants came out of the subsequent root-cause analysis. Foreshadow belongs to the same family of CPU speculative-execution side-channel vulnerabilities as the Spectre and Meltdown variants: it is a flaw in how the processor handles speculative loads, not a bug in any one operating system.
Foreshadow is part of the set of Intel speculative-execution side-channel vulnerabilities that Intel labels “L1 Terminal Fault” (L1TF). It affects a wide range of Intel hardware, and mitigation requires both CPU microcode updates and operating system and hypervisor patches. Foreshadow is divided into two parts: the original variant targets SGX enclaves, while the second set of variants targets virtual machines, hypervisors, operating systems’ kernel memory and System Management Mode (SMM) memory, and therefore affects a much larger installed base.
Technical Overview
Foreshadow is a speculative execution attack against Intel processors and falls into the same family as the Spectre and Meltdown vulnerabilities disclosed at the beginning of 2018. It has two versions. The first targets and extracts data from SGX enclaves. The second, “Next-Generation” version affects a far larger range of systems, including virtual machines, hypervisors, operating system kernel memory and SMM memory.
The first version targets SGX (Software Guard Extensions), a feature of modern Intel processors that lets an application place code and data in an enclave: a region of memory that is meant to stay confidential even if the operating system, the hypervisor or any other software on the machine is compromised. The Foreshadow vulnerability, CVE-2018-3615, shows that an attacker can read the memory contents of an SGX enclave; the researchers also demonstrated extraction of the platform’s attestation keys, which undermines a critical component of Intel’s trusted computing base for SGX, its remote attestation.
The second version, dubbed Foreshadow-NG, covers CVE-2018-3620, which affects operating system kernel memory and SMM memory, and CVE-2018-3646, which affects virtual machines and hypervisors. Foreshadow-NG extracts data from the processor’s L1 data cache, which at the moment of the attack may hold sensitive information belonging to SMM, the OS kernel, the hypervisor or another VM.
The most troublesome property of Foreshadow as a whole is that an attack leaves no trace in typical log files: it consists only of ordinary memory accesses and cache-timing measurements, so it is very hard to determine after the fact whether a system has been attacked.
Potential Impact
Foreshadow allows information residing in the L1 data cache to be disclosed to an attacker with local user access, or with guest OS privilege, by way of a terminal page fault and side-channel analysis. The L1 data cache is shared between the two hyper-threads (sibling threads) of a physical core, which is why hyper-threading figures in the mitigation advice below. In cloud environments such as AWS or Azure, this means a malicious or compromised VM could read data belonging to the hypervisor or to other tenants’ VMs running on the same physical core.
The SGX variant affects only SGX-enabled Core processors (Skylake and Kaby Lake families), but the Foreshadow-NG variants affect a much broader set of Intel Core and Xeon processors spanning several generations. The full list of impacted processors can be found in Intel’s advisory for this vulnerability:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html
What You Should Do
At this time the best mitigation is to apply the relevant CPU microcode updates (from Intel or the system vendor) together with the operating system and hypervisor patches that make use of them; a patched hypervisor flushes the L1 data cache on every VM entry so that a guest cannot read what the hypervisor or a previous guest left there. A second precaution is to evaluate whether disabling hyper-threading is an option in the environment: the L1D flush does not stop a sibling hyper-thread from sampling the cache while the other thread is running, so on hosts that run untrusted VMs full mitigation requires disabling hyper-threading or otherwise ensuring that untrusted guests never share a physical core. The performance impact may represent a large business risk and may make this impossible in some environments.
Further speculative-execution vulnerabilities in the same class as Spectre, Meltdown and Foreshadow are expected to be disclosed. The best course of action is to keep balancing the need to patch and secure devices against the performance levels the affected systems must sustain.
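Whether a Linux host has actually reached the mitigated state described above can be read from the running kernel, which reports its L1TF status in sysfs. The script below is an added example and is not part of the GuidePoint report: the status strings it recognises are the ones the Linux kernel writes to /sys/devices/system/cpu/vulnerabilities/l1tf and the l1tf= and kvm-intel.vmentry_l1d_flush= parameters are the documented Linux kernel knobs, while the grade labels and the sample strings are this example’s own.

```shell
#!/bin/sh
# Added example, not part of the GuidePoint report: grade a Linux host's L1TF
# (Foreshadow) mitigation state from what the kernel reports in sysfs and on
# the kernel command line. Grade labels are this script's own convention.

L1TF_SYSFS=/sys/devices/system/cpu/vulnerabilities/l1tf

# l1tf_grade STATUS_STRING
# Prints one of:
#   not-affected  CPU does not have the L1TF bug
#   host-only     PTE inversion protects the kernel; KVM/VMX not in use
#   full          guest data cannot leak: L1D flushed on VM entry (or EPT off)
#                 and hyper-threading disabled
#   smt-exposed   L1D flush is on but hyper-threading is on, so a malicious
#                 guest on one thread can still sample its sibling's L1D
#   vulnerable    guests are running with no VMX mitigation at all
#   unknown       string not in a format this script knows
l1tf_grade() {
    case "$1" in
        "Not affected")                                       echo not-affected ;;
        "Mitigation: PTE Inversion")                          echo host-only ;;
        "Mitigation: PTE Inversion; VMX: vulnerable"*)        echo vulnerable ;;
        "Mitigation: PTE Inversion; VMX: EPT disabled"*)      echo full ;;
        "Mitigation: PTE Inversion; VMX: "*", SMT disabled")  echo full ;;
        "Mitigation: PTE Inversion; VMX: "*", SMT vulnerable") echo smt-exposed ;;
        "Vulnerable"*)                                        echo vulnerable ;;
        *)                                                    echo unknown ;;
    esac
}

# cmdline_l1tf CMDLINE_STRING
# Prints the L1TF-related kernel parameters present on the command line
# (l1tf=full|full,force|flush|flush,nosmt|flush,nowarn|off and
# kvm-intel.vmentry_l1d_flush=always|cond|never), or "default" if none.
# The kernel default is conditional flushing with SMT left enabled.
cmdline_l1tf() {
    found=""
    for arg in $1; do
        case "$arg" in
            l1tf=*|kvm-intel.vmentry_l1d_flush=*) found="$found${found:+ }$arg" ;;
        esac
    done
    echo "${found:-default}"
}

# Report on the running host when the kernel exposes the information.
report_host() {
    if [ -r "$L1TF_SYSFS" ]; then
        status=$(cat "$L1TF_SYSFS")
        echo "host: $status -> $(l1tf_grade "$status")"
        echo "cmdline: $(cmdline_l1tf "$(cat /proc/cmdline)")"
    else
        echo "host: kernel does not expose $L1TF_SYSFS (unpatched or non-Linux kernel)"
    fi
}

# Constructed sample strings (in the kernel's own format) exercise the grader
# offline; the last one is the case the report warns about: patched, but
# hyper-threading still enabled on a host that may run untrusted guests.
for s in "Not affected" \
         "Mitigation: PTE Inversion" \
         "Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled" \
         "Mitigation: PTE Inversion; VMX: vulnerable" \
         "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable"; do
    printf '%-75s -> %s\n' "$s" "$(l1tf_grade "$s")"
done
report_host
```

A grade of smt-exposed on a host that runs untrusted guests means the hyper-threading decision discussed above still has to be made; booting with l1tf=full,force selects unconditional L1D flushing and disables SMT in one step, at the performance cost the report describes.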
Supporting Information
- https://kb.vmware.com/s/article/55806
- https://www.zdnet.com/article/microsoft-heres-how-to-limit-foreshadow-attack-impact/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html
- https://foreshadowattack.eu/
Contributing Authors
- Sam Harris, vSOC Program Manager
- Eric Ford, vSOC Analyst
- Dave Farquhar, vSOC Program Manager
GuidePoint Security