Newly-revealed flaws in some Intel chips could make virtualised systems vulnerable.
The Foreshadow and Foreshadow-NG flaws could manifest in Intel Core and Xeon processors released after 2015, running on third-party clouds.
Intel has released patches, and it’s reported that cloud providers are addressing the issue.
Leslie Culbertson, executive vice-president and GM of product assurance and security at Intel, yesterday released a statement about the recently-identified speculative execution side-channel method, L1 Terminal Fault (L1TF).
“This method affects select microprocessor products supporting Intel Software Guard Extensions (Intel SGX),” she states. “Our security team has identified two related applications of L1TF with the potential to impact other microprocessors, operating systems and virtualisation software.”
She says that microcode updates (MCUs) released earlier this year are a component of the mitigation strategy for all three applications of L1TF. “When coupled with corresponding updates to operating system and hypervisor software released starting today by our industry partners and the open source community, these updates help ensure that consumers, IT professionals and cloud service providers have access to the protections they need.”
L1TF is also addressed by changes Intel is making at the hardware level, and started with its next-generation Intel Xeon Scalable processors, as well as new client processors expected to launch later this year.
“We are not aware of reports that any of these methods have been used in real-world exploits, but this further underscores the need for everyone to adhere to security best practices. This includes keeping systems up-to-date and taking steps to prevent malware.”
Culbertson explains that all three applications of L1TF are speculative execution side channel cache timing vulnerabilities, similar to previously reported variants.
These particular methods target access to the L1 data cache, a small pool of memory within each processor core designed to store information about what the processor core is most likely to do next.
The microcode updates released earlier this year provide a way for system software to clear this shared cache, but some users – specifically those running traditional virtualisation technology in the data centre – should take additional steps to protect their systems.
“This is principally to safeguard against situations where the IT administrator or cloud provider cannot guarantee that all virtualised operating systems have been updated,” she says. “These actions may include enabling specific hypervisor core scheduling features or choosing not to use hyper-threading in some specific scenarios.”