2020-01-28

Another vulnerability has been discovered in Intel CPUs. Once again Intel CPUs are exposed to a speculative execution attack, and the software and hardware patches of the previous generation do not address this specific vulnerability. The researchers who discovered the vulnerability, formally ‘L1D Eviction Sampling’, have called it CacheOut, because the abused side channel lies in the cache mechanism of the CPU.

Before we continue, it is worth noting that Intel CPUs released before Skylake and after Q4 2018 are not vulnerable to CacheOut. According to the researchers, AMD processors are not affected. IBM and ARM processors may be affected but fall outside the scope of this article.

Intel has previously made efforts to limit the chance of side-channel attacks, and of hackers ‘drinking from the data firehose’, by overwriting data buffers in the CPU. However, CacheOut is a new Microarchitectural Data Sampling (MDS) technique that bypasses these countermeasures.

Researchers from the University of Michigan and the University of Adelaide noted that “because data is removed from the L1 cache of the CPU, it is often sent back to the leaking CPU buffers where it can be recovered by the attacker.” An attractive aspect of CacheOut for hackers is that it lets them choose which data should leak from the L1 cache of the CPU, and which part of a cache line should leak. The researchers have demonstrated that it is possible to “leak information across multiple security boundaries, including that between hyperthreads, processes, and virtual machines, and between user space and the kernel of the operating system, and from SGX enclaves.” Intel has classified CacheOut, tracked as L1D Eviction Sampling / CVE-2020-0549 / INTEL-SA-00329, as a medium-severity vulnerability with a score of 6.5.

The security researchers contacted Intel last year before making their findings public. This gave Intel time to prepare patches, and cloud providers have already deployed countermeasures against the vulnerability. Disabling hyperthreading or disabling TSX in Intel processors can reduce exposure in the meantime. Intel says it expects microcode updates for affected processors in the near future.
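As an added example, not from the article or its researchers, here is a read-only Linux check for the two interim mitigations the article names, hyperthreading disabled or TSX disabled. It assumes the Linux sysfs SMT control file and the `flags` line of `/proc/cpuinfo` (TSX is advertised there as `rtm`/`hle`, and microcode that disables TSX clears those flags); it reports state only and changes nothing.

```shell
#!/bin/sh
# Added example: report whether either interim CacheOut mitigation named in
# the article (SMT off, or TSX off) is in place on this Linux host.
# Assumed paths: /sys/devices/system/cpu/smt/active and /proc/cpuinfo.

# smt_state CONTENT -> on | off | unknown
# /sys/devices/system/cpu/smt/active holds 1 when sibling threads are online.
smt_state() {
  case "$1" in
    1) echo on ;;
    0) echo off ;;
    *) echo unknown ;;
  esac
}

# tsx_state FLAGS -> on if the cpuinfo flag list advertises rtm or hle,
# off if the list is present but lacks them, unknown if the list is empty.
tsx_state() {
  [ -z "$1" ] && { echo unknown; return 0; }
  for f in $1; do
    case "$f" in
      rtm|hle) echo on; return 0 ;;
    esac
  done
  echo off
}

# verdict SMT TSX -> reduced if either mitigation is active (per the article,
# either one reduces exposure until microcode lands), unknown if undecidable,
# otherwise "not reduced".
verdict() {
  if [ "$1" = off ] || [ "$2" = off ]; then echo reduced
  elif [ "$1" = unknown ] || [ "$2" = unknown ]; then echo unknown
  else echo "not reduced"
  fi
}

# Live readers: fall back to empty/unknown when the files are absent.
live_smt() { cat /sys/devices/system/cpu/smt/active 2>/dev/null || echo unknown; }
live_flags() { grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2; }

main() {
  smt=$(smt_state "$(live_smt)")
  tsx=$(tsx_state "$(live_flags)")
  printf 'SMT/hyperthreading: %s\nTSX (rtm/hle): %s\n' "$smt" "$tsx"
  printf 'Interim CacheOut exposure: %s\n' "$(verdict "$smt" "$tsx")"
}

main
```

Treat "reduced" as interim only: the article states that the actual fix is the forthcoming microcode update for affected processors.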