Researchers at the University of Michigan, VUSec and University of Adelaide revealed a new attack they dubbed CacheOut yesterday. The speculative execution attack "is capable of leaking data from Intel CPUs across many security boundaries," according to the researchers, and it offers better targeting than previous attacks of its type.
CacheOut was purportedly inspired by previous speculative execution attacks like Spectre and Meltdown. Its reach extends further than those attacks, however, because it can bypass the hardware-based safeguards implemented by Intel in response to Meltdown's discovery. It can also be used to extract specific data.
The researchers said they "empirically demonstrate that CacheOut can violate nearly every hardware-based security domain, leaking data from the OS kernel, co-resident virtual machines, and even SGX enclaves" in their paper. Intel released microcode updates, and explained how to mitigate the attack on the OS level, in response.
So who's affected? The researchers said that anyone who owns an Intel processor released before the fourth quarter of 2018 is probably affected by CacheOut. (The company "inadvertently managed to partially mitigate this issue while addressing a previous issue," they said.) Intel published a list of affected processors on its website.
More information about CacheOut can be found in the researchers' paper (PDF). Intel offered additional details in a security advisory on its website, too, and the vulnerability exploited by this attack was given the National Vulnerability Database identifier of CVE-2020-0549. It's not believed to have been exploited in the wild.
Intel responded to our request for comment, stating:
"“Since May 2019, starting with Microarchitectural Data Sampling (MDS), and then in November with TAA, we and our system software partners have released mitigations that have cumulatively and substantially reduced the overall attack surface for these types of issues. We continue to conduct research in this area – internally, and in conjunction with the external research community.
More information can be found at https://blogs.intel.com/technology/2020/01/ipas-intel-sa-00329/.”"
ZombieLoad Rises Again
CacheOut appears to be related to the ZombieLoad attack that Intel attempted to address with patches for its processors in early 2019. The researchers who discovered ZombieLoad said on January 27 that more information about a previously embargoed side effect of their attack was available via the Intel Security Advisory and CVE-2020-0549 listing that were cited by the CacheOut researchers.
Here's part of the update from ZombieLoad's researchers:
"On January 27th, 2020, an embargo ended showing that the mitigations against MDS attacks released in May 2019 are insufficient. With L1D Eviction Sampling, an attacker can still mount ZombieLoad to leak data that is being evicted from the L1D cache.
"We disclosed this issue to Intel on May 16th, 2019. However, as microcode updates containing the necessary fixes are not yet available, we are not releasing any proof-of-concept code."
The researchers said additional information about this new attack can be found in the final version of their paper (PDF). While the new CacheOut branding might make this attack seem totally new, it seems like ZombieLoad actually copied its namesake in rising from the dead to continue to munch on the sweet, sweet brains of our PCs.