
Intel Reveals TAA Vulnerabilities in Cascade Lake Chips and a New JCC Bug

(Image credit: Intel)

Intel announced in May a Microarchitectural Data Sampling (MDS) problem that attackers could exploit to extract information from its processors despite their built-in safeguards. Today it revealed that MDS was an even bigger problem than many people realized by announcing a new TSX Asynchronous Abort (TAA) vulnerability. Intel also disclosed a new Jump Conditional Code (JCC) erratum today and released a patch that does have a performance impact (which we'll cover further below). 

The researchers who discovered both security flaws, however, said there's nothing new about TAA--they claimed to have disclosed the vulnerability to Intel over a year ago, and it is only now being made public.

A quick refresher on MDS: we said in May that it's "a speculative execution side-channel attack that may allow malicious actors to locally execute code to extract sensitive data that would otherwise be protected by Intel processors’ architectural mechanisms." The vulnerabilities affected basically every Intel processor--with the notable exception of those based on the company's Whiskey Lake, Atom, and Knights architectures--released between 2011 and 2018.

Intel said at the time that it would take significant changes to various operating systems and other core parts of PC software to fully address the MDS vulnerabilities. In the meantime, it recommended disabling Hyper-Threading, continuing the trend of side-channel attacks undermining Intel's simultaneous multi-threading technology. We found that its mitigations for the MDS vulnerabilities (among others) also had a significant effect on the performance of SSDs used by systems featuring Intel CPUs.

VUSec, CISPA, and other security organizations shared more information about MDS, TAA and related vulnerabilities on the "MDS Attacks" website. The groups said they disclosed the MDS flaw and TAA vulnerability to Intel in September 2018. Because they coordinated the public disclosure of those issues with Intel, they didn't say anything until May, but it turns out that even then they couldn't offer full details about the vulnerabilities or Intel's response to them to the public until today.

Today's update to MDS Attacks revealed TAA, alignment faults that give "an attacker yet another way of leaking data" in all but the most recent Intel processors, flawed MDS mitigations, and a new RIDL test suite that can be found on GitHub. The organizations also said in their TL;DR that "an attacker can mount a RIDL attack despite the in-silicon mitigations/microcode patches published in May 2019 being in place." (Which is the kind of TL;DR that makes people actually want to read more.)

Intel also revealed that TAA affects even more processors than the MDS vulnerabilities it shared in May. In the "Deep Dive: Intel® Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort" report it published today, the company said that certain Whiskey Lake, Cascade Lake, and Coffee Lake R processors that support its Intel TSX technology are affected by this vulnerability. That means even the company's latest processors aren't safe from these issues.

The company said, "malicious application software executed by an authenticated user may be able to infer the values of data accessed on the same physical core" by exploiting TAA. That means they could glean information about:

  • Other applications
  • Operating System (OS)
  • System Management Mode (SMM)
  • Intel Software Guard Extensions (Intel SGX) enclaves
  • Virtual Machine Manager (VMM) if present
  • Other guests running under the same VMM

More information about TAA is available via Intel's website and MDS Attacks. 
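Since the May microcode and mitigations do not cover TAA, a host that looks patched for MDS can still be exposed. On Linux the kernel reports each issue's state under /sys/devices/system/cpu/vulnerabilities/ (the TAA entry is tsx_async_abort), and the "SMT vulnerable" qualifier flags exactly the same-physical-core leakage Intel describes above. The audit below is an added example, not code from Intel or the MDS Attacks researchers; the sample status lines are constructed, modelled on the kernel's reporting format.

```python
"""Audit Linux sysfs reporting for MDS and TSX Asynchronous Abort (TAA)."""
import os

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
ENTRIES = ("mds", "tsx_async_abort")


def read_sysfs_statuses(vuln_dir=VULN_DIR):
    """Return {entry: status line}; entries the kernel does not expose map to None."""
    out = {}
    for name in ENTRIES:
        try:
            with open(os.path.join(vuln_dir, name)) as f:
                out[name] = f.read().strip()
        except OSError:
            out[name] = None  # kernel too old to know about this issue
    return out


def classify(status):
    """Map one kernel status line to a verdict.

    'SMT vulnerable' means buffers are cleared on privilege transitions, but a
    sibling hyperthread on the same physical core can still sample leaked data.
    """
    if status is None:
        return "unknown"
    s = status.lower()
    if s.startswith("not affected"):
        return "not-affected"
    if s.startswith("mitigation"):
        return "partial" if "smt vulnerable" in s else "mitigated"
    if s.startswith("vulnerable"):
        return "vulnerable"
    return "unknown"


def audit(statuses):
    """Return {entry: verdict} for every entry we care about."""
    return {name: classify(statuses.get(name)) for name in ENTRIES}


def is_clean(statuses):
    """True only when no entry is vulnerable, partial or unknown."""
    return all(v in ("not-affected", "mitigated") for v in audit(statuses).values())


# Constructed sample (not captured from a real host): MDS mitigation is in
# place with Hyper-Threading still on, while the TAA microcode is missing.
SAMPLE_STATUSES = {
    "mds": "Mitigation: Clear CPU buffers; SMT vulnerable",
    "tsx_async_abort": "Vulnerable: Clear CPU buffers attempted, no microcode",
}

if __name__ == "__main__":
    live = read_sysfs_statuses()
    for name, verdict in audit(live).items():
        print(f"{name}: {live[name]!r} -> {verdict}")
    print("clean:", is_clean(live))
```

Run it on a host to see its live state; on the constructed sample it reports MDS as partial and TAA as vulnerable, so the host is not clean.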

But Wait, There's More!

The new TAA vulnerabilities weren't the only flaw affecting Intel processors revealed today. Phoronix reported on a Jump Conditional Code (JCC) erratum affecting CPUs based on the Skylake architecture and its descendants. This is said to be "a bug involving the CPU's Decoded ICache" that meant "unpredictable behavior could happen when jump instructions cross cache lines." Intel released microcode updates to address the flaw, but unsurprisingly, that affected performance.

Phoronix said that "Intel's official guidance coming out today states their observed performance effects from this microcode update to be in the range of 0~4%" with some outliers. The outlet's benchmarks showed that the "microcode update does cause a hit of generally up to a couple percent," but with the caveat that in "select real-world workloads the impact is greater." Check out the full report for more info.

  • Blitz Hacker
    Wow.. RIP Intel shareholders for Q4 of 2019. Intel's financial reports are starting to closely resemble mine irl :P Pretty sure this isn't the response Intel wanted to the 3950x /2960tr/2070tr AMD release. What a year for CPUs
    Reply
  • hotaru251
    tbh I need to build a new PC (system is showing its age now)

    I have always been Intel for CPU (gpu i a few times went amd).

    But idk if I am going to stay with them as it just seems they have unfixable (and no disabling HT is NOT fixing..that's literally tossing the reason you buy a HT CPU out the window) stuff like this pop up frequently (enough).

    AMD does have issues with their CPUs, but they seem to actually make it a priority 1 and fix it...whereas Intel is "we'll get around to it sometime"
    Reply
  • cryoburner
    Most likely, they had the fixes ready a year ago, but didn't make them publicly available so that interested parties could get a year's worth of use out of them first. They probably don't need this one anymore though, as they have another to replace it with that won't get patched for another year. >_>
    Reply
  • DookieDraws
    Seems we're hearing of this way too much.
    Reply
  • Olle P
    Blitz Hacker said:
    ... Intels financial reports are starting to closely resemble mine irl :p ...
    Your income goes up too?
    Vulnerabilities with fixes that reduce the performance are mitigated by buying more CPUs to make up for the loss in processing power. Intel will thus sell more high end Xeons as a result of this!

    Over time more companies will switch to AMD though, but it will take a couple of years to do that transfer.
    Reply
  • jgraham11
    They knew about it in September of 2018... So Intel again released the recent Cascade Lake CPUs and Coffee Lake CPUs with full knowledge of this vulnerability. Class action lawsuit anyone???

    We've got to come up with a catchy name: I'm thinking "Kiss Intel bug" pronounced "Kiss 'n Tell bug". Any other thoughts?
    Reply
  • bit_user
    jgraham11 said:
    They knew about it in September of 2018... So Intel again released the recent Cascade Lake CPUs and Coffee Lake CPUs with full knowledge of this vulnerability. Class action lawsuit anyone???
    This is an interesting point. If you have a CPU you're about to release, and you make claims about its performance, knowing those claims will soon be invalidated when people start running with the mitigation they'll need for an undisclosed security vulnerability, what's the legal exposure?

    It seems like being caught between a rock and a hard place, since the vulnerability announcement was presumably being delayed so their partners could get the BIOS and other software ready with the mitigation. So, I guess you'd either have to hold back the launch (but what if there are yet more vulnerabilities in the pipeline?), not make any performance claims, or just quote the performance with mitigations for "all known vulnerabilities", including undisclosed ones.
    Reply
  • cryoburner
    bit_user said:
    It seems like being caught between a rock and a hard place, since the vulnerability announcement was presumably being delayed so their partners could get the BIOS and other software ready with the mitigation.
    Should that really take 14 months though? >_>
    Reply
  • Olle P
    bit_user said:
    This is an interesting point. If you have a CPU you're about to release, and you make claims about its performance, knowing those claims will soon be invalidated... for an undisclosed security vulnerability, what's the legal exposure?
    I don't think the computing performance is an issue at all, compared to the issue of releasing the CPU without disclosing the known vulnerability!

    What if it was a car with a safety issue known to the manufacturer but undisclosed to the public?
    Reply
  • bit_user
    Olle P said:
    What if it was a car with a safety issue known to the manufacturer but undisclosed to the public?
    Automotive "recalls" are fairly common. I doubt if they often hold the launch of a vehicle due to recalls, unless they're ones that would be very expensive to fix in the field. If it's a safety recall, then they would just ensure that dealers install the fix before any customers take delivery.
    Reply