Intel's chips have faced an onslaught of new vulnerabilities discovered by crafty researchers, and today finds the company facing yet another new flaw, Load Value Injection (LVI), that a press release from Bitdefender describes as "particularly devastating" for servers in the data center. LVI impacts all Core families spanning from the third-generation Ivy Bridge chips to the 10th-generation Comet Lake processors.
According to statements from the researchers to ZDNet, the attack builds on the Meltdown class of vulnerabilities that Intel already patched in software, yet LVI still works on systems that carry those software fixes. As such, Intel will reportedly need hardware changes to fully close the LVI attack vector.
In the researchers' experimental software mitigations, slowdowns ranged from 2x to 19x depending on the workload; that cost would be avoided by hardware fixes in new silicon.
Notably, the vulnerability (CVE-2020-0551) is said to "allow attackers to inject rogue values into certain microarchitectural structures, which are then used by the victim, which may lead to revealing secrets." Beyond general data theft, this could purportedly expose encryption keys or passwords held in memory, which in turn could let an attacker take control of the target machine.
The researchers contend the attack, which requires slipping attacker-chosen data into an SGX enclave, could theoretically be executed via JavaScript. That would mean physical access to the machine isn't required, but the researchers haven't tested that attack vector yet. In multi-tenant environments, such as cloud instances, the attack could allow eavesdropping on neighboring tenants. However, the researchers also note that the vulnerability is extremely hard to exploit, so it isn't an imminent threat to the majority of users.
Intel has published a full analysis of the LVI flaw, stating that "Due to the numerous, complex requirements that must be satisfied to implement the LVI method successfully, LVI is not a practical exploit in real-world environments where the OS and VMM are trusted[..] Accordingly, system administrators and application developers should carefully consider the particular threat model applicable to their systems when deciding whether and where to mitigate LVI."
The flaw was reported to Intel by Bitdefender and, separately, by a team of academic researchers who have exposed major flaws in Intel, AMD, Arm, and IBM architectures in the past. Bitdefender then created a synthetic proof of concept that it posted to GitHub. The academic researchers' work was funded in part by Intel, AMD, and Arm.
Bitdefender claims it shared the attack with Intel on Feb 10, 2020. The company also claims that existing mitigations for Meltdown, Spectre, and MDS are insufficient for mitigating the new flaw and that a full fix currently requires disabling hyper-threading or purchasing new hardware with in-silicon fixes. For now, that consists of the Ice Lake family and Atom processors that don't fall into the Silvermont and Airmont families.
Intel provided us with the following statements regarding the LVI vulnerabilities:
Load Value Injection Statement: “Researchers have identified a new mechanism referred to as Load Value Injection (LVI). Due to the numerous complex requirements that must be satisfied to successfully carry out, Intel does not believe LVI is a practical method in real world environments where the OS and VMM are trusted. New mitigation guidance and tools for LVI are available now and work in conjunction with previously released mitigations to substantively reduce the overall attack surface. We thank the researchers who worked with us, and our industry partners for their contributions on the coordinated disclosure of this issue.”
Statement Specific to SGX: “To mitigate the potential exploits of Load Value Injection (LVI) on platforms and applications utilizing Intel SGX, Intel is releasing updates to the SGX Platform Software and SDK starting today. The Intel SGX SDK includes guidance on how to mitigate LVI for Intel SGX application developers. Intel has likewise worked with our industry partners to make application compiler options available and will conduct an SGX TCB Recovery. Refer to the Intel SGX Attestation Technical Details for more information.”
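The mechanism behind the "rogue values" described above, and the fence-based hardening that the SGX SDK and compiler options Intel mentions apply mechanically, can be seen in a small C example. This is an added illustration, not code from Bitdefender, the academic researchers or Intel: LVI hijacks a load that faults or needs a microcode assist, so that the victim transiently computes on an attacker-chosen value before the fault is delivered; Intel's published LVI guidance is to place an LFENCE after such loads and before indirect branches and RET. The `lvi_lfence` helper, the sample table and the handler functions below are all constructed for the demonstration (the fence compiles to a compiler barrier on non-x86 targets only so the file builds everywhere).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Serializing fence. On x86 this is the LFENCE that Intel's LVI guidance
 * places after injectable loads and before indirect branches / RET.
 * On other targets it is only a compiler barrier (assumption: demo only). */
static inline void lvi_lfence(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");
#endif
}

#define TABLE_LEN 8

/* Constructed sample table standing in for data held inside an enclave. */
static const uint32_t sample_table[TABLE_LEN] = {
    0x1111u, 0x2222u, 0x3333u, 0x4444u, 0x5555u, 0x6666u, 0x7777u, 0x8888u
};

/* Unhardened gadget (the "before" form): the value loaded from *idx_ptr is
 * used right away to address a second load. If that first load faults or
 * needs an assist, the CPU may transiently substitute an attacker-chosen
 * value (LVI); the dependent load then runs on attacker-chosen data before
 * the fault is detected. The bounds check is no defence because it, too,
 * only ever sees the injected value. */
uint32_t lookup_unhardened(const uint32_t *table, const size_t *idx_ptr)
{
    size_t idx = *idx_ptr;          /* injectable load */
    if (idx >= TABLE_LEN)
        return 0;
    return table[idx];              /* dependent load: uses the loaded value */
}

/* Hardened form per Intel's LVI guidance: an LFENCE directly after the
 * injectable load makes it retire (and any fault be delivered) before any
 * instruction that depends on it can issue. Architecturally the function
 * behaves exactly like the unhardened one. */
uint32_t lookup_hardened(const uint32_t *table, const size_t *idx_ptr)
{
    size_t idx = *idx_ptr;
    lvi_lfence();                   /* idx is now architectural, not transient */
    if (idx >= TABLE_LEN)
        return 0;
    return table[idx];
}

/* Second gadget class: a loaded code pointer steering an indirect call.
 * Here the fence goes between the load and the branch. */
typedef uint32_t (*handler_fn)(uint32_t);
static uint32_t h_double(uint32_t v) { return v * 2u; }
static uint32_t h_negate(uint32_t v) { return ~v; }
static handler_fn const handlers[2] = { h_double, h_negate };

uint32_t dispatch_hardened(size_t which, uint32_t arg)
{
    handler_fn fn = handlers[which & 1u];   /* load of a code pointer */
    lvi_lfence();                           /* fence before the indirect call */
    return fn(arg);
}

/* Convenience wrappers so the two variants can be compared by value. */
uint32_t demo_lookup(size_t idx)
{
    return lookup_hardened(sample_table, &idx);
}

/* Returns 1 if hardened and unhardened lookups agree for in-range and
 * out-of-range indices, i.e. the fence changed no architectural result. */
int demo_equivalent(void)
{
    for (size_t i = 0; i < TABLE_LEN + 4; i++) {
        if (lookup_unhardened(sample_table, &i) !=
            lookup_hardened(sample_table, &i))
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("table[3] = 0x%x, table[99] = 0x%x, equivalent = %d\n",
           demo_lookup(3), demo_lookup(99), demo_equivalent());
    printf("dispatch(0, 21) = %u\n", dispatch_hardened(0, 21));
    return 0;
}
```

The fence costs nothing in correctness and everything in throughput: applying it after every load is what produces the 2x to 19x slowdowns reported above, which is why the guidance is to fence selectively where the threat model (untrusted OS or VMM, as with SGX) actually warrants it.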