
Foreshadow: What you need to know

The start of the year seemed to open with a bang on the cybersecurity news front. The Spectre and Meltdown vulnerabilities made headlines amid fears that they could be as bad as, if not worse than, the earlier Heartbleed vulnerability that had previously made its mark on CPUs. Since then, news has trickled in every now and then of researchers managing to exploit those vulnerabilities in slightly new ways. On August 14, 2018, news broke that researchers had discovered another vulnerability affecting Intel processors. The researchers who discovered it have called it Foreshadow and have set up a website where users can find more information, including the paper they published.

Two research teams independently discovered the Foreshadow vulnerability, which Intel refers to as L1 Terminal Fault (L1TF). A team from KU Leuven, a university in Belgium, informed Intel of its findings on January 3, the day the now infamous Spectre and Meltdown vulnerabilities were disclosed to the public. The second team, comprising researchers from Israel-based Technion, the University of Michigan, the University of Adelaide in Australia, and Australia-based CSIRO's Data61, reported its findings to Intel on January 23.

Since their discovery, the flaws have been assigned three CVE numbers: CVE-2018-3615, which impacts Intel's Software Guard Extensions (SGX); CVE-2018-3620, which impacts operating systems and System Management Mode (SMM); and CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMMs).


The vulnerability affecting Intel's Software Guard Extensions has garnered the most media attention. Researchers first discovered the flaw in SGX, a feature of Intel processors designed to protect user data even if an attacker takes control of the entire system. SGX was believed to be resilient to speculative execution attacks, but the researchers have now demonstrated that an attacker can read memory protected by SGX. They further explained:

“Making things worse, due to SGX’s privacy features, an attestation report cannot be linked to the identity of its signer. Thus, it only takes a single compromised SGX machine to erode trust in the entire SGX ecosystem.”

This would give a would-be attacker the ability to read information stored in other virtual machines running on the same third-party cloud, presenting a risk to cloud infrastructure. In some cases, and under the right conditions, the attack might also bypass previous mitigations against speculative execution attacks, including the countermeasures deployed against Meltdown and Spectre.

Intel’s Response and Analysis

Researchers at Intel appear to have taken the news incredibly seriously and have conducted their own analysis to help protect the company's massive client base. According to Intel, a malicious application installed on the targeted system can deduce data values from the operating system or other applications. Exploitation of the flaws can also allow a malicious guest VM to obtain data from the memory of the virtual machine monitor (VMM) or of other guest VMs. Intel further pointed out that the Foreshadow vulnerabilities allow malicious software to obtain data from SMM memory, and that malware running outside or within an SGX enclave may be able to access data belonging to another SGX enclave.

Shortly after the news broke, Intel issued a press statement explaining both the vulnerabilities and its plans to mitigate them. In the statement, the chip giant was quick to point out that:

“We are not aware of reports that any of these methods have been used in real-world exploits, but this further underscores the need for everyone to adhere to security best practices. This includes keeping systems up-to-date and taking steps to prevent malware.”

Further, the company and other tech giants have released updates to prevent exploitation in the wild. In the above-mentioned statement, the company stated that once the update is installed,

“…we expect the risk to consumer and enterprise users running non-virtualized operating systems will be low. This includes most of the data center installed base and the vast majority of PC clients. In these cases, we haven’t seen any meaningful performance impact from the above mitigations based on the benchmarks we’ve run on our test systems.”

For enterprises running virtualized operating systems, however, Intel advises that additional security measures be taken. These include:

“…enabling specific hypervisor core scheduling features or choosing not to use hyper-threading in some specific scenarios. While these additional steps might be applicable to a relatively small portion of the market, we think it’s important to provide solutions for all our customers.”

Microsoft offers further advice

Many major corporations have been assisting their client bases with information on how to mitigate the vulnerability. Companies like Cisco and Microsoft were quick to issue advisories. In its advisory, Microsoft warned that customers using Windows client operating systems with affected Intel processors may need to apply both firmware (microcode) and software updates, depending on how the system is configured. On supported versions of the Windows kernel and the Hyper-V hypervisor, those updates automatically enable mitigations against two key ways an attacker could use L1TF, both related to the way each component handles page table entries. However, administrators should be aware that those mitigations need to be manually enabled on Windows Server.

For the average user, it is important to keep their system up to date, as this will mitigate the vulnerability. However, those in charge of Windows Server operations may need to do a lot more than simply update. In a technical blog post, Matt Miller from Microsoft's Security Response Center explains in detail what administrators and other IT professionals should do to mitigate the vulnerabilities.
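The two Windows Server steps described above, checking whether the L1TF mitigation is actually active and switching it on where it is not, as an added PowerShell example that is not part of the original article or of Microsoft's blog post. It assumes the SpeculationControl module from the PowerShell Gallery is installed (Install-Module SpeculationControl), that the script runs elevated, and, for the Hyper-V part, Windows Server 2016 or later with the Hyper-V module; the registry values and commands follow Microsoft's published Windows Server guidance, which the article itself does not reproduce:

```powershell
#Requires -RunAsAdministrator
# Added example: audit and enable the L1TF (Foreshadow) mitigations that the article
# says must be enabled manually on Windows Server. Assumes the SpeculationControl
# module is installed and that this runs in an elevated session.

function Get-L1tfStatus {
    # Get-SpeculationControlSettings reports whether the CPU is vulnerable to L1TF,
    # whether the patched kernel is installed, and whether the mitigation is switched on.
    $s = Get-SpeculationControlSettings
    [pscustomobject]@{
        HardwareVulnerable    = $s.L1TFHardwareVulnerable     # CPU affected at all
        WindowsSupportPresent = $s.L1TFWindowsSupportPresent  # August update installed
        WindowsSupportEnabled = $s.L1TFWindowsSupportEnabled  # mitigation actually on
        L1DFlushSupported     = $s.L1DFlushSupported          # microcode offers L1D flush
    }
}

function Enable-L1tfKernelMitigation {
    # Microsoft's Windows Server guidance enables the L1TF kernel mitigation together
    # with the Meltdown and Spectre v2 ones through these two values; a reboot is needed.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    Set-ItemProperty -Path $key -Name FeatureSettingsOverride     -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name FeatureSettingsOverrideMask -Value 3 -Type DWord
}

function Enable-HyperVCoreScheduler {
    # Intel's advice on "hypervisor core scheduling" maps, on Windows Server 2016+, to the
    # Hyper-V core scheduler, which keeps sibling hyper-threads inside one VM.
    bcdedit /set hypervisorschedulertype core | Out-Null
    # Expose SMT to guests as whole cores so two VMs never share a physical core.
    # Set-VMProcessor needs the VM to be off, so only stopped VMs are touched here.
    Get-VM | Where-Object State -eq 'Off' | Set-VMProcessor -HwThreadCountPerCore 2
}

# Usage: report first, then remediate only what is missing.
$status = Get-L1tfStatus
$status | Format-List

if ($status.HardwareVulnerable -and -not $status.WindowsSupportPresent) {
    Write-Warning 'Install the August 2018 cumulative update before enabling mitigations.'
}
elseif ($status.HardwareVulnerable -and -not $status.WindowsSupportEnabled) {
    Enable-L1tfKernelMitigation
    if (Get-Command Get-VM -ErrorAction SilentlyContinue) { Enable-HyperVCoreScheduler }
    Write-Warning 'Mitigations configured; reboot the host for them to take effect.'
}
```

Run the status function again after the reboot: the host is only protected once WindowsSupportEnabled reports True, and on a Hyper-V host the L1D flush (L1DFlushSupported) additionally depends on the firmware microcode update having been applied.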

All in all, the industry's response to the problem can be seen as excellent, with many companies working together to find a solution. This may go down as one of the best examples of the vulnerability reporting process to date. While the companies have been on the ball, users are advised to follow suit and ensure all August updates have been installed.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
