Foreshadow: Speculative Execution Attack Targets Intel SGX
A flaw in Intel’s Software Guard Extensions implementation allows an attacker to access data stored in memory of other applications running on the same host, without the need for privilege escalation.
Background
Researchers discovered a flaw in Intel’s Software Guard Extensions (SGX) implementation that opens up a new speculative execution attack called Foreshadow (CVE-2018-3615). In addition, Intel has discovered variants allowing for Foreshadow attacks against microprocessors, system management mode (SMM) code, operating systems and Hypervisor software. These variants have been dubbed Foreshadow-NG (CVE-2018-3620 and CVE-2018-3646).
Collectively, Intel has labeled all of the speculative execution side channel vulnerabilities as L1 Terminal Faults (L1TF). Red Hat Enterprise Linux, Microsoft and other vendors have adopted this name for Foreshadow and Foreshadow-NG.
Vulnerability details
Foreshadow allows an attacker to access the data stored in memory of other applications running on the same host without needing any privilege escalation. This enables the attacker to gain access to sensitive files, data, passwords, keys, etc. The proof-of-concept code for Foreshadow has not been released and researchers suspect there wouldn’t be a way to detect exploitation, should it happen.
Foreshadow-NG allows an attacker to access memory on any Virtual Machine hosted on the same cloud, making it a high-severity issue. According to the Foreshadow researcher’s abstract: “Foreshadow-NG is the first transient execution attack that fully escapes the virtual memory sandbox.” This also includes cloud environments, which could potentially mean asset owners are at risk from their digital neighbors. To make matters worse, the way SGX has been implemented, a single SGX-compromised machine can result in the entire ecosystem becoming tainted.
Based on the information currently available, AMD/ARM-based processors are believed to be unaffected by this flaw, as they don’t implement SGX.
Urgently required actions
We highly recommend reviewing and installing security updates from your operating system and virtualization vendors. Microsoft and Red Hat have released updates to mitigate the flaws in multiple ways and to different extents. These approaches include flushing of sensitive data, rendering sensitive data inaccessible, enhancing isolation between virtual processors and other strategies.
Identifying affected systems
A live list of plugins can be found here. As new plugins are developed for respective systems, that list will update.
Learn more:
Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
Related Articles
Do You Think You Have No AI Exposures? Think Again
August 6, 2024As AI usage becomes more prevalent in organizations globally, security teams must get full visibility into these applications. Building a comprehensive inventory of AI applications in your environment is a first step. Read on to learn what we found about AI application-usage in the real world when we analyzed anonymized telemetry data from scans using Tenable’s products.
Never Trust User Inputs -- And AI Isn't an Exception: A Security-First Approach
August 6, 2024As AI transforms industries, security remains critical. Discover the importance of a security-first approach in AI development, the risks of open-source tools, and how Tenable's solutions can help protect your systems.
CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package
September 16, 2024Tenable Research discovered a remote code execution (RCE) vulnerability in Google Cloud Platform (GCP) that is now fixed and that we dubbed CloudImposer. The vulnerability could have allowed an attacker to hijack an internal software dependency that Google pre-installs on each Google Cloud Composer pipeline-orchestration tool. Tenable Research also found risky guidance in GCP documentation that customers should be aware of.
Cybersecurity Snapshot: Russia-backed Hackers Aim at Critical Infrastructure Orgs, as Crypto Fraud Balloons
September 13, 2024Critical infrastructure operators must beware of Russian military hacking groups. Plus, cyber scammers are having a field day with crypto fraud. Meanwhile, AI and cloud vendors face stricter reporting regulations in the U.S. And get the latest on AI-model risk management and on cybersecurity understaffing!
Microsoft’s September 2024 Patch Tuesday Addresses 79 CVEs (CVE-2024-43491)
September 10, 2024Microsoft addresses 79 CVEs with seven critical vulnerabilities and four zero-day vulnerabilities, including three that were exploited in the wild.
- Plugins