Three new Spectre-style flaws revealed that affect Intel chips

Intel has disclosed three new security flaws affecting its processors, which exploit speculative executions and side-channel memory in a similar way to Meltdown and Spectre.

The three new flaws are all variants of one vulnerability, which has been dubbed 'Foreshadow' by the security researchers who discovered it and is referred to by Intel as L1 Terminal Fault (L1TF).

CVE-2018-3615 affects Software Guard Extensions (SGX), CVE-2018-3620 relates to system memory managers (SMM) and operating systems, and CVE-2018-3620 affects virtual machines and hypervisors.

"When a program attempts to access data in memory, the logical memory address is translated to a physical address by the hardware," Intel's white paper on the issue said. "Accessing a logical or linear address that is not mapped to a physical location on the hardware will result in a terminal fault."

"Once the fault is triggered, there is a gap before resolution where the processor will use speculative execution to try to load data. During this time, the processor could speculatively access the level 1 data cache (L1D), potentially allowing side-channel methods to infer information that would otherwise be protected."

All classes of Intel's CPUs are affected, from desktop chips all the way up to high-performance server components. Critically, Foreshadow also affects the servers on which multi-tenant cloud services are hosted, meaning that customers of cloud providers are also at risk.

Like Meltdown and Spectre before it, Foreshadow exploits a feature of processors known as speculative execution, which relates to the page tables of a processor's physical memory. Page tables define which areas of RAM are dedicated to which currently-running processes or applications.

In theory, when an application requests to access this area of RAM, the processor should consult the page tables to identify whether or not the request is valid. However, in order to speed up performance, modern processors will execute the request based on the data that is stored in its L1 cache memory before the validity of the request can be confirmed in the page table.

Hackers can exploit this by using malware running on the same physical CPU core to mark certain entries in the page table as invalid and then reading the data that is speculatively fetched from the L1 cache - which can include passwords, encryption keys and assorted personal data.

Because this flaw also affects servers which use virtualisation, cloud services are also at risk. If a malicious VM is running on the same physical CPU core as another customer's VM, this technique can be exploited to steal information from that VM.

The microcode patches that Intel released earlier in the year to address Meltdown and Spectre, combined with operating system and hypervisor patches, will be used to address all three vulnerabilities. The big three cloud providers - AWS, Microsoft Azure and Google Cloud - have also put measures in place to mitigate the impact of Foreshadow, but Red Hat has warned that one of the recommended mitigation measures - disabling hyper-threading - can have a notable impact on performance and availability, with losses in the region of 30% and 50%, respectively.

The forthcoming generation of Intel processors, starting with the upcoming 'Cascade Lake' Xeon Scalable processors, will also address Meltdown, Spectre and Foreshadow at the hardware level.

Intel has stated that it is "not aware of reports that any of these methods have been used in real-world exploits", but reminded customers to adhere to best practices and apply all available patches.