Image: Intel

Earlier this week, researchers with the University of Michigan, University of Adelaide, and Data61 uncovered yet another speculative execution attack affecting Intel CPUs: “CacheOut.” This new vulnerability, which lets attackers trigger selective data leaks by exploiting a processor’s cache eviction feature, is serious enough to violate “nearly every hardware-based security domain, leaking data from the OS kernel, co-resident virtual machines, and even SGX enclaves.”

Intel has a list of processors that are definitely affected, but researchers suggest that there could be quite a few more (“every Intel CPU released before Q4 2018”). While some of the company’s microcode updates mitigate CacheOut to some extent, Intel has announced that it is preparing stronger fixes for it and two related vulnerabilities, ZombieLoad and RIDL. According to an update on the former’s site, Intel’s initial mitigations weren’t good enough.

“On January 27th, 2020, an embargo ended showing that the mitigations against MDS attacks released in May 2019 are insufficient. With L1D Eviction Sampling, an attacker can still mount ZombieLoad to leak data that is being evicted from the L1D cache.”

“We disclosed this issue to Intel on May 16th, 2019. However, as microcode updates containing the necessary fixes are not yet available, we are not releasing any proof-of-concept code.”

Intel says that it is still conducting research, but the new mitigations should be available “in the near future.” The CacheOut flaw, which is being tracked as CVE-2020-0549, has been given a severity score of 6.5 (medium).

Don’t Miss Out on More FPS Review Content!

Our weekly newsletter includes a recap of our reviews and a run down of the most popular tech news that we published.

Join the Conversation

3 Comments

  1. Thanks for working on a new fix. How about you stop taking security as a second thought to performance mmmkay?

  2. Wow.

    It’s just one after another.

    Has anyone done a good performance review comparing initial launch performance of Intel CPU’s, and then trended it over time as patch upon patch against speculative hardware attacks pile up?

    Would be interesting to see just how much performance has been hit.

  3. [QUOTE=”Zarathustra, post: 9823, member: 203″]
    Wow.

    It’s just one after another.

    Has anyone done a good performance review comparing initial launch performance of Intel CPU’s, and then trended it over time as patch upon patch against speculative hardware attacks pile up?

    Would be interesting to see just how much performance has been hit.
    [/QUOTE]
    Bulldozer territory?

Leave a comment