A flaw in Intel’s Software Guard Extensions implementation allows an attacker to access data stored in memory of other applications running on the same host, without the need for privilege escalation.
Background
Researchers discovered a flaw in Intel’s Software Guard Extensions (SGX) implementation that opens up a new speculative execution attack called Foreshadow (CVE-2018-3615). In addition, Intel has discovered variants allowing for Foreshadow attacks against microprocessors, system management mode (SMM) code, operating systems and Hypervisor software. These variants have been dubbed Foreshadow-NG (CVE-2018-3620 and CVE-2018-3646).
Collectively, Intel has labeled all of the speculative execution side channel vulnerabilities as L1 Terminal Faults (L1TF). Red Hat Enterprise Linux, Microsoft and other vendors have adopted this name for Foreshadow and Foreshadow-NG.
Vulnerability details
Foreshadow allows an attacker to access the data stored in memory of other applications running on the same host without needing any privilege escalation. This enables the attacker to gain access to sensitive files, data, passwords, keys, etc. The proof-of-concept code for Foreshadow has not been released and researchers suspect there wouldn’t be a way to detect exploitation, should it happen.
Foreshadow-NG allows an attacker to access memory on any Virtual Machine hosted on the same cloud, making it a high-severity issue. According to the Foreshadow researcher’s abstract: “Foreshadow-NG is the first transient execution attack that fully escapes the virtual memory sandbox.” This also includes cloud environments, which could potentially mean asset owners are at risk from their digital neighbors. To make matters worse, the way SGX has been implemented, a single SGX-compromised machine can result in the entire ecosystem becoming tainted.
Based on the information currently available, AMD/ARM-based processors are believed to be unaffected by this flaw, as they don’t implement SGX.
Urgently required actions
We highly recommend reviewing and installing security updates from your operating system and virtualization vendors. Microsoft and Red Hat have released updates to mitigate the flaws in multiple ways and to different extents. These approaches include flushing of sensitive data, rendering sensitive data inaccessible, enhancing isolation between virtual processors and other strategies.
Identifying affected systems
Plugin ID | Description |
KB4343885: Windows 10 Version 1703 August 2018 Security Update (Foreshadow) | |
KB4343887: Windows 10 Version 1607 and Windows Server 2016 August 2018 Security Update (Foreshadow) | |
KB4343892: Windows 10 August 2018 Security Update (Foreshadow) | |
KB4343897: Windows 10 Version 1709 August 2018 Security Update (Foreshadow) | |
KB4343888: Windows 8.1 and Windows Server 2012 R2 August 2018 Security Update (Foreshadow) | |
KB4343899: Windows 7 and Windows Server 2008 R2 August 2018 Security Update (Foreshadow) | |
KB4343896: Windows Server 2012 August 2018 Security Update (Foreshadow) | |
KB4343909: Windows 10 Version 1803 August 2018 Security Update (Foreshadow) | |
Security Updates for Windows Server 2008 (August 2018) (Foreshadow) |
Learn more:
- Foreshadow Publication
- Red Hat Advisory
- Microsoft Advisory
- Intel Advisory
- Cisco Advisory
Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.