{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2018-020.pdf"
    },
    "title": "Speculative Execution Attack on Intel Processors",
    "serial_number": "2018-020",
    "publish_date": "17-08-2018 08:04:00",
    "description": "In January 2018, two separate teams discovered flaws in Intel processor<br>allowing speculative execution attacks and notified Intel of their researches. On 14th of August 2018, the vulnerabilities were disclosed publicly under the name Foreshadow. Based on the provided technical details Intel investigated further and identified two other attack channel with the potential to impact additional microprocessors, operating systems, system management mode, and virtualization software.",
    "url_title": "2018-020",
    "content_markdown": "---\ntitle: 'Speculative Execution Attack on\u00a0Intel\u00a0Processors'\nversion: '1.0'\nnumber: '2018-020'\ndate: 'August 16, 2018'\n---\n\n_History:_\n\n* _16/08/2018 --- v1.0: Initial publication_\n\n# Summary\n\nIn January 2018, two separate teams discovered flaws in Intel processor allowing speculative execution attacks and notified Intel of their researches [1]. On 14th of August 2018, the vulnerabilities were disclosed publicly under the name **Foreshadow** [2].\n\nBased on the provided technical details Intel investigated further and identified two other attack channel with the potential to impact additional microprocessors, operating systems, system management mode, and virtualization software [3].\n\nIntel published a security advisory providing guidance to mitigate these issues [3].\n\n# Technical Details\n\nThe three vulnerabilities received CVEs:\n\n - CVE-2018-3615 - L1 Terminal Fault: SGX\n - CVE-2018-3620 - L1 Terminal Fault: OS/SMM\n - CVE-2018-3646 - L1 Terminal Fault: VMM\n\nThese three vulnerabilities may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user authorization.\n\nL1 Terminal Fault (L1TF) happens because of a CPU optimization on page table walk. By exploiting terminal page fault exception on vulnerable CPUs, an attacker can initiate a read and forward from the L1 cache data, leading to disclosure of the data stored in the physical address referenced by the virtual address if it exist in the L1 data cache.\n\n# Products Affected\n\nAll operating systems or equipments running on the following processor may be affected by the vulnerabilities:\n\n - Intel\u00ae CoreTM i3 processor (45nm and 32nm)\n - Intel\u00ae CoreTM i5 processor (45nm and 32nm)\n - Intel\u00ae CoreTM i7 processor (45nm and 32nm)\n - Intel\u00ae CoreTM M processor family (45nm and 32nm)\n - 2nd generation Intel\u00ae CoreTM processors\n - 3rd generation Intel\u00ae CoreTM processors\n - 4th generation Intel\u00ae CoreTM processors\n - 5th generation Intel\u00ae CoreTM processors\n - 6th generation Intel\u00ae CoreTM processors\n - 7th generation Intel\u00ae CoreTM processors\n - 8th generation Intel\u00ae CoreTM processors\n - Intel\u00ae CoreTM X-series Processor Family for Intel\u00ae X99 platforms\n - Intel\u00ae CoreTM X-series Processor Family for Intel\u00ae X299 platforms\n - Intel\u00ae Xeon\u00ae processor 3400 series\n - Intel\u00ae Xeon\u00ae processor 3600 series\n - Intel\u00ae Xeon\u00ae processor 5500 series\n - Intel\u00ae Xeon\u00ae processor 5600 series\n - Intel\u00ae Xeon\u00ae processor 6500 series\n - Intel\u00ae Xeon\u00ae processor 7500 series\n - Intel\u00ae Xeon\u00ae Processor E3 Family\n - Intel\u00ae Xeon\u00ae Processor E3 v2 Family\n - Intel\u00ae Xeon\u00ae Processor E3 v3 Family\n - Intel\u00ae Xeon\u00ae Processor E3 v4 Family\n - Intel\u00ae Xeon\u00ae Processor E3 v5 Family\n - Intel\u00ae Xeon\u00ae Processor E3 v6 Family\n - Intel\u00ae Xeon\u00ae Processor E5 Family\n - Intel\u00ae Xeon\u00ae Processor E5 v2 Family\n - Intel\u00ae Xeon\u00ae Processor E5 v3 Family\n - Intel\u00ae Xeon\u00ae Processor E5 v4 Family\n - Intel\u00ae Xeon\u00ae Processor E7 Family\n - Intel\u00ae Xeon\u00ae Processor E7 v2 Family\n - Intel\u00ae Xeon\u00ae Processor E7 v3 Family\n - Intel\u00ae Xeon\u00ae Processor E7 v4 Family\n - Intel\u00ae Xeon\u00ae Processor Scalable Family\n - Intel\u00ae Xeon\u00ae Processor D (1500, 2100)\n\n# Recommendations\n\nCheck your Operating System provider for update mitigating these vulnerabilities. For Windows systems, Microsoft published an advisory detailing affected versions [4].\n\n# References\n\n[1] <https://foreshadowattack.eu/>\n\n[2] <https://www.youtube.com/watch?v=ynB1inl4G3c>\n\n[3] <https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html>\n\n[4] <https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv180018>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>16/08/2018 --- v1.0: Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>In January 2018, two separate teams discovered flaws in Intel processor allowing speculative execution attacks and notified Intel of their researches [1]. On 14th of August 2018, the vulnerabilities were disclosed publicly under the name <strong>Foreshadow</strong> [2].</p><p>Based on the provided technical details Intel investigated further and identified two other attack channel with the potential to impact additional microprocessors, operating systems, system management mode, and virtualization software [3].</p><p>Intel published a security advisory providing guidance to mitigate these issues [3].</p><h2 id=\"technical-details\">Technical Details</h2><p>The three vulnerabilities received CVEs:</p><ul><li>CVE-2018-3615 - L1 Terminal Fault: SGX</li><li>CVE-2018-3620 - L1 Terminal Fault: OS/SMM</li><li>CVE-2018-3646 - L1 Terminal Fault: VMM</li></ul><p>These three vulnerabilities may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user authorization.</p><p>L1 Terminal Fault (L1TF) happens because of a CPU optimization on page table walk. By exploiting terminal page fault exception on vulnerable CPUs, an attacker can initiate a read and forward from the L1 cache data, leading to disclosure of the data stored in the physical address referenced by the virtual address if it exist in the L1 data cache.</p><h2 id=\"products-affected\">Products Affected</h2><p>All operating systems or equipments running on the following processor may be affected by the vulnerabilities:</p><ul><li>Intel\u00ae CoreTM i3 processor (45nm and 32nm)</li><li>Intel\u00ae CoreTM i5 processor (45nm and 32nm)</li><li>Intel\u00ae CoreTM i7 processor (45nm and 32nm)</li><li>Intel\u00ae CoreTM M processor family (45nm and 32nm)</li><li>2nd generation Intel\u00ae CoreTM processors</li><li>3rd generation Intel\u00ae CoreTM processors</li><li>4th generation Intel\u00ae CoreTM processors</li><li>5th generation Intel\u00ae CoreTM processors</li><li>6th generation Intel\u00ae CoreTM processors</li><li>7th generation Intel\u00ae CoreTM processors</li><li>8th generation Intel\u00ae CoreTM processors</li><li>Intel\u00ae CoreTM X-series Processor Family for Intel\u00ae X99 platforms</li><li>Intel\u00ae CoreTM X-series Processor Family for Intel\u00ae X299 platforms</li><li>Intel\u00ae Xeon\u00ae processor 3400 series</li><li>Intel\u00ae Xeon\u00ae processor 3600 series</li><li>Intel\u00ae Xeon\u00ae processor 5500 series</li><li>Intel\u00ae Xeon\u00ae processor 5600 series</li><li>Intel\u00ae Xeon\u00ae processor 6500 series</li><li>Intel\u00ae Xeon\u00ae processor 7500 series</li><li>Intel\u00ae Xeon\u00ae Processor E3 Family</li><li>Intel\u00ae Xeon\u00ae Processor E3 v2 Family</li><li>Intel\u00ae Xeon\u00ae Processor E3 v3 Family</li><li>Intel\u00ae Xeon\u00ae Processor E3 v4 Family</li><li>Intel\u00ae Xeon\u00ae Processor E3 v5 Family</li><li>Intel\u00ae Xeon\u00ae Processor E3 v6 Family</li><li>Intel\u00ae Xeon\u00ae Processor E5 Family</li><li>Intel\u00ae Xeon\u00ae Processor E5 v2 Family</li><li>Intel\u00ae Xeon\u00ae Processor E5 v3 Family</li><li>Intel\u00ae Xeon\u00ae Processor E5 v4 Family</li><li>Intel\u00ae Xeon\u00ae Processor E7 Family</li><li>Intel\u00ae Xeon\u00ae Processor E7 v2 Family</li><li>Intel\u00ae Xeon\u00ae Processor E7 v3 Family</li><li>Intel\u00ae Xeon\u00ae Processor E7 v4 Family</li><li>Intel\u00ae Xeon\u00ae Processor Scalable Family</li><li>Intel\u00ae Xeon\u00ae Processor D (1500, 2100)</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Check your Operating System provider for update mitigating these vulnerabilities. For Windows systems, Microsoft published an advisory detailing affected versions [4].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://foreshadowattack.eu/\">https://foreshadowattack.eu/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.youtube.com/watch?v=ynB1inl4G3c\">https://www.youtube.com/watch?v=ynB1inl4G3c</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html\">https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv180018\">https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv180018</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}