ALERT: Foreshadow and Foreshadow NG

August 17, 2018 | Security News

On 15 August 2018, information was released regarding three new Intel CPU vulnerabilities that may be exploited to steal data from computers.

  • CVE-2018-3615 (SGX, SMM – Foreshadow)
  • CVE-2018-3646 (VMM – Foreshadow NG)
  • CVE-2018-3620 (OS – Foreshadow NG)

Much like the Meltdown and Spectre vulnerabilities revealed earlier in the year, these new vulnerabilities take advantage of performance optimisation techniques to bypass security mechanisms built into the chips. The Foreshadow vulnerabilities target a different optimisation technique, potentially allowing access to a broader scope of data than Meltdown and Spectre, including data from other virtual machines in a virtualised environment.

Successful exploitation of these vulnerabilities would require an attacker to run malicious code on a targeted system. There are currently no known exploits being used against these vulnerabilities, and researchers have not yet released proof-of-concept code for them.

We recommend that all clients assess their risk and appropriately patch systems to protect their environments against these vulnerabilities.  Care should be taken to read all patching instructions and release notes as well as perform thorough testing to avoid unexpected outages or performance impacts. Vendors have indicated that some performance impact should be expected for certain workloads.

Mitigation steps may involve processor microcode updates in addition to OS and virtualisation vendor updates, and in some cases may involve configuration options, including enabling new technologies and disabling HyperThreading. Please refer to vendor guidance on opt-in steps, which will include, for example, the scenarios in which disabling HyperThreading is and is not recommended.

Processor microcode previously released by Intel in Q2 includes updates that address these new vulnerabilities.   We recommend that clients test and apply the latest microcode updates to all affected systems.
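One way to check the result of patching on Linux hosts, as an added example that is not part of the original advisory: the script classifies the L1TF (Foreshadow / Foreshadow NG) status line that patched kernels publish in sysfs, including the case where HyperThreading (SMT) leaves a virtualisation host exposed. The function names and verdict words are assumptions of this example, and it assumes a Linux host; other platforms need their vendor's tooling.

```shell
#!/bin/sh
# Added example (not from the advisory): interpret the Linux kernel's L1TF report.
# Assumption: a Linux host exposing the sysfs files below.
L1TF_FILE=/sys/devices/system/cpu/vulnerabilities/l1tf
SMT_FILE=/sys/devices/system/cpu/smt/control

# classify_l1tf STATUS -> prints one verdict word for a kernel status line.
classify_l1tf() {
    case $1 in
        "Not affected"*)
            echo not-affected ;;
        Vulnerable*)
            echo vulnerable ;;
        Mitigation:*"VMX: vulnerable"*)
            # OS-level fix present, but L1D is not flushed on VM entry (CVE-2018-3646).
            echo vmx-unmitigated ;;
        Mitigation:*"SMT vulnerable"*)
            # L1D flushing is on, yet a sibling hyperthread still shares the L1D cache.
            echo smt-exposed ;;
        Mitigation:*)
            echo mitigated ;;
        *)
            echo unknown ;;
    esac
}

# needs_action VERDICT -> exit status 0 when the host needs follow-up.
needs_action() {
    case $1 in
        not-affected|mitigated) return 1 ;;
        *) return 0 ;;
    esac
}

# report_host: print this machine's status, if the kernel exposes one.
report_host() {
    if [ ! -r "$L1TF_FILE" ]; then
        echo "l1tf: no kernel report available (older kernel or non-Linux host)"
        return 0
    fi
    status=$(cat "$L1TF_FILE")
    smt=unknown
    if [ -r "$SMT_FILE" ]; then smt=$(cat "$SMT_FILE"); fi
    echo "l1tf: $(classify_l1tf "$status") [$status] smt-control=$smt"
}

report_host
```

A verdict of `smt-exposed` or `vmx-unmitigated` on a host that runs untrusted guests is the situation where the vendor guidance on HyperThreading and L1D flushing applies.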

CCL’s Polaris Platform
CCL is programmatically addressing the identified vulnerabilities at the hypervisor levels.  Clients are responsible for patching their Operating Systems residing on the platform unless these are managed by CCL.  Additional information will be provided through standard change control notifications or directly from your Client Relationship Manager.

Public Cloud Platforms
All major public cloud providers have actively patched their environments and have taken steps to protect workloads:

https://cloud.google.com/blog/products/gcp/protecting-against-the-new-l1tf-speculative-vulnerabilities

https://aws.amazon.com/security/security-bulletins/AWS-2018-019/

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/mitigate-se

Client Dedicated Virtual Platforms, On-premise Private Cloud and On-premise Infrastructure
For dedicated virtualisation platforms, patching may be required at the hardware microcode and operating system level in addition to the hypervisor and may also require additional configuration changes depending on what features and products are being used.  Please refer to applicable vendor guidance for detailed mitigation requirements.  Links for the major vendors are included below.

In some cases, mitigation steps may have performance impacts.  We recommend thorough testing as part of the standard patching process.

If you have any questions or concerns, please do not hesitate to contact your Client Relationship Manager or the CCL Service Desk on 0800 225 737 or support@concepts.co.nz.

Additional Information:

https://foreshadowattack.eu/

https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

https://kb.vmware.com/s/article/55636

https://kb.vmware.com/s/article/55806

https://www.vmware.com/security/advisories/VMSA-2018-0020.html

https://www.vmware.com/security/advisories/VMSA-2018-0021.html

https://blogs.technet.microsoft.com/srd/2018/08/10/analysis-and-mitigation-of-l1-terminal-fault-l1tf/

https://support.microsoft.com/en-us/help/4457951/windows-server-guidance-to-protect-against-l1-terminal-fault

https://blogs.technet.microsoft.com/virtualization/2018/08/14/hyper-v-hyperclear/

https://blogs.oracle.com/oraclesecurity/intel-l1tf

Sam Bennett
