Intel L1 Terminal Fault – Foreshadow

We Live in the Cloud

Intel L1 Terminal Fault – Foreshadow

15th August 2018 vSphere Vulnerabilities 0

2018 hasn’t been too good for Intel in terms of Security.  Sadly a new vulnerability has been found in Intel Core and Xeon Processors.  Impacted processors include:

Intel Core™ i3/i5/i7/M processor (45nm and 32nm)
2nd/3rd/4th/5th/6th/7th/8th generation Intel Core processors
Intel Core X-series Processor Family for Intel X99 and X299 platforms
Intel Xeon processor 3400/3600/5500/5600/6500/7500 series
Intel Xeon Processor E3 v1/v2/v3/v4/v5/v6 Family
Intel® Xeon® Processor E5 v1/v2/v3/v4 Family
Intel® Xeon® Processor E7 v1/v2/v3/v4 Family
Intel® Xeon® Processor Scalable Family
Intel® Xeon® Processor D (1500, 2100)

“Intel was notified of the first bug on Jan. 3, 2018. Intel then identified two closely related variants, Foreshadow-Next Generation (NG). Intel calls this entire new class of speculative execution side channel vulnerabilities “L1 Terminal Fault” (L1TF).” [Source: ZDnet]

Foreshadow could allow attackers to hack an application and gain access to data which is stored in memory, files or encryption keys.  You can read more from the team who found the vulnerability here:  https://foreshadowattack.eu/

The three vulnerabilities that have been found are:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3620

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3615

The CVE-2018-3646 is the main one that affects Virtual Machines.

Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis.  The result of which means that a VM could potentially read information from the host and gain access to it’s memory pages!

VMware are aware and have links that show which version of VMware Products are affected.  As you would expect, I cannot stress enough, the value of keeping your software on a supported version, and as you will notice, version 5.5 is the oldest version in support.  Had this vulnerability come to light after the 19th of September, we potentially may not have seen any updates or patches for 5.5.

https://www.vmware.com/security/advisories/VMSA-2018-0020.html

https://kb.vmware.com/s/article/55636