What happened?

Security researchers have discovered a speculative execution side-channel attack targeting Intel processors that can allow unauthorized programs to steal sensitive information held in the L1 data cache. The attack has been named the “Foreshadow attack”.

The vulnerability can be exploited through different components. Three versions have been identified:

The first version of the attack targets Intel's SGX (Software Guard Extensions) feature. SGX normally allows private memory regions to be allocated on the L1 data cache to protect users' data, but researchers have successfully extracted data from it.

The second and third versions target the operating system (OS) kernel, System Management Mode (SMM) and virtual machines (VM). Data in the L1 data cache has been disclosed using local user access or guest OS privilege, via a terminal page fault and side-channel analysis.

Cloud providers and hypervisors are also impacted, as a virtual machine can possibly access the memory of another virtual machine running on the same host, meaning that a malicious customer could steal other customers' information.

Here is the list of affected Intel processors: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

Details of the vulnerability

CVE-2018-3615 for attacking SGX

Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.

CVE-2018-3620 for attacking the OS Kernel and SMM mode

Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.

CVE-2018-3646 for attacking virtual machines

Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis.

Statements on our products

Rohde and Schwarz Application Security products are not affected because they do not execute untrusted data. Nevertheless, the operating systems will be updated as soon as fixes are released, to keep them safe from the Foreshadow vulnerabilities in any case.

However, please note that when the products run in a virtual machine, information from WAF products (including secrets) may be leaked to other untrusted virtual machines running on the same vulnerable host. We therefore advise updating hypervisors, processor microcode, and all guest systems running on the same host.
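
One way to verify the result of these updates on a Linux host or guest, as an added example that is not part of the original advisory or of any Rohde and Schwarz tooling: it classifies the status line the Linux kernel reports in /sys/devices/system/cpu/vulnerabilities/l1tf (L1TF is the kernel's name for Foreshadow). The verdict words and the sample lines are assumptions constructed for this example, following the status format documented by the kernel.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's L1TF (Foreshadow) status line.
L1TF_FILE=/sys/devices/system/cpu/vulnerabilities/l1tf

# classify_l1tf STATUS -> prints one verdict word (names chosen for this example):
#   not-affected  CPU is not subject to L1TF
#   vulnerable    kernel has no L1TF mitigation active
#   mitigated     host kernel protected and no guest exposure reported
#   partial       host kernel protected, but guests can still leak L1D data
#   unknown       unrecognised status text
classify_l1tf() {
    s=$1
    case "$s" in
        "Not affected"*) echo not-affected; return ;;
        "Vulnerable"*)   echo vulnerable;   return ;;
        "Mitigation:"*)  ;;                 # inspect the VMX/SMT details below
        *)               echo unknown;      return ;;
    esac
    # A VMX section appears once the KVM Intel module is in use (hypervisor role).
    case "$s" in
        *"VMX: vulnerable"*|*"SMT vulnerable"*) echo partial; return ;;
    esac
    echo mitigated
}

# Constructed sample lines in the kernel's documented format (not captured output).
for sample in \
    "Not affected" \
    "Vulnerable" \
    "Mitigation: PTE Inversion" \
    "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable" \
    "Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled"
do
    printf '%-74s -> %s\n' "$sample" "$(classify_l1tf "$sample")"
done

# Live check on the current machine, if the kernel exposes the report.
if [ -r "$L1TF_FILE" ]; then
    live=$(cat "$L1TF_FILE")
    echo "this host: $live -> $(classify_l1tf "$live")"
else
    echo "this host: $L1TF_FILE not readable (kernel without L1TF reporting)"
fi
```

A "partial" verdict on a hypervisor corresponds to the cross-VM case described above: the host kernel is protected, but guest isolation still depends on the L1D flush and SMT settings.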

R&S®Web Application Firewall

Kernel updates will be available for the forthcoming versions:

  • R&S®Web Application Firewall 6.5.1 (LTS)

  • i-Suite 5.5.14 (LTS)

  • DAOS 10.5.5 for rWeb

R&S®Cloud Protector

The cloud provider for Cloud Protector is currently validating patches to be deployed on its platform.

EDIT 30/08/2018: Updates have been done by the cloud provider. The platform is no longer vulnerable to the Foreshadow vulnerabilities.

R&S®Vulnerability Manager

A kernel update for Ubuntu is available. To perform the update, open the administration interface, go to Configuration and Check for updates.