Don’t Get Caught in the Dark by Foreshadow

Just when we all thought that the fallout from the exposure of Spectre and Meltdown earlier this year was almost over, the release of another, related flaw proves just how fundamentally damaging and widespread these types of vulnerabilities are. This newest flaw may prove to be even more far reaching than Spectre and Meltdown, with the ability to affect virtual machines and bypass Intel’s internal software security feature, something that has previous stopped other flaws from being exploited.

The vulnerability has been dubbed Foreshadow. It is like Spectre and Meltdown in that they expose vulnerabilities in the processor’s design and release confidential, speculative data. This techniques is now known as speculative execution. And while Spectre, Meltdown and Foreshadow all utilize speculative execution in a different way to expose different data, most Spectre and Meltdown attacks were mostly able to be stopped at least by Intel’s Software Guard Extensions feature, known as SGX.

So, back in January, when researchers realized that our systems had major bugs sitting unsolved and began to anticipate where the next would come from, they looked toward the SGX. The SGX is important because it protects memory in a data cache called L1, Foreshadow tricks the operating system into releasing sensitive information to the cache and then steals it before it can be flushed out. It does this by exposing the set of keys used by SGX to perform checks on the legitimacy of the signatures. Once a key is exposed, Foreshadow generates fake signatures to gain access to the sensitive data that SGX is protecting, and SGX lets it happen because it thinks the signature is legitimate.

This is even more concerning for virtual environments. Foreshadow has the ability to interfere with the hypervisors that monitor virtual machines and trick them to giving up confidential information about other virtual machines. There has also been evidence found that Foreshadow could be exploited to remove the isolation between virtual machines, which is especially bad for companies who support shared cloud infrastructure.

The good news? Intel has already begun to patch both software and hardware holes associated with the Foreshadow vulnerability. It has been relatively simple to prevent the Foreshadow flaw from being exploited on physical machines, a software patch already been release that prevents the Operating system from releasing confidential information accidentally. In virtual environments it’s a little bit trickier, but a patch has already been developed to force the hypervisor managing the virtual machines to automatically flush the L1 cache when switching between virtual machines, preventing confidential information from being carried from one machine to the next.

Between Spectre, Meltdown and now Foreshadow, researchers have their plates full and are constantly finding new bugs in the infrastructure of our machines. So far, none of these vulnerabilities have been maliciously exploited on a large scale, but they just go to show that proactive security practices are of the upmost importance. Keeping your computers updated and keeping an eye out on vulnerabilities as they are being discovered is key to preventing one of these flaws from actually being exploited in your environment.

Have more questions on how Foreshadow may affect your business? Reach out to us! Proactive security practices are a core part of the Three Pillars of ICAP!

Infotect Web Admin