/>
X

All the major Intel vulnerabilities

A list of all the major vulnerabilities that impact Intel processors.

|
catalin-cimpanu.jpg
|
Topic: Security
Meltdown
1 of 19 Catalin Cimpanu/ZDNet

Meltdown

According to researchers, Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

Meltdown, together with the Spectre vulnerability, was disclosed in January 2018 and showed the world that today's CPU hardware was inherently flawed as CPU makers chased performance with little regard to data security.

Spectre
2 of 19 Catalin Cimpanu/ZDNet

Spectre

According to researchers, Spectre breaks the isolation between different applications and allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. Per researchers, the very same safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

While the Meltdown attack impacted only Intel CPUs, Spectre was an industry-wide problem, also impacting AMD and ARM processors as well.

Just like Meltdown, Spectre is the result of performance-driven design. The vulnerability leaks data from a CPU's "speculative execution," a series of operations that CPUs calculate in advance to guess a possible outcome and cut down future computing time.

Zombieload
3 of 19 Catalin Cimpanu/ZDNet

ZombieLoad

The ZombieLoad attack allows stealing sensitive data while the computer accesses them. While programs normally only see their own data, a malicious program can exploit internal CPU buffers to get hold of secrets currently processed by other running programs.

Zombieload is part of a class of vulnerabilities that named Microarchitectural Data Sampling attacks, or MDS attacks, that target a CPU's microarchitectural data structures, such as the load, store, and line fill buffer caches. More specifically, ZombieLoad exploits the line buffer cache to extract data from a CPU's internal cache. Other MDS attacks are RIDL and Fallout.

RIDL
4 of 19 Catalin Cimpanu/ZDNet

RIDL

RIDL is part of a class of vulnerabilities impacting modern processors that are named Microarchitectural Data Sampling attacks, or MDS attacks. These attacks target a CPU's microarchitectural data structures, such as the load, store, and line fill buffer caches.

More specifically, RIDL exploits a hardware design flaw in the line buffer cache to extract secret data from a CPU's sensitive areas. It is similar to ZombieLoad, however, different, and was discovered by a different set of academics.

According to the research team, "attackers who can run unprivileged code on machines with recent Intel CPUs - whether using shared cloud computing resources, or using JavaScript on a malicious website or advertisement - can steal data from other programs running on the same machine, across any security boundary: other applications, the operating system kernel, other VMs (e.g., in the cloud), or even secure (SGX) enclaves. "

Fallout
5 of 19 Catalin Cimpanu/ZDNet

Fallout

Fallout is in the same class of MDS attacks as ZombieLoad and RIDL, but unlike the first two, Fallout uses bugs in the store buffer cache to leak data from within a vulnerable CPU.

According to researchers:

"Fallout demonstrates that attackers can leak data from Store Buffers, which are used every time a CPU pipeline needs to store any data. Making things worse, an unprivileged attacker can then later pick which data they leak from the CPU's Store Buffer."

In practice, it has been shown that Fallout can break Kernel Address Space Layout Randomization (KASLR), as well as leak sensitive data written to memory by the operating system kernel.

SWAPGS Attack
6 of 19 Catalin Cimpanu/ZDNet

SWAPGS Attack

Discovered by Bitdefender researchers, the SWAPGS attack is also a vulnerability in the speculative execution feature of modern CPUs.

Per researchers, this attack takes advantage of a combination of Intel speculative execution of the SWAPGS instruction set and how the Windows operating systems handles SWAPGS within what is known as a gadget. The combination of SWAPGS and Windows can lead to situations were data can be extracted from an Intel CPU.

LVI
7 of 19 Catalin Cimpanu/ZDNet

LVI

LVI (or Load Value Injection) is a reverse of the Meltdown attack. Instead of leaking data from an Intel CPU, LVI lets an attacker inject and modify data that is already inside the CPU's speculative execution processes.

In practice, the attack has been used to leak data from Intel SGX enclaves.

While Meltdown could be mitigated through software mitigations, LVI requires a redesign of the CPU hardware.

Foreshadow
8 of 19 Catalin Cimpanu/ZDNet

Foreshadow

Foreshadow, or L1TF, is a speculative execution attack on Intel processors which allows an attacker to steal sensitive information stored inside personal computers or third party clouds.

Foreshadow has two versions, the original attack designed to extract data from SGX enclaves and a Next-Generation version which affects Virtual Machines (VMs), hypervisors (VMM), operating system (OS) kernel memory, and System Management Mode (SMM) memory.

Snoop
9 of 19 Catalin Cimpanu/ZDNet

Snoop

The Snoop attack can leak data by abusing the internal mechanism (bus snooping) that Intel CPUs employ to keep their multiple cache levels in sync (an operation known as cache coherence).

The attack can be mitigated by applying the patches for the Foreshadow (L1TF) attack.

PortSmash
10 of 19 Catalin Cimpanu/ZDNet

PortSmash

PortSmash impacts all CPUs that use a Simultaneous Multithreading (SMT) architecture, a technology that allows multiple computing threads to be executed simultaneously on a CPU core.

Attackers can run a PortSmash attack that then leaks data from nearby processes running on the same CPU. Researchers say they've already confirmed that PortSmash impacts Intel CPUs which support the company's Hyper-Threading (HT) technology, Intel's proprietary implementation of SMT.

LazyFP
11 of 19 Catalin Cimpanu/ZDNet

LazyFP

LazyFP is a vulnerability that also resides in the way modern CPUs handle speculative execution processes, and more exactly, in how they handle context switching on the floating point unit (FPU).

BranchScope
12 of 19 Catalin Cimpanu/ZDNet

BranchScope

BranchScope is a side-channel leak that occurs during speculative execution. More precisely, it's a leak that happens when an attacker manipulates the shared directional branch predictor.

The attack has been used in tests to leak data from Intel SGX enclaves. See more in this PDF paper.

Spoiler
13 of 19 Catalin Cimpanu/ZDNet

Spoiler

Spoiler is, too, a vulnerability in the speculative execution feature of Intel CPUs. It is different from all the other speculative execution security bugs because it does not leak data, but is used to improve another attack, namely Rowhammer, which doesn't leak data from the CPU, but from the RAM.

NetCAT
14 of 19 Catalin Cimpanu/ZDNet

NetCAT

NetCAT is a vulnerability that impacts Intel's line of server-grade CPUs. Namely, it is a vulnerability in all Intel chips that support the Data-Direct I/O Technology (Intel DDIO) and Remote Direct Memory Access (RDMA) features.

The NetCAT attack can be carried out remotely, via a network connection, to leak data processed by these features, such as SSH session keys, and others.

SgxPectre
15 of 19 Catalin Cimpanu/ZDNet

SgxPectre

SgxPectre is a variation of the original Spectre attack, adapted specifically for leaking data from CPU secure enclaves by exploiting bugs in the software development kits used to build the enclave's software.

Vulnerable SGX development kits include the Intel SGX SDK, Rust-SGX, and Graphene-SGX.

SpectreRSB
16 of 19 Catalin Cimpanu/ZDNet

SpectreRSB

As the name implies, SpectreRSB is also a variation of the Spectre attack. It exploits hardware design flaws in the return stack buffer (RSB) of modern CPUs, including Intel.

Proof of concept attacks have shown SpectreRSB can be used to leak data from the CPU cache's RSB, but also from Intel SGX enclaves.

TPM-Fail
17 of 19 Catalin Cimpanu/ZDNet

TPM-Fail

TPM-Fail is a vulnerability that impacts Intel firmware-based trsuted platform module (fTPM), which runs on a separate microprocessor inside the main Intel CPU.

The attack takes from minutes to hours to run, and can result in the leak of sensitive encryption keys.

Plundervolt
18 of 19 Catalin Cimpanu/ZDNet

Plundervolt

The Plundervolt attack exploits the interface through which an operating system can control an Intel processor's voltage and frequency, namely the Dynamic Voltage and Frequency Scaling (DVFS) system.

It is based on the CLKSCREW attack that abused frequency adjustments to leak data from ARM chipsets. Plundervolt is different because it uses rogue voltage adjustments to leak data from Intel chipsets.

Plundervolt is also known as VoltJockey and V0LTpwn, names given by two other teams of academics who also (independently) discovered the same attack.

Platypus
19 of 19 Catalin Cimpanu/ZDNet

Platypus

The Platypus attack can steal data from Intel CPUs by using the Intel RAPL interface to monitor power consumption values inside the CPU and infer what kind of data is being processed inside.

The difference between PlunderVolt and Platypus is that PlunderVolt is an active attack that infers data by modifying power values, while Platypus is a passive attack that infers data just by looking at the power consumption data.

Related Galleries

Yubikey Security Key C NFC
Security Key C NFC

Related Galleries

Yubikey Security Key C NFC

First look at the YubiKey Bio
YubiKey Bio

Related Galleries

First look at the YubiKey Bio

iVerify (version 17)
iVerify for iOS and iPadOS

Related Galleries

iVerify (version 17)

OnlyKey hardware security key
OnlyKey

Related Galleries

OnlyKey hardware security key

SoloKeys Solo V2
Solo V2

Related Galleries

SoloKeys Solo V2

iVerify: Added security for iPhone and iPad users
iVerify

Related Galleries

iVerify: Added security for iPhone and iPad users

iStorage datAshur BT hardware encrypted flash drive
iStorage datAshur BT

Related Galleries

iStorage datAshur BT hardware encrypted flash drive