Official info website
Another day, another speculative execution vulnerability found inside Intel processors. This time we are getting a new vulnerability called "CacheOut", named after the exploitation's ability to leak data stored inside CPU's cache memory. Dubbed CVE-2020-0549: "L1D Eviction Sampling (L1Des) Leakage" in the CVE identifier system, it is rated with a CVSS score of 6.5. Despite Intel patching a lot of similar exploits present on their CPUs, the CacheOut attack still managed to happen.
From the CacheOut website:
Am I affected by this vulnerability?
Probably yes, unless you happen to have a CPU released after Q4 2018.
For a select number of processors released after Q4 2018, Intel inadvertently managed to partially mitigate this issue while addressing a previous issue called TSX Asynchronous Abort (TAA). See Section 9 in our our paper.
A list of affected products can be found here
- AMD is not affected by CacheOut, as AMD does not offer any feature akin to Intel TSX on their current offering of CPUs.
- CacheOut is related to, and inspired by, previous work in speculative execution, including Spectre and Meltdown. Moreover, CacheOut bypasses the hardware mitigations released by Intel in response to Meltdown, thereby necessitating additional software fixes.
- Microarchitectural Data Sampling (MDS) shows that an attacker can sample in-flight data from various microarchitectural buffers. As a response to this, Intel recommends that operating system vendors overwrite the contents of these buffers. However, CacheOut demonstrates that this mitigation is incomplete, as we can force the victim's data out of the L1-D Cache into the microarchitectural buffers after the operating system clears them. We then subsequently leak the contents of the buffers and obtain the victim's data.
- We would like to thank Intel for working with us during the responsible disclosure.
- This research was supported by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory (AFRL) under contract FA8750-19-C0531, by an Australian Research Council Discovery Early Career Researcher Award (project number DE200101577), and by generous gifts from Intel and AMD.