Researchers from the Vrije Universiteit Amsterdam (VU Amsterdam) and ETH Zurich have discovered a new vulnerability affecting Intel processors. The bug was named CrossTalk, and it allows malicious code running on one processor core to leak data from software running on another core (including Intel SGX enclaves).
Researchers explain that CrossTalk is another variation of the MDS bug. Let me remind you that the problems of Microarchitectural Data Sampling (MDS) were discovered in Intel processors in the spring of 2019.
At that time the experts identified four new vulnerabilities at once and divided them into three groups: RIDL, Fallout and ZombieLoad (CVE-2018-12130, CVE-2018-12126, CVE-2018-12127 and CVE-2018-11091). Like the widely publicized Spectre and Meltdown vulnerabilities, the new bugs turned out to be tied to the speculative execution mechanism. They allowed an attacker to read data from places he should not have access to (the OS kernel, other processes, Software Guard eXtensions enclaves), and then steal passwords, cryptographic keys and other data.
CrossTalk attacks data while it is being processed by the Line Fill Buffer (LFB), one of the CPU's cache structures. According to the experts, the problem is that the LFB in fact works with a previously undocumented "staging buffer", which is shared by all processor cores.
“Using CrossTalk, we found that various instructions execute offcore requests to read data from a staging buffer shared by all CPU cores. We noticed that this staging buffer contains confidential information, including the output of the hardware Digital Random Number Generator (DRNG), and that such data can be leaked across cores using RIDL (aka MDS) attacks,” the experts write.
The video below demonstrates how CrossTalk is used to attack the staging buffer through the LFB, which then leads to data leaking from other cores (the video shows the leak of an Intel SGX key).
It is worth noting that the researchers not only created a dedicated website for the CrossTalk problem, but also prepared a detailed technical report about the vulnerability and published a PoC exploit on GitHub.
The research team writes that it worked with Intel on fixing the CrossTalk problem for more than 20 months (since September 2018). The experts explain that, because of the complexity of the problem, fixing the vulnerability took much longer than the standard 90 days; in addition, the possibility of a cross-core leak was initially not considered at all.
Intel engineers, in turn, published their own report, in which they state that they have already made significant changes to their CPUs, and that for most recent products CrossTalk is not a threat.
For older processors, a microcode update addressing CrossTalk was released this week: the Special Register Buffer Data Sampling update (SRBDS, CVE-2020-0543, Intel-SA-00320).
A complete list of more than fifty vulnerable processors (mobile, desktop and server) can be found here. In particular, the attack is dangerous for 3rd through 10th generation Core processors, Core X-Series, Pentium, Celeron and Xeon E3.
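Since the fix ships as a microcode update, the practical question for an administrator is whether the running kernel sees that mitigation in place. The following script is an added example and is not code from the article, the researchers or Intel: it reads the Linux kernel's own SRBDS status entry under /sys/devices/system/cpu/vulnerabilities/srbds (the path and the status strings are those documented by the kernel for this CVE) and classifies the result. The sample status strings used in the comments and tests are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the article): check whether the Linux kernel reports
# the SRBDS / CrossTalk (CVE-2020-0543) microcode mitigation as active.
# Status strings follow the kernel's own hw-vuln documentation for SRBDS.

SRBDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/srbds

# srbds_classify STATUS -> prints one of: ok, vulnerable, unknown
# Pure string logic so it can be exercised offline with constructed values.
srbds_classify() {
    case "$1" in
        "Not affected"*)             echo ok ;;          # CPU not in Intel's affected list
        "Mitigation: Microcode"*)    echo ok ;;          # updated microcode is loaded
        "Mitigation: TSX disabled"*) echo ok ;;          # only reachable via TSX, and TSX is off
        "Vulnerable: No microcode"*) echo vulnerable ;;  # affected CPU, microcode update not installed
        "Vulnerable"*)               echo vulnerable ;;  # affected CPU, mitigation explicitly disabled
        *)                           echo unknown ;;     # e.g. "Unknown: Dependent on hypervisor status", or empty
    esac
}

# srbds_check [PATH] -> prints the raw status and returns
#   0 = mitigated or not affected, 1 = vulnerable, 2 = status cannot be determined.
# PATH defaults to the real sysfs entry; a stand-in file can be passed for testing.
srbds_check() {
    path="${1:-$SRBDS_SYSFS}"
    if [ ! -r "$path" ]; then
        # Entry absent: kernel predates the srbds reporting (or is not an x86 build).
        echo "srbds: $path not present; kernel does not report SRBDS status" >&2
        return 2
    fi
    status=$(cat "$path")
    echo "srbds: $status"
    case "$(srbds_classify "$status")" in
        ok)         return 0 ;;
        vulnerable) return 1 ;;
        *)          return 2 ;;
    esac
}

# Live check only when invoked with the "check" argument, so the functions can
# also be sourced into other scripts or test harnesses without side effects.
if [ "${1:-}" = check ]; then
    srbds_check
    exit $?
fi
```

Run it as `sh srbds_check.sh check`; a return code of 1 on an affected CPU means the SRBDS microcode has not been applied (or the mitigation was turned off on the kernel command line), and 2 means the kernel is too old to report the status at all, which is worth treating as unknown rather than safe. On a virtual machine the hypervisor controls microcode loading, which is why the kernel reports a dedicated "Unknown" status there.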
At the same time, Intel representatives emphasize that, as of today, there is hardly any evidence of real attacks using CrossTalk outside a controlled test environment.