Snoop vulnerability could enable attackers to steal data from Intel CPU's cache memory

Yet another Intel CPU security flaw affects both Core series and Xeon processors

Security researchers have discovered a new vulnerability in Intel processors, which could enable attackers to steal data from the CPU's cache memory.

The vulnerability, dubbed "Snoop-assisted L1 Data Sampling" (CVE-2020-0550), affects Intel processor families such as Core and Xeon, according to the researchers, and is similar to previously reported speculation-attack vulnerabilities.

The flaw exploits CPU mechanisms like cache coherence, multiple cache levels, and bus snooping and could enable an unprivileged local attacker to infer CPU Level 1 cache contents after circumventing security controls.

Intel's most modern processors come with multiple cores, where each core has a separate cache memory. Depending on the CPU's specifications, these cache memories are categorised as Level 1 (L1), Level 2 (L2), and Level 3 (L3) cache.

In order to improve performance, a system sometimes keeps multiple copies of the same data in different levels of cache. When the processor modifies its local copy, the changes are also propagated to the other levels of cache.

L1, which is the most used cache level, is further divided into two parts: L1D and L1I.

L1D (the L1 data cache) is used for storing user data, while L1I (the L1 instruction cache) holds the instructions the CPU executes.

When a change occurs in L1D, the "bus snooping" mechanism is used by the CPU to update all the cache levels. The consistency of data at each level of cache is then ensured using the cache coherence mechanism.

According to the researchers, under certain conditions, an attacker could use malicious code to tap into the bus snooping operation and trigger errors to leak data from the cache coherence process.

"On certain processors and under certain conditions, data in a modified cache line that is being returned in response to a snoop may also be forwarded to a faulting, microarchitectural assist, or Intel Transactional Synchronisation Extensions (TSX) asynchronous aborting load operation to a different address that occurs simultaneously," Intel explained.

"This may potentially allow a malicious adversary to construct a covert channel to infer modified data in the L1D cache that the victim intends to protect from the malicious adversary. This domain-bypass transient execution attack is called snoop-assisted L1D sampling."

Intel, however, says that the attack is incredibly hard to carry out, and does not leak large quantities of data.

To mitigate the risk of a Snoop attack, Intel recommends that users apply the Foreshadow (L1TF) patches that were released in August 2018.

Disabling Intel's Transactional Synchronisation Extensions (TSX) feature also makes Snoop attacks harder to carry out, the chipmaker said.
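One way to check both mitigations on a Linux host, as an added example that is not part of the original article or Intel's guidance: it classifies the kernel's L1TF status report and looks for the TSX feature flags (`rtm`, `hle`) in the CPU flags. The sysfs path, the `/proc/cpuinfo` format and the function names are assumptions of this example (Linux only), and the sample inputs are constructed.

```python
from pathlib import Path

# Linux kernel interfaces (assumption: Linux host; paths are not from the article).
L1TF_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/l1tf")
CPUINFO = Path("/proc/cpuinfo")


def l1tf_state(status: str) -> str:
    """Classify the one-line L1TF report the kernel exposes in sysfs."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # old kernel or unexpected text: treat as unconfirmed


def tsx_exposed(cpuinfo: str) -> bool:
    """True if any logical CPU advertises TSX (rtm or hle) to software."""
    for line in cpuinfo.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags" and {"rtm", "hle"} & set(value.split()):
            return True
    return False


def assess(l1tf_status: str, cpuinfo: str) -> dict:
    """Combine both checks into a short list of findings for the host."""
    state = l1tf_state(l1tf_status)
    tsx = tsx_exposed(cpuinfo)
    findings = []
    if state in ("vulnerable", "unknown"):
        findings.append("L1TF mitigation not confirmed: apply OS and microcode updates")
    if tsx:
        findings.append("TSX is enabled: consider disabling it")
    return {"l1tf": state, "tsx_exposed": tsx, "findings": findings}


# Constructed sample inputs, not captured from a real machine.
SAMPLE_PATCHED = ("Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable\n",
                  "processor\t: 0\nflags\t\t: fpu vme sse2 avx2 md_clear\n")
SAMPLE_UNPATCHED = ("Vulnerable\n",
                    "processor\t: 0\nflags\t\t: fpu vme sse2 hle avx2 rtm\n")

if __name__ == "__main__":
    live = L1TF_SYSFS.exists() and CPUINFO.exists()
    inputs = [(L1TF_SYSFS.read_text(), CPUINFO.read_text())] if live else [SAMPLE_PATCHED, SAMPLE_UNPATCHED]
    for sample in inputs:
        print(assess(*sample))
```

Run directly, the script reads the live files when they exist and falls back to the constructed samples otherwise.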

"The Snoop attack is yet again another flaw from Intel that could allow a skilled attacker to steal sensitive information from the cache, including encryption keys, passwords and other secret data," said Marco Essomba, founder of iCyber-Security.

He continued: "Intel has released a number of guidelines and patches for operating system vendors and equipment manufacturers. Organisations can defend against this type of threat by adopting multi-layers of defence. Essentially, an attacker with unfettered access to a device can execute malware to exploit this flaw."

Essomba recommended that organisations make sure they take all the usual security measures, such as ensuring software is patched and up-to-date, and that PCs and servers are running the latest anti-virus and other standard security software. "A defence-in-depth strategy involving a combination of technological controls, security awareness training and processes will strengthen the organisation's posture to make this vulnerability harder to exploit," he said.