SGAxe and CrossTalk flaws in Intel CPUs could enable attackers to steal data, researchers say

SGX hardware encryption technology was launched in 2015 with the Skylake microarchitecture

Cyber security researchers have disclosed two new and distinctive attacks that could enable threat actors to steal sensitive information from the trusted execution environments (TEE) of modern Intel CPUs.

The first flaw, called SGAxe, is said to be an evolution of the CVE-2020-0549 flaw that was disclosed earlier this year. Also known as a CacheOut attack or L1D Eviction Sampling, this vulnerability enables authenticated attackers with local access to retrieve the contents from the CPU's L1 Cache.

However, an attack exploiting the CacheOut flaw doesn't work on Intel chips sold after the third quarter of 2018, and it can't be used to launch attacks via a web browser.

But, according to researchers, the new SGAxe bug can breach the security of Intel Software Guard eXtensions (SGX) enclaves that secure the system's inner workings along with sensitive data such as encryption keys and passwords.

Intel launched SGX hardware encryption technology in 2015 with the Skylake microarchitecture. The purpose of SGX technology is to protect areas of memory from unauthorised users, including system administrators. The technology enables applications to run within secured software containers (enclaves), providing hardware-based memory encryption to isolate the applications' data and code in memory.

The data stored in encrypted enclaves can be decrypted only within the CPU and that too at the request of instructions running within the enclave itself.

But, according to researchers, network attackers could use the SGAxe vulnerability to retrieve SGX attestation keys from Intel's quoting enclave and cryptographically impersonate a legitimate SGX Intel machine.

Researchers said they used CacheOut and SGAxe attacks to steal private attestation keys from trusted and new SGX machines. While there is currently no evidence to suggest that the flaw has been exploited in the wild, the researchers alerted Intel after discovering the flaw.

The second vulnerability, called CrossTalk, impacts Intel's desktops, mobile and server CPUs, according to the researchers from VU University in Amsterdam, Netherlands, who are credited with uncovering this flaw.

CrossTalk could enable attacker-controlled code running on one CPU core to target SGX enclaves executing on a different core and determine the private keys of that enclave, the researchers said.

Security experts describe CrossTalk as a type of microarchitectural data sampling (MDS) attack that attempts to target user data while it is in a "transient" state and processed within the CPU's data-caching systems.

To mitigate the CrossTalk vulnerability, the researchers recommend installing Intel's latest microcode, which includes the mitigation against SRBDS for RNG output and SGX keys.

"Intel has implemented its mitigation for the SRBDS vulnerability in a microcode update distributed to software vendors on Tuesday June 9, 2020 or earlier," the researchers said.

"The mitigation locks the entire memory bus before updating the staging buffer and only unlocks it after clearing its content. This strategy ensures no information is exposed to offcore requests issued from other CPU cores."