New 'CacheOut' attack leaks data from CPUs, VMs and hardware enclaves

Researchers at the universities of Adelaide and Michigan have come up with a new Spectre-style speculative execution attack against Intel processors that can be used to intercept data across several hardware security boundaries.

Named CacheOut, the flaw is found in a large number of Intel processors released up until the fourth quarter of 2018.

Several researchers have been working on the vulnerability [pdf], including Yuval Yarom from the University of Adelaide, discovering that it's possible to leak data from eviction of processor caches.

While there's no known CacheOut exploits currently, exploitation of the vulnerability is undetectable.

It could be used to intercept information on operating system kernel address space randomisation and secret "stack canaries" values, which in turn can enable full exploitation using other software attacks such as buffer overflows, the researchers said.

Furthermore, CacheOut can leak data from hypervisors and co-resident virtual machines, and dump the contents of Intel Software Guard Extensions (SGX) hardware enclaves.

CacheOut bypasses existing hardware mitigations by Intel against the earlier Spectre and Meltdown flaws.

Microcode updates from Intel are available for vulnerable processors, and can be deployed via operating system and hypervisor updates.

AMD processors do not contain similar features to Intel's Transactional Synchronisation Extensions (TSX) and are not vulnerabile to CacheOut.

The researchers noted that ARM architecture and IBM processors have a feature similar to Intel TSX, but the reaserchers don't currently know if any of those products are affected by CacheOut.