Overview
Systems based on Intel processors that perform speculative execution and address translation are susceptible to information disclosure from its L1 cache. An attacker with local access and guest OS privilege can exploit terminal page fault and side-channel analysis to carry out such disclosure.
Details
Modern processors use speculative execution to improve performance. This technique uses execution history to predict future executions. When a process makes a memory call, the logical memory address is translated to the physical address. If the logical memory is not mapped to a physical location, it results in a terminal fault. Before the correct address is resolved, the processor speculatively tries to load data. This leads to the processor accessing L1 data cache thereby exposing the cache to side-channel attacks. An attacker with guest OS privileges has control over address mapping and may trigger a terminal fault. This lets the attacker read any cached physical memory on the system. This memory is often shared with other guests making their information maliciously disclosed. Also, the attacker has control over the physical addresses during the transient code execution. In a virtual machine environment, this can be be used to point to the physical memories of other guest users. This exposes the contents from the memory of other unsuspecting users on the same host.
Affected Environments
VMs based on the following Intel processors Intel® Core™ i3 processor (45nm and 32nm) Intel® Core™ i5 processor (45nm and 32nm) Intel® Core™ i7 processor (45nm and 32nm) Intel® Core™ M processor family (45nm and 32nm) 2nd generation Intel® Core™ processors 3rd generation Intel® Core™ processors 4th generation Intel® Core™ processors 5th generation Intel® Core™ processors Intel® Core™ X-series Processor Family for Intel® X99 platforms Intel® Core™ X-series Processor Family for Intel® X299 platforms Intel® Xeon® processor 3400 series Intel® Xeon® processor 3600 series Intel® Xeon® processor 5500 series Intel® Xeon® processor 5600 series Intel® Xeon® processor 6500 series Intel® Xeon® processor 7500 series Intel® Xeon® Processor E3 Family Intel® Xeon® Processor E3 v2 Family Intel® Xeon® Processor E3 v3 Family Intel® Xeon® Processor E3 v4 Family Intel® Xeon® Processor E5 Family Intel® Xeon® Processor E5 v2 Family Intel® Xeon® Processor E5 v3 Family Intel® Xeon® Processor E5 v4 Family Intel® Xeon® Processor E7 Family Intel® Xeon® Processor E7 v2 Family Intel® Xeon® Processor E7 v3 Family Intel® Xeon® Processor E7 v4 Family Intel® Xeon® Processor Scalable Family Intel® Xeon® Processor D (1500, 2100)
Prevention
Update microcode, BIOS, OS, and virtualization software Disable hyper-threading Allow trusted guests only