Intel's data center CPUs vulnerability could lead to "devastating" attacks

Security researchers found vulnerabilities that can affect multi-tenant environments such as public clouds or shared enterprise workloads.

Intel and AMD announce new CPUs at Computex 2019

Cybersecurity researchers have found a vulnerability within Intel's data center CPUs that gives attackers the ability to inject rogue values in certain microarchitectural structures and steal information. Bogdan Botezatu, director of threat research and reporting at Bitdefender, said these attacks are "particularly devastating in multi-tenant environments such as enterprise workstations or servers in the datacenter, where one less-privileged tenant would be able to leak sensitive information from a more privileged user or from a different virtualized environment on top of the hypervisor." 

According to Botezatu, Intel controls more than 90% of the server CPU market share and most of these CPUs, manufactured between 2011 and 2020, are vulnerable. Botezatu and Bitdefender notified Intel of the issue on Feb. 25 and the company has acknowledged there is a problem. 

SEE: Special report: A winning strategy for cybersecurity (free PDF) (TechRepublic)

Vulnerabilities like this typically impact multi-tenant environments such as a public cloud or shared enterprise workload where a less privileged user would be able to exfiltrate information across security boundaries through the vulnerable processor. All public cloud vendors that run vulnerable Intel CPUs would be exposed to this type of attack, Botezatu said. 

Using this vulnerability, cybercriminals can steal data using a minimal amount of system privileges to sample information that normally would be secured by perimeters set up at the silicon or microcode level. 

Intel has released software guidance on the issue and a statement about the problem.

"Researchers have identified a new mechanism referred to as Load Value Injection (LVI). Due to the numerous complex requirements that must be satisfied to successfully carry out, Intel does not believe LVI is a practical method in real world environments where the OS and VMM are trusted. New mitigation guidance and tools for LVI are available now and work in conjunction with previously released mitigations to substantively reduce the overall attack surface. We thank the researchers who worked with us, and our industry partners for their contributions on the coordinated disclosure of this issue," Intel said in a statement.

"To mitigate the potential exploits of Load Value Injection (LVI) on platforms and applications utilizing Intel SGX, Intel is releasing updates to the SGX Platform Software and SDK starting today. The Intel SGX SDK includes guidance on how to mitigate LVI for Intel SGX application developers. Intel has likewise worked with our industry partners to make application compiler options available and will conduct an SGX TCB Recovery. Refer to the Intel SGX Attestation Technical Details for more information."

In a blog post, Botezatu wrote that the kind of information that can be stolen includes everything from "operating system noise" data to encryption keys or passwords. Attackers could gain a sizable amount of control within compromised servers and gain access to whatever data is inside. 

Bitdefender said it has been examining side-channel attacks and the potential impact of vulnerabilities since the emergence of Spectre and Meltdown in 2018.

"Our team of dedicated vulnerability researchers discovered two other different similar vulnerabilities last year (the SWAPGS Attack and another MDS-class vulnerability). This research team keeps a close eye on modern CPUs as part of the ongoing research for HVI - Bitdefender's security solution that runs at the hypervisor level," Botezatu said in an interview.

"This type of attack cannot be mitigated, given the fact that it leverages a vulnerability in the processor design. Previous mitigations set in place for Spectre, Meltdown, and the MDS attacks are now ineffective against this new attack called LVI-LFB," he added

Every time a new side-channel attack variation gets communicated and plugged, Botezatu said, new ones show up and defeat existing mitigations. "We believe that the only viable solution would be the architecture of the process to fix these flaws in hardware."

In a blog post, Botezatu wrote that to completely mitigate the vulnerability, IT departments should either disable functionalities like hyper-threading or replace the hardware entirely.

Security teams should also make sure to have the latest CPU microcode patches and the latest OS updated. 

Botezatu added that the most urgent actions security teams need to take involve installing patches and integrating security programs that can give users more hypervisor-level visibility and context. Security teams should also do full audits of their critical systems to check for any signs that systems have been attacked.

"The potential for exploitation is large, but up until now we do not have any evidence that it has actually been exploited in the wild. 

"However, given the nature of the attack, a security solution or any other alerting mechanism would be unable to detect or block this type of attack. This is why such attacks are more suitable for government or commercial, high profile threat actors than for regular cyber criminals," Botezatu said, adding that these kinds of attacks are particularly difficult to deal with. 

"It would be impossible to identify any exploitation in the wild. This attack does not leave any forensic trace on the affected system, nor can it be identified or blocked by existing security solutions."

Also see


In January 2018, computer researchers discovered two major vulnerabilities in CPUs named Spectre and Meltdown.

Forstock, Shutterstock / Forstock