
Snoop-assisted L1 Data Sampling / CVE-2020-0550 / INTEL-SA-00330

2020-03-10
2020-03-10
CVSS 5.6 Medium

Industry-wide severity ratings can be found in the National Vulnerability Database


Overview

Under a specific set of complex conditions involving a cache-coherence snoop to a modified cache line, a malicious adversary may be able to infer the data values of some modified cache lines in the L1 data (L1D) cache using snoop-assisted L1 data sampling. This domain-bypass transient execution attack variant, known as snoop-assisted L1 data sampling, has been assigned CVE-2020-0550 with a CVSS base score of 5.6 Medium (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N).

Note that this is different from L1D Eviction Sampling (CVE-2020-0449). In that issue, the eviction data may be inferrable even without a snoop. Snoop-assisted L1D sampling requires the snoop to hit a modified cache line in the exact same single core clock cycle window as the faulting/assisting/aborting load.

For additional information, refer to the Deep Dive: Snoop-assisted L1 Data Sampling.

Mitigation

As the processors affected by snoop-assisted L1D sampling are a subset of those affected by L1 Terminal Fault (L1TF), software may have already applied L1TF mitigations on systems affected by snoop-assisted L1D sampling.

OS Developers

Snoop-assisted L1D sampling could be mitigated by flushing the L1D cache before executing potentially malicious applications, which would require changes to the OS scheduler when hyperthreading is enabled and could impact the performance of system transitions. Because of the difficulty of this method and the performance impact caused by this mitigation, Intel does not recommend applying such mitigations to the OS. More details on the hyperthreading interaction can be found in the MDS deep dive.

Virtual Machine Manager (VMM) Developers

When the VMM is fully applying L1TF mitigations, the sensitive memory contents of the VMM or other virtual machines (VMs) will not be in the L1D cache when a possibly malicious VM executes. This will help prevent a malicious VM from attacking a VMM or other VMs with snoop-assisted L1D sampling.
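One way to check whether a host is already applying the L1TF mitigations this section relies on. This is an added example, not Intel's code; it assumes a Linux host running KVM, where the kernel reports L1TF state in `/sys/devices/system/cpu/vulnerabilities/l1tf`. The function name `classify_l1tf` and its result labels are hypothetical.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's L1TF status line on a KVM host.
# Assumption: Linux sysfs interface; the advisory itself names no OS.
L1TF_FILE=/sys/devices/system/cpu/vulnerabilities/l1tf

# classify_l1tf LINE -> prints one label describing the reported state.
classify_l1tf() {
    case "$1" in
        "Not affected"*) echo "not-affected"; return ;;
        "Vulnerable"*)   echo "vulnerable"; return ;;
        "Mitigation: PTE Inversion"*) ;;          # parse VMX/SMT fields below
        *) echo "unknown"; return ;;
    esac
    # VMX field: is the L1D flushed before a guest runs?
    case "$1" in
        *"VMX: vulnerable"*)          vmx="no-flush" ;;
        *"VMX: EPT disabled"*)        vmx="ept-disabled" ;;
        *"VMX: flush not necessary"*) vmx="flush-not-needed" ;;
        *"VMX: conditional cache flushes"*|*"VMX: cache flushes"*) vmx="flush" ;;
        *) echo "host-only"; return ;;            # no VMX field reported
    esac
    # SMT field: a sibling hyperthread can still share the L1D when SMT is on.
    case "$1" in
        *"SMT vulnerable"*) smt="smt-on" ;;
        *"SMT disabled"*)   smt="smt-off" ;;
        *)                  smt="smt-unknown" ;;
    esac
    echo "$vmx/$smt"
}

# Live check when the file exists; silent on systems without it.
if [ -r "$L1TF_FILE" ]; then
    echo "l1tf: $(classify_l1tf "$(cat "$L1TF_FILE")")"
fi
```

A result of `flush/smt-off` means the L1D is flushed on VM entry and no sibling thread shares it; `flush/smt-on` leaves the hyperthreading interaction described under OS Developers to be handled separately.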

System Management Mode (SMM) Developers

Processors that are mitigated for L1TF for SMM will flush the L1D cache on each exit from SMM mode and thus already mitigate snoop-assisted L1D sampling.




Copyright Intel Corporation 2020.