L1D Eviction Sampling / CVE-2020-0549 / INTEL-SA-00329

2020-01-27
2020-01-27
6.5

Medium

Industry-wide severity ratings can be found in the National Vulnerability Database

Overview

A speculative execution side channel variant known as L1D Eviction Sampling may allow the data value of some modified cache lines in the L1 data cache to be inferred under a specific set of complex conditions. L1D eviction sampling has been assigned CVE-2020-0549 with a CVSS score of 6.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).

On some processors under certain microarchitectural conditions, data from the most recently evicted modified L1 data cache (L1D) line may be propagated into an unused (invalid) L1D fill buffer. On processors affected by Microarchitectural Data Sampling (MDS) or Transactional Asynchronous Abort (TAA), data from an L1D fill buffer may be inferred using one of these data sampling side channel methods. By combining these two behaviors, it may be possible for a malicious actor to infer data values from modified cache lines that were previously evicted from the L1 data cache. This is called L1D eviction sampling.

Malicious software may be able to use L1D eviction sampling to infer modified cache line data written by previously run software, or modified cache line data written by software running on a sibling hyperthread on the same physical core.

Unlike L1 Terminal Fault (L1TF), L1D eviction sampling does not allow a malicious actor to select the physical address to probe.

Note that unless thread synchronization mitigations are applied, it may be possible for malicious software running on a sibling hyperthread to observe values loaded from or stored to memory on a physical core using the previously disclosed MDS or TAA methods.

Because the list of processors affected by L1D eviction sampling is a subset of those affected by L1TF, systems affected by L1D eviction sampling may run software that already applies L1TF mitigations. Fully applying the L1TF mitigations for virtual machine managers (VMMs) ensures that the sensitive memory contents of the VMM or other virtual machines (VMs) will not be in the L1D cache when a possibly malicious VM executes. This helps prevent the malicious VM from attacking a VMM with L1D eviction sampling.

Mitigation

Intel released microcode updates in June 2020 for affected processors that mitigate the L1D eviction sampling issue. Software can determine whether the microcode update for an affected processor contains the mitigation by reading the patch revision number and confirming that it is equal to or greater than the corresponding revision number listed in INTEL-SA-00329.
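The revision comparison described above can be scripted per logical CPU. The following is an added example, not Intel's code: it assumes a Linux host that exposes the patch revision in the `microcode` field of `/proc/cpuinfo`, the function names are hypothetical, and the table entry is a placeholder to be replaced with the values listed in INTEL-SA-00329.

```python
# Added example. MIN_REVISION holds PLACEHOLDERS; copy real values from INTEL-SA-00329.
MIN_REVISION = {(6, 0x00, 0x0): 0x100}  # (family, model, stepping) -> minimum revision

# Constructed sample in Linux /proc/cpuinfo format: two logical CPUs, one not updated.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 0
stepping\t: 0
microcode\t: 0x100

processor\t: 1
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 0
stepping\t: 0
microcode\t: 0xfe
"""

def parse_cpuinfo(text):
    """Yield one dict of fields per logical CPU block."""
    for block in text.strip().split("\n\n"):
        fields = {k.strip(): v.strip() for k, _, v in (l.partition(":") for l in block.splitlines())}
        if "processor" in fields:
            yield fields

def check_microcode(text, table=MIN_REVISION):
    """Return {cpu: status}; status is 'ok', 'outdated', 'not-listed' or 'unknown'."""
    result = {}
    for cpu in parse_cpuinfo(text):
        cpu_id = int(cpu["processor"])
        try:
            sig = (int(cpu["cpu family"]), int(cpu["model"]), int(cpu["stepping"]))
            revision = int(cpu["microcode"], 16)
        except (KeyError, ValueError):
            result[cpu_id] = "unknown"      # revision field missing or malformed
            continue
        if cpu.get("vendor_id") != "GenuineIntel" or sig not in table:
            result[cpu_id] = "not-listed"   # table has no entry for this processor
        else:
            result[cpu_id] = "ok" if revision >= table[sig] else "outdated"
    return result

if __name__ == "__main__":
    print(check_microcode(SAMPLE_CPUINFO))  # on a real host: open("/proc/cpuinfo").read()
```

Checking every logical CPU rather than only the first catches a host where an update was applied to some cores but not others.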
