New CacheOut Attack Targets Intel CPUs, Leaks Data From VMs And Secure Enclave

Intel Die
Researchers have dubbed a newly discovered vulnerability affecting Intel CPUs as CacheOut (how bout dah?), noting it can "violate nearly every hardware-based security domain, leaking data from the OS kernel, co-resident virtual machines, and even SGX enclaves." As you might have guessed, this is yet another speculative execution flaw somewhat similar to Spectre and Meltdown.

What all these side channel exploits have in common is they potentially allow an attacker to essentially trick hardware into exposing privileged data by leveraging flaws in Intel's architecture. Spectre and Meltdown sort of opened the floodgates for other similar vulnerabilities to follow, and unfortunately, mitigations for those are not effective against CacheOut.

Fortunately, however, Intel has worked with its system software partners to push out separate patches and firmware updates for CacheOut.

"We and our system software partners have released mitigations that have cumulatively and substantially reduced the overall attack surface for these types of issues. We continue to conduct research in this area—internally, and in conjunction with the external research community," Intel said.


CacheOut is the newest attack method in a family Intel refers to as microarchitectural data sampling (MDS). They have been likened to "drinking from a fire hose," in that attackers do not have much control over the data they are observing and where it originates from. CacheOut gives attackers a little more leeway, though.

"CacheOut improves over previous MDS attacks by allowing the attacker to choose which data to leak from the CPU’s L1 cache, as well as which part of a cache line to leak. We demonstrate that CacheOut can leak information across multiple security boundaries, including those between hyperthreads, processes, and virtual machines, and between user space and the operating system kernel, and from SGX enclaves," researchers wrote in a paper (PDF).

Also known as L1DES (L1 data eviction sampling), Intel issued a security advisory for CacheOut, giving it a "medium" severity rating of 6.5 out of 10. In the past, Intel has given similarly low ratings to a few other side-channel execution attacks, such as Zombieload and Fallout.

CacheOut affects most Intel CPUs released prior to the fourth quarter of 2018, including 8th generation and 7th generation Core processors (Coffee Lake and Kaby Lake, respectively). You can view a full list of affected CPUs in this document. It does not appear that AMD processors are affected by this.