New LVI Intel CPU Data Theft Vulnerability Requires Hardware Fix

[silversurfer]

Content source

https://www.bleepingcomputer.com/news/security/new-lvi-intel-cpu-data-theft-vulnerability-requires-hardware-fix/

A novel class of attack techniques against modern Intel processors can allow threat actors to inject malicious data into applications via transient-execution attacks and steal sensitive data according to researchers.

The vulnerability dubbed LVI (short for Load Value Injection) and tracked as CVE-2020-0551 was discovered and reported to Intel on April 4, 2019, by researchers at the Worcester Polytechnic Institute, imec-DistriNet/KU Leuven, Graz University of Technology, University of Michigan, University of Adelaide and Data61, in no particular order.

Bitdefender researchers also independently discovered one variant of attack in the LVI class (LVI-LFB) and reported it to Intel in February 2020.

LVI attacks let attackers change the normal execution of programs to steal data that is normally meant to be kept private within SGX enclaves. Sensitive information that can be stolen this way includes passwords, private keys of certificates, and more.

Even though the Intel Software Guard eXtensions (SGX) feature in modern Intel processors that enables apps to run within secure and isolated enclaves is not necessary to launch an LVI attack, its presence makes the attack a lot easier.

"While LVI attacks in non-SGX environments are generally much harder to mount, we consider none of the adversarial conditions for LVI to be unique to Intel SGX," the researchers explain.

 

[plat]

A little more info on this. If any mitigations would be applied, your cpu is most likely crippled in performance.

Intel Processors Hit with LVI Security Vulnerabilities, Mitigation Hits Performance Hard

A new class of security vulnerabilities affect Intel processors, which can cause them to leak out sensitive information if probed in a certain way, but that's not the worst news for Intel and its users. The software- or firmware-level mitigation for this vulnerability can inflict performance...

www.techpowerup.com

Excerpt:

""LVI turns previous data extraction attacks around, like Meltdown, Foreshadow, ZombieLoad, RIDL and Fallout, and defeats all existing mitigations. Instead of directly leaking data from the victim to the attacker, we proceed in the opposite direction: we smuggle — "inject" — the attacker's data through hidden processor buffers into a victim program and hijack transient execution to acquire sensitive information, such as the victim's fingerprints or passwords," the reasearchers write in the abstract of their paper describing the vulnerability. Anti-virus manufacturer BitDefender independently discovered LVI and shared its study with Intel.... "