Not that we needed it, but there's more evidence today that Intel has been playing fast and loose with security in order to stay ahead of the fast-chip competition. Today it was announced that there are three more Meltdown/Spectre-type Intel chip exploits. The vulnerabilities affect Intel's desktop, workstation, and server CPUs.
The first of these related exploits was discovered by academic researchers from several universities, and Intel discovered the other two related exploits while investigating those researchers' report. This overall issue, referred to as L1 Terminal Fault (or “Foreshadow” by the researchers who originally discovered it), allows for a bypass of memory access security controls ordinarily imposed and managed by the operating system or hypervisor, and can be used by a hacker to read physical memory cached in the L1 data cache of the processor.
"The new L1 Terminal Fault side-channel vulnerability is the latest in a long stream of microprocessor-related flaws that the industry has had to react to this year," Chris Robinson, Product Security Assurance at Red Hat, said in a statement. "While the attack is very difficult to execute, customers are advised to apply patches as soon as they are available, review their corporate risk, and react accordingly in enabling the mitigations."
CVE-2018-3615, the first exploit discovered, affects Software Guard Extensions (SGX), which allows developers to protect select code and data from disclosure or modification. According to an article published today by Red Hat, this one is fixed through microcode updates and not through software patches.
CVE-2018-3620 is the L1 Terminal Fault operating system vulnerability and requires a software patch at the OS level to fix. The good news here is that patching isn't expected to cause much of a performance hit.
CVE-2018-3646 is the virtualization aspect of the flaw, and this one is a bit more problematic. On systems running multiple VMs, attackers can take advantage of this vulnerability to gain information from all of the virtual machines running on the server. Although this can be patched on the VM level, in situations where untrusted virtual machines are running, it might be prudent to turn off Intel's hyperthreading, an action that could significantly reduce server performance.
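To see where a Linux host stands on the OS-level and virtualization mitigations described above, the kernel's own L1TF status line can be classified. This is an added example, not from the article or from Red Hat: the sysfs path and status strings are those reported by patched mainline Linux kernels, and the verdict names are hypothetical labels chosen here.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's L1TF status string.
# Path assumed from patched mainline kernels; the article does not mention it.
L1TF_SYSFS=/sys/devices/system/cpu/vulnerabilities/l1tf

# l1tf_assess STATUS -> prints one verdict (labels are hypothetical):
#   not-affected   CPU is not subject to L1TF
#   unpatched      no OS-level mitigation active (CVE-2018-3620)
#   host-only      OS mitigation active, no VMX state reported
#   vmx-unflushed  hypervisor does not flush L1D on guest entry (CVE-2018-3646)
#   smt-exposed    L1D flush active, but hyperthreading is still enabled
#   mitigated      L1D flush active and hyperthreading disabled (or EPT disabled)
#   unknown        string not recognised (older kernel or changed format)
l1tf_assess() {
    l1tf_status=$1
    case $l1tf_status in
        "Not affected"*)              echo not-affected; return ;;
        Vulnerable*)                  echo unpatched; return ;;
        "Mitigation: PTE Inversion"*) ;;
        *)                            echo unknown; return ;;
    esac
    case $l1tf_status in
        *"VMX:"*) ;;
        *) echo host-only; return ;;
    esac
    case $l1tf_status in
        *"VMX: vulnerable"*) echo vmx-unflushed; return ;;
    esac
    case $l1tf_status in
        *"SMT vulnerable"*) echo smt-exposed; return ;;
    esac
    echo mitigated
}

# Report on the local host when the kernel exposes the file.
if [ -r "$L1TF_SYSFS" ]; then
    printf 'l1tf: %s\n' "$(l1tf_assess "$(cat "$L1TF_SYSFS")")"
fi
```

A verdict of `smt-exposed` on a host running untrusted virtual machines is the case where the article's advice about turning off hyperthreading applies.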
The latest exploits might prove to be particularly troublesome for those using containers since each container runs on its own implementation of Linux, which likely means each and every container will need to be patched. According to Red Hat, "every Linux and Kubernetes distribution is impacted. All organizations deploying containers should consult their Linux/Kubernetes/containers provider."
Red Hat has published both an in-depth article and a shorter blog on the vulnerabilities as well as two videos, a short three-minute video explanation and a deeper ten-minute delve into the exploits.