Intel CPUs at Risk from New ‘SGAxe’ and ‘CrossTalk’ Side-Channel Vulnerabilities

New Intel Processor Vulnerabilities Expose Sensitive Data from Trusted Execution Environments

Cybersecurity experts have identified two significant vulnerabilities in modern Intel processors that allow attackers to extract confidential information from the CPU’s trusted execution environments (TEE). These vulnerabilities, named SGAxe and CrossTalk, pose critical threats to system integrity and data security, particularly for applications relying on Intel’s Software Guard Extensions (SGX).

SGAxe is an evolution of the previously disclosed CacheOut attack (CVE-2020-0549), which was revealed earlier this year. The new flaw enables attackers to gain access to the contents of the CPU’s L1 Cache, specifically targeting the architectural SGX enclaves. Researchers from the University of Michigan have explained that, using this attack, they can recover the secret attestation key that is essential for cryptographically verifying the authenticity of enclaves over networks. This capability allows malicious actors to present counterfeit enclaves as legitimate, thereby undermining established security protocols.

The second vulnerability, CrossTalk, introduced by researchers at VU University Amsterdam, exploits a “staging” buffer that is readable across multiple CPU cores. This can allow code executed on one core to breach SGX enclaves located on another core, potentially revealing private cryptographic keys. The staging buffer holds results from previously executed off-core instructions, including sensitive data like random numbers generated for cryptographic purposes. Consequently, unauthorized access to this buffer can jeopardize the integrity of cryptographic operations, compromising trust in the sensitive data processed by the SGX.

The implications of these vulnerabilities are particularly severe in contexts where confidential data protection is paramount, such as digital rights management (DRM) applications. With the integrity of SGX-derived attestation keys compromised, any sensitive information transmitted by servers could be easily accessed by untrusted host applications on the client side. This realization emphasizes a critical erosion of security guarantees, rendering traditional SGX protections ineffective.

Despite steps taken by Intel to mitigate side-channel attack vulnerabilities through microcode updates, the defenses against SGAxe have been insufficient. The exploit can still result in unauthorized recovery of cryptographic keys from updated Intel systems. While Intel has communicated that mitigation efforts are ongoing, addressing the root cause of CacheOut remains a complex challenge. As part of these efforts, Intel plans to implement a Trusted Compute Base (TCB) recovery process, prompting invalidation of all previously signed attestation keys to restore secure state capabilities for remote attestation.

The CrossTalk vulnerability, identified as CVE-2020-0543, is classified under the Microarchitectural Data Sampling (MDS) attack category within the MITRE ATT&CK framework. The ongoing vulnerabilities across all Intel CPUs from 2015 to 2019 underscore the urgency for users to update their firmware to counteract these risks. Although a microcode update addressing CrossTalk was released following a prolonged disclosure period, experts assert that existing defenses against transient execution attacks remain largely ineffective.
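One way to confirm that the CrossTalk microcode update is actually in effect, as an added example that is not part of the original article: it assumes Linux hosts, where the kernel reports CVE-2020-0543 in sysfs under the name `srbds`. The function names and the `host<TAB>status` fleet input format are hypothetical.

```shell
#!/bin/sh
# Added example: triage the Linux kernel's CrossTalk (CVE-2020-0543) report,
# which the kernel exposes in sysfs under the name "srbds".
SRBDS_FILE="${SRBDS_FILE:-/sys/devices/system/cpu/vulnerabilities/srbds}"

# Map one kernel status string to a verdict: ok | action | unknown.
srbds_verdict() {
    case "$1" in
        "Not affected"|"Mitigation: Microcode"|"Mitigation: TSX disabled")
            echo ok ;;
        "Vulnerable"|"Vulnerable: No microcode")
            echo action ;;
        *)  # e.g. "Unknown: Dependent on hypervisor status", or no report
            echo unknown ;;
    esac
}

# Read this host's status; a missing file means the kernel is too old
# to report on the issue, which is not the same as being unaffected.
local_srbds_status() {
    if [ -r "$SRBDS_FILE" ]; then
        cat "$SRBDS_FILE"
    else
        echo "not reported by kernel"
    fi
}

# Audit "host<TAB>status" lines on stdin (hypothetical collection format).
# Prints hosts needing attention; returns 1 if any host is unmitigated,
# 2 if the worst case is an unconfirmed host, 0 if all are fine.
audit_fleet() {
    rc=0
    tab=$(printf '\t')
    while IFS="$tab" read -r host status; do
        [ -n "$host" ] || continue
        case "$(srbds_verdict "$status")" in
            action)
                echo "$host: unmitigated, update microcode or re-enable mitigation ($status)"
                rc=1 ;;
            unknown)
                echo "$host: cannot confirm mitigation ($status)"
                [ "$rc" -eq 1 ] || rc=2 ;;
        esac
    done
    return "$rc"
}

status=$(local_srbds_status)
echo "local host: $status -> $(srbds_verdict "$status")"
```

A guest VM that reports `Unknown: Dependent on hypervisor status` cannot verify the mitigation itself; the check has to be repeated on the hypervisor host.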

Both SGAxe and CrossTalk illustrate the pressing need for intensified cybersecurity measures. The potential for attackers to exploit vulnerabilities within trusted execution environments calls for proactive vigilance from organizations that rely on these technologies. As businesses navigate the complexities of digital security, understanding the contexts of these attacks through frameworks like MITRE ATT&CK can provide essential insights into the operational landscape of cybersecurity threats.
