L1D Eviction Sampling / CVE-2020-0549 / INTEL-SA-00329

ID 660220
Updated 1/27/2020
Version Latest
Public

author-image

By

Disclosure date: 
2020-01-27

Published date: 
2020-01-27

Shield Icon #74443 - Free Icons LibrarySeverity rating: 
6.5 Medium

Industry-wide severity ratings can be found in the National Vulnerability Database

Related Content

Microcode update guidance
INTEL-SA-00329
Blog: Data Leakage Advisory
List of processors potentially affected by L1D Eviction Sampling
Introduction to Speculative Execution Side Channel Methods

Overview

A speculative execution1 side channel variant known as L1D Eviction Sampling may allow the data value of some modified cache lines in the L1 data cache to be inferred under a specific set of complex conditions. L1D eviction sampling has been assigned CVE-2020-0549 with a CVSS of 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N.

On some processors under certain microarchitectural conditions, data from the most recently evicted modified L1 data cache (L1D) line may be propagated into an unused (invalid) L1D fill buffer. On processors affected by Microarchitectural Data Sampling (MDS) or Transactional Asynchronous Abort (TAA), data from an L1D fill buffer may be inferred using one of these data sampling side channel methods. By combining these two behaviors together, it may be possible for a malicious actor to infer data values from modified cache lines that were previously evicted from the L1 data cache. This is called L1D eviction sampling.

Malicious software may be able to use L1D eviction sampling to infer modified cache line data written by previously run software, or modified cache line data written by software running on a sibling hyperthread on the same physical core.

Unlike L1 Terminal Fault (L1TF), L1D eviction sampling doesn’t potentially allow a malicious actor to select the physical address to probe.

Note that unless thread synchronization mitigations are applied, it may be possible for malicious software running on a sibling hyperthread to observe values loaded from or stored to memory on a physical core using the previously disclosed MDS or TAA methods.

As the list of processors affected by L1D eviction sampling are a subset of those affected by L1TF, systems affected by L1D eviction sampling may run software that already applies L1TF mitigations. Fully applying the L1TF mitigations for virtual machine managers (VMMs) ensures that the sensitive memory contents of the VMM or other virtual machines (VMs) will not be in the L1D cache when a possibly malicious VM executes. This helps prevent the malicious VM from attacking a VMM with L1D eviction sampling. 

Mitigation

Intel released microcode updates in June 2020 for affected processors which mitigated the L1D eviction sampling issue. Software can discover if the microcode update for Affected Processors contains the mitigation by reading the patch revision number and ensuring it matches or is greater than the corresponding revision number listed in INTEL-SA-00329.

References

List of processors potentially affected by L1D Eviction Sampling

Footnotes

  1. Technique used by modern high performance processors to improve performance by executing instructions before knowing they are required. View full description.

 

Software Security Guidance Home | Advisory Guidance | Technical Documentation | Best Practices | Resources

 

Product and Performance Information

1

Performance varies by use, configuration and other factors. Learn more at www.Intel.com/PerformanceIndex.