Snoop-assisted L1 Data Sampling / CVE-2020-0550 / INTEL-SA-00330

ID 660226
Updated 3/10/2020
Version Latest
Public

Disclosure date: 
2020-03-10

Published date: 
2020-03-10

Severity rating: 
5.6 Medium

Industry-wide severity ratings can be found in the National Vulnerability Database


Overview

Under a specific set of complex conditions involving a cache-coherence snoop to a modified cache line, a malicious adversary may be able to infer the data values of some modified cache lines in the L1 data (L1D) cache. This domain-bypass transient execution attack variant, known as snoop-assisted L1 data sampling, has been assigned CVE-2020-0550 with a CVSS base score of 5.6 Medium (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N).

Note that this is different from L1D Eviction Sampling (CVE-2020-0449). In that issue, the evicted data may be inferable even without a snoop. Snoop-assisted L1D sampling requires the snoop to hit a modified cache line in the exact same single-core clock cycle window as the faulting, assisting, or aborting load.

For additional information, refer to Snoop-assisted L1 Data Sampling.

Mitigation

As the processors affected by snoop-assisted L1D sampling are a subset of those affected by L1 Terminal Fault (L1TF), software may have already applied L1TF mitigations on systems affected by snoop-assisted L1D sampling.

OS Developers

Snoop-assisted L1D sampling could be mitigated by flushing the L1D cache before executing potentially malicious applications. This would require changes to the OS scheduler when Intel® Hyper-Threading Technology is enabled and could impact the performance of system transitions. Because of the difficulty of this approach and its performance impact, Intel does not recommend applying such mitigations in the OS. More details on the hyper-threading interaction can be found in Microarchitectural Data Sampling.

Virtual Machine Manager (VMM) Developers

When the VMM is fully applying L1TF mitigations, the sensitive memory contents of the VMM or other virtual machines (VMs) will not be in the L1D cache when a possibly malicious VM executes. This will help prevent a malicious VM from attacking a VMM or other VMs with snoop-assisted L1D sampling.

System Management Mode (SMM) Developers

Processors that are mitigated for L1TF in SMM flush the L1D cache on each exit from SMM and thus already mitigate snoop-assisted L1D sampling.
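Since the advisory's VMM guidance rests on L1TF mitigations already being fully applied, an administrator's first check is the host's reported L1TF state. The script below is an added example, not Intel's or the Linux kernel's code; it assumes the Linux kernel's reporting format for /sys/devices/system/cpu/vulnerabilities/l1tf (for example "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable") and classifies that line, treating the SMT-enabled and EPT-disabled cases conservatively because neither guarantees the guest-entry L1D flush the advisory relies on.

```shell
#!/bin/sh
# Added example (not from the Intel advisory): classify a Linux host's L1TF
# mitigation state, which the advisory says also covers snoop-assisted L1D
# sampling when a VMM flushes the L1D before a possibly malicious VM runs.
# Assumes the Linux sysfs format of /sys/devices/system/cpu/vulnerabilities/l1tf.

# classify_l1tf "<l1tf sysfs line>" -> prints a verdict; exit 0 only when covered
classify_l1tf() {
    line="$1"
    case "$line" in
        "Not affected")
            echo "not-affected"; return 0 ;;
        "Mitigation: PTE Inversion"*)
            ;;  # host kernel side is mitigated; VMX part examined below
        *)  # "Vulnerable" or an unrecognised format: treat as unmitigated
            echo "host-unmitigated"; return 1 ;;
    esac
    vmx="${line#*VMX: }"
    if [ "$vmx" = "$line" ]; then
        echo "host-only"; return 0   # no VMX section: kvm_intel not loaded
    fi
    case "$vmx" in
        "cache flushes, SMT disabled"|"conditional cache flushes, SMT disabled"|"flush not necessary"*)
            echo "vmm-covered"; return 0 ;;
        "cache flushes, SMT vulnerable"|"conditional cache flushes, SMT vulnerable")
            # L1D is flushed on VM entry, but a sibling hyperthread still runs
            # alongside the guest; the advisory defers this case to MDS guidance.
            echo "vmm-covered-smt-exposed"; return 1 ;;
        "EPT disabled")
            # L1TF itself is closed by turning EPT off, but no L1D flush happens
            # on VM entry, so this does not satisfy the advisory's flush condition.
            echo "vmm-no-l1d-flush"; return 1 ;;
        vulnerable*)
            echo "vmm-unmitigated"; return 1 ;;
        *)  echo "unknown"; return 1 ;;
    esac
}

# Normal use: read the live sysfs file when it is present.
l1tf_file=/sys/devices/system/cpu/vulnerabilities/l1tf
if [ -r "$l1tf_file" ]; then
    classify_l1tf "$(cat "$l1tf_file")"
fi
```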
