Intel's Foreshadow CPU Vulnerability: Here’s What Eight Vendors Are Telling Their Partners To Do

Intel Focuses On Coordinated Disclosure

Intel recently revealed another major vulnerability within its Core and Xeon processors and is now closely working with other vendors for coordinated disclosure.

Also known as L1 Terminal Fault, Foreshadow shares some similarities to Meltdown and Spectre, the speculative execution exploits that kicked off a new level of concern over CPU security when they were disclosed in January.

The Foreshadow vulnerability, which comes in three variants, involves a security hole in the CPU's L1 data cache, a small pool of memory within each processor core that helps determine what instruction the core will execute next. The first variant involves a security hole in Intel's Software Guard Extensions, the second an exploit in the operating system kernel and system management mode and the third a vulnerability in virtual machines.

Many large software and hardware vendors, including Amazon, Cisco, Dell, Hewlett Packard Enterprise, Lenovo, Microsoft, Oracle and and VMware, sent out their own advisories about what steps customers and partners should take to protect against Foreshadow. Here's how eight large vendors are responding to the vulnerability.

Amazon

Amazon Web Services said its infrastructure has been designed and implemented to protect against kinds of attacks like Foreshadow, but it has also pushed out additional protections, which covers all EC2 infrastructure and requires no action from customers. The company said it has also issued kernel updates for Amazon Linux AMI 2017.09, Amazon Linux LMI 2018.03 and Amazon Linux 2 while patches for new AMI are being prepared. AWS recommended that customers and partners use "stronger security and isolation properties of EC2 instances rather than relying on operating system process boundaries or containers when workloads execute with different security privileges."

Cisco

Cisco said the first variant of Foreshadow does not impact its devices because they do not use Intel Software Guard Extensions software while noting that Cisco Unified Computing System servers do support the technology. For the second and third variants of Foreshadow, which impact the operating system, system management and virtualized workloads, Cisco said most of its products are only potentially vulnerable "if they allow customers to execute custom code side-by-side with Cisco code on the same microprocessor." But the company said even if not directly vulnerable in a virtual machine or container, Cisco products "could be targeted by such attacks if the hosting environment is vulnerable." As a result, the company recommended patching operating systems and hypervisors, as well as hardening virtual environments, tightening control user access and keeping up-to-date with security updates. Cisco said it will address the new vulnerabilities with new software updates and that no workaround is available.

Dell

Dell said it continues to investigate the impact of Foreshadow on its products and recommends downloading the most recent microcode updates, as well as updates for operating systems and hypervisors, PCs, thin clients, servers and storage and networking products.

Hewlett Packard Enterprise

Hewlett Packard Enterprise said it is addressing Foreshadow in its Intel-based products by issuing ROM microcode updates. Combined with operating system and hypervisor software updates released by industry partners, the company said the mitigations will provide the necessary protections for traditional IT and cloud service environments. However, HPE said additional safeguards are required for environments where guest virtual machines are running concurrently on sibling threads of a processor core. Those safeguards include turning off hyper-threading or enabling hypervisor core scheduling techniques. The company said the first variant of Foreshadow only impacts its ProLiant m710x Server Cartridge because it supports Intel's Software Guard Extensions.

Lenovo

Lenovo said the previously released LEN-22133 BIOS update addresses the Foreshadow vulnerability but recommended additional action for each variant. For the first two variants, which impact Intel's Software Guard Extensions, the operating system and system management mode, the company recommended updating the operating system. For the third variant, which impacts virtual machines, the company recommended updating the host operating system, guest operating systems and the virtual machine manager. The company also recommended virtual machine customers enable virtual machine manager scheduler enhancements and keep hyper-threading enabled for Windows Server 2016 or VMware ESXi/vSphere/bare-metal hypervisor systems. For environments where not all guest virtual machines are updated, the company suggested disabling hyper-threading, which Lenovo said is most likely to happen in multi-tenant IaaS public and private cloud servers.

Microsoft Azure

Microsoft said protections have been deployed across all Azure cloud services, and that potential attackers cannot attack Azure applications if they're using the same infrastructure. When possible, the company said Azure uses memory preserving maintenance to as an additional safeguard. The company recommended enabling auto update or staying up-to-date with the latest guest operating system for Azure Cloud Services. For Azure Linux Virtual Machines and Azure Windows Virtual Machines, the company suggested installing the latest updates. For these two types of workloads, the company said customers and partners can also contact Azure support to release firmware updates into their virtual machines. The company also suggested additional safeguards specific to both Windows and Linux workloads.

Microsoft Windows

Microsoft said Foreshadow impacts multiple versions of Windows 7, 8.1 and 10, as well as Windows Server 2008, 2012 and 2016. The company said most client users will only require software updates for protection because previously released microcode addresses the vulnerability. For virtual machines, the company recommended downloading previously released microcode that addresses Spectre variants 3a and 4. If those virtual machines use Virtualization-Based Security or Hyper-V, Microsoft suggested additional safeguards: installing Windows Security updates, installing firmware updates and disabling hyper-threading.

For Windows Server customers, the company recommended enabling the previously released update that addresses the Meltdown vulnerability. For Windows Server systems running virtualized workloads, the company said to download previously released microcode that addresses Spectre variants 3a and 4 and to disable hyper-threading in situations where Hyper-V or virtualization-based security is being used. Other mitigations include enabling the Hyper-V core scheduler and setting the virtual machine hardware thread count per core to 2 depending on the configuration.

Oracle

Oracle noted that servers that can't run untrusted code aren't directly vulnerable through the Foreshadow threat vector. However, the company reiterated recommendations by Intel to download the latest microcode and software patches, as well as turning off hyper-threading in some scenarios. The company said it will provide specific guidance for Oracle Engineered Systems. Oracle SPARC servers are not impacted while Oracle Intel x86 servers are not impacted by the first variant of Foreshadow because they don't use Intel Software Guard Extensions. Meanwhile, the company released security patches for Oracle Linux 7, Oracle Linux 6 and Oracle VM Server running on x86 products. Oracle Solaris is not impacted by the first two Foreshadow variants impacting SGX or operating systems, but it will receive a patch later to mitigate the third variant while using Kernel Zones. The company said its Cloud Security and DevOps teams are working with industry partners to implement productions for several Oracle Cloud products, including Oracle NetSuite, Oracle Data Cloud and Oracle Managed Cloud Services. Oracle Autonomous Data Warehouse and Oracle Autonomous Transaction Processing, however, are not impacted.

VMware

VMware said the its products and services are not impacted on the first variant of Foreshadow, which involves a security hole with Intel Security Guard Extensions. They are impacted, however, by the second and third variants of Foreshadow, which involve vulnerabilities in operating systems and virtual machines, respectively. As such, the company issued a hypervisor-specific mitigation for the third variant while saying that patches are pending for the second. Products impacted by the second variant include vCloud Usage Meter, Identity Manager and vCenter Server.