
CERT Coordination Center

L3 CPU shared cache architecture is susceptible to a Flush+Reload side-channel attack

Vulnerability Note VU#976534

Original Release Date: 2013-10-01 | Last Revised: 2013-11-01

Overview

L3 CPU shared cache architecture is susceptible to a Flush+Reload side-channel attack that results in information leakage, allowing a local attacker to derive the contents of memory not belonging to the attacker.

Description

Common L3 CPU shared cache architecture is susceptible to a Flush+Reload side-channel attack, as described in "Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack" by Yarom and Falkner.

By manipulating memory stored in the L3 cache by a target process and observing timing differences between requests for cached and non-cached memory, an attacker can derive specific information about the target process. The paper demonstrates an attack against GnuPG on an Intel Ivy Bridge platform that recovers over 98% of the bits of an RSA private key.

This vulnerability is an example of CWE-200: Information Exposure.

Impact

A local attacker can derive the contents of memory shared with another process on the same L3 cache (same physical CPU). Virtualization and cryptographic software are examples that are likely to be vulnerable.

An attacker on the same host operating system only needs read access to the executable file or a shared library component of the target process.

An attacker on a different virtual machine similarly needs access to an exact copy of the executable or shared library used by the target process, and the hypervisor needs to have memory page de-duplication enabled.

Solution

Apply an Update
See the Vendor Information section below for additional information.

GnuPG has released GnuPG version 1.4.14 and Libgcrypt 1.5.3 to address this vulnerability. CVE-2013-4242 has been assigned to the specific GnuPG vulnerability described in the Yarom/Falkner paper. The CVSS score below applies specifically to CVE-2013-4242.

Disable Memory Page De-duplication

To prevent this attack on virtualization platforms, disable hypervisor memory page de-duplication.
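
On a Linux KVM host, memory page de-duplication is provided by kernel samepage merging (KSM), which is controlled through sysfs. The script below is an added example, not part of the original note: it audits the KSM state and flags the case where ksmd has been stopped but already-merged pages are still shared. The function names, the directory override and the verdict strings are assumptions of this sketch; other hypervisors use different mechanisms and are not covered.

```shell
#!/bin/sh
# Audit Linux KSM (kernel samepage merging) state on a KVM host.
# Added example: the function names, DIR override and verdict strings are
# assumptions of this sketch; the sysfs file names are the kernel's own.

# ksm_status [DIR] prints one of:
#   absent   - no KSM interface present (not built in, or not Linux)
#   active   - ksmd is running and merging identical pages (run=1)
#   residual - ksmd is stopped, but previously merged pages are still shared
#   disabled - ksmd is stopped and no pages are shared
ksm_status() {
    dir="${1:-/sys/kernel/mm/ksm}"
    [ -r "$dir/run" ] || { echo absent; return 0; }
    run=$(cat "$dir/run")
    shared=$(cat "$dir/pages_shared" 2>/dev/null || echo 0)
    case "$run" in
        1) echo active ;;
        *) # run=0 stops ksmd but keeps merged pages; run=2 also unmerges them
           if [ "${shared:-0}" -gt 0 ]; then echo residual; else echo disabled; fi ;;
    esac
}

# ksm_check [DIR] returns 0 only when no de-duplicated pages can exist,
# so it can be used directly as a host hardening check.
ksm_check() {
    st=$(ksm_status "$1")
    case "$st" in
        disabled|absent) return 0 ;;
        *) echo "KSM $st: write 2 to the run file to stop ksmd and unmerge pages" >&2
           return 1 ;;
    esac
}

# Report the state of the host this script runs on.
ksm_status
```

Stopping ksmd with `0` leaves existing merged pages in place, which is why the check treats that state as not yet remediated; writing `2` to `/sys/kernel/mm/ksm/run` as root stops ksmd and unmerges them.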

Vendor Information

Any shared cache architecture may be susceptible to side-channel or timing attacks. CPU vendors are listed as "Not Affected" since the cache architecture is functioning as designed. It is generally up to an operating system or application to take appropriate measures to protect sensitive information.


Linux KVM

Notified:  August 15, 2013 Updated:  August 16, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc.

Notified:  September 13, 2013 Updated:  September 13, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

VMware

Notified:  August 16, 2013 Updated:  September 03, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Xen

Notified:  August 16, 2013 Updated:  September 03, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

libgcrypt

Notified:  August 16, 2013 Updated:  August 16, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AMD

Notified:  August 16, 2013 Updated:  October 29, 2013

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

AMD generally uses an exclusive cache architecture and is therefore not vulnerable to this specific attack.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cryptlib

Notified:  August 16, 2013 Updated:  September 03, 2013

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GnuTLS

Notified:  August 16, 2013 Updated:  September 03, 2013

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intel Corporation

Notified:  August 16, 2013 Updated:  September 03, 2013

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenSSL

Notified:  August 16, 2013 Updated:  September 03, 2013

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Amazon

Notified:  August 16, 2013 Updated:  September 03, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Attachmate

Notified:  August 16, 2013 Updated:  September 03, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Certicom

Notified:  August 16, 2013 Updated:  August 16, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Crypto++ Library

Notified:  August 16, 2013 Updated:  August 16, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

EMC Corporation

Notified:  August 16, 2013 Updated:  August 16, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

IAIK Java Group

Notified:  August 16, 2013 Updated:  August 16, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Microsoft Corporation

Notified:  August 16, 2013 Updated:  August 16, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Oracle Corporation

Notified:  August 16, 2013 Updated:  August 16, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Parallels Holdings Ltd

Notified:  August 16, 2013 Updated:  August 16, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

QEMU

Notified:  August 16, 2013 Updated:  August 16, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

SafeNet

Notified:  August 16, 2013 Updated:  August 16, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Spyrus

Notified:  August 16, 2013 Updated:  August 16, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

lsh

Notified:  August 16, 2013 Updated:  August 16, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References



CVSS Metrics

Group Score Vector
Base 2.4 AV:L/AC:H/Au:S/C:P/I:P/A:N
Temporal 1.9 E:POC/RL:OF/RC:C
Environmental 2.3 CDP:ND/TD:M/CR:H/IR:H/AR:ND

References

Acknowledgements

Thanks to Yuval Yarom and Katrina Falkner for reporting this vulnerability and for help writing this document.

This document was written by Adam Rauf.

Other Information

CVE IDs: CVE-2013-4242
Date Public: 2013-09-05
Date First Published: 2013-10-01
Date Last Updated: 2013-11-01 21:12 UTC
Document Revision: 39

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.