New CrossTalk attack impacts Intel’s mobile, desktop, and server CPUs

Academics from a university in the Netherlands have published details today about a new vulnerability in Intel processors.

The security bug, which they named CrossTalk, enables attacker-controlled code executing on one CPU core to leak sensitive data from other software running on a different core.

The Vrije University’s Systems and Network Security Group (VUSec) says the CrossTalk vulnerability is another type of MDS (microarchitectural data sampling) attack.

MDS attacks target user data while in a “transient” state, as it’s being processed inside the CPU and its many data-caching systems.

More specifically, CrossTalk attacks data while it’s being processed by the CPU’s Line Fill Buffer (LBF), one of these aforementioned CPU cache systems.

According to the VUSec team, the LBF cache actually works with a previously undocumented memory “staging buffer” that is shared by all CPU cores.

In a demo video published today, the VUSec research team showed how they employed a CrossTalk attack to attack this undocumented staging buffer via the LBF cache, and leak data processed by apps on other cores (an Intel SGX key, in the example below).

The research team said they’ve been working with Intel on having the CrossTalk attack patched for the past 21 months, since September 2018.

The VUSec team said that patching this bug took more than the standard 90 days because of the complexity of the issue and because they initially didn’t thoroughly investigate the possibility of a cross-core leak.

In the meantime, Intel has already made significant changes to the hardware design of its CPUs, and most of its recent products are not vulnerable to this attack.

For all the older Intel CPU lines, the chipmaker has released today microcode (CPU firmware) updates to patch the CrossTalk vulnerability — which Intel refers to as “Special Register Buffer Data Sampling” or SRBDS (CVE-2020-0543, Intel-SA-00320).

“As with all side-channel issues reported to date, Intel is not aware of any real-world exploits of SRBDS outside of a lab environment,” Intel said in a blog post analyzing its June security updates.

A list of vulnerable Intel CPUs are listed on this page (check the SRBDS column in the table). The list includes CPU lines for embedded, mobile, desktop, and server products.

The VUSec team has also published proof-of-concept code and a technical paper and website on the CrossTalk attack. Intel has its own technical write-up, here.