Foreshadow Vulnerability Threatens Security of Cloud-Based Applications
Back in January, it was revealed that processors created by Intel were susceptible to critical Spectre and Meltdown vulnerabilities. Now, researchers have discovered a related flaw, dubbed the Foreshadow Vulnerability, that defeats the authentication methods used by computers to guarantee that the software you install is the software that gets executed.
When software is sold, the author doesn’t always know who the end user will be or whether the software may be tampered with after installation. To prevent this from happening, Intel processors include a remote authentication method, known as SGX. SGX is used by the program’s author to remotely validate the software as genuine. This new vulnerability allows the SGX authentication method to be defeated without triggering an alarm.
So what does all this mean in practical terms?
Virtual machines (VMs) are used by cloud vendors to pack many clients onto a single physical computer. Each customer is provided with a separate portion of the physical computer (this is the virtual machine). Theoretically, this separates each customer from all others in this shared space. However, the virtual machine operating system software uses SGX authentication to ensure that each VM is safe from tampering. This latest vulnerability would allow a malicious user to tamper with their virtual machine software without being detected. It could then be programmed to access other VMs on the same computer, viewing or stealing other customers’ data.
This vulnerability affects nearly all currently available Intel processors, and patches are currently being prepared. If you are using shared or VPS hosting, ask your hosting provider what is being done to mitigate this issue. Similarly, if you are providing shared hosting to clients, ensure that your servers apply the latest patches to protect your clients from potentially malicious users.
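For administrators of Linux hosts, the kernel reports its Foreshadow mitigation state in sysfs under the name L1TF. The script below is an added example, not part of the original article; the function names and the sample status lines are constructed for illustration, and the exact wording of the status line varies between kernel versions.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's Foreshadow (L1TF) status line.
L1TF_FILE=/sys/devices/system/cpu/vulnerabilities/l1tf

# classify_l1tf LINE -> prints one of:
#   not_affected | mitigated | partial | vulnerable | unknown
classify_l1tf() {
    line=$1
    case $line in
        "Not affected"*) echo not_affected ;;
        Vulnerable*)     echo vulnerable ;;
        Mitigation:*)
            # The host's own mitigation can be active while the part that
            # protects against guest VMs is still reported as vulnerable.
            case $line in
                *"SMT vulnerable"*|*"VMX: vulnerable"*|*"L1D vulnerable"*)
                    echo partial ;;
                *)  echo mitigated ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# report_l1tf [FILE] -> prints "<verdict>: <raw status>" for this host
report_l1tf() {
    file=${1:-$L1TF_FILE}
    if [ -r "$file" ]; then
        raw=$(cat "$file")
        echo "$(classify_l1tf "$raw"): $raw"
    else
        echo "unknown: $file is not exposed on this system"
    fi
}

# Constructed sample lines, for illustration only
for s in "Not affected" \
         "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable" \
         "Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled" \
         "Vulnerable"; do
    printf '%-12s %s\n' "$(classify_l1tf "$s")" "$s"
done

# Status of the machine the script runs on
report_l1tf
```

A `partial` verdict on a server that hosts other customers' VMs is the case to raise with the hosting provider or fix first.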
Jack Eisenberg is the owner of Safe and Secure Computing and regularly monitors cyber security developments such as this one.