Intel: New L1 Terminal Fault Bugs Hit Virtual Machines Harder
Intel disclosed on Tuesday three more vulnerabilities within its server, client and workstation processors, signaling that security issues for the company's CPUs are far from over.
The Santa Clara, Calif.-based company said the L1 Terminal Fault and two related vulnerabilities are similar to previously disclosed side-channel analysis security issues, including the Meltdown and Spectre variants that kicked off a new level of concern over CPU security when they were disclosed in January.
In a blog post published Tuesday, Intel product security head Leslie Culbertson said the new vulnerabilities can be mitigated through new updates being issued starting today by industry partners and the open source community, as well as microcode updates that Intel released earlier this year.
Culbertson also noted that the company's future CPUs, starting with Intel's next-generation Xeon Scalable processor, code-named Cascade Lake, and new client processors coming out later this year will come with new hardware-level security protections that have been touted for months now.
"We are not aware of reports that any of these methods have been used in real-world exploits, but this further underscores the need for everyone to adhere to security best practices," Culbertson wrote. "This includes keeping systems up-to-date and taking steps to prevent malware."
The new L1 Terminal Fault vulnerability involves the CPU's L1 data cache, a small, fast pool of memory inside each processor core that holds the data the core has used most recently. When a memory access hits a page-table entry marked not present (a "terminal fault"), the core still speculatively reads whatever sits in the L1 data cache at the address in that entry before the fault is raised, so code in one security domain can observe cached data that belongs to another, such as the hypervisor or a neighbouring virtual machine.
Intel's previously released microcode updates, together with the operating-system patches shipping now, are expected to lower the risk of data exposure for consumer and enterprise users running non-virtualized operating systems, which the company said covers most data center systems and PC clients. The company said no significant performance impact has been observed with this particular mitigation.
For virtual machines, however, the risk is higher, Intel said. As a result, IT administrators and cloud providers are urged to apply additional safeguards where they cannot ensure that every guest operating system has been updated and can be trusted. Those additional steps include turning off hyper-threading in some scenarios, so that an untrusted guest never shares a core's L1 data cache with another tenant or the hypervisor, and enabling hypervisor core-scheduling features that keep sibling threads assigned to the same guest.
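The operator-side check that the paragraph above implies, as an added example that is not part of the original article or of Intel's guidance: on Linux the kernel reports its L1TF state in /sys/devices/system/cpu/vulnerabilities/l1tf and the SMT (hyper-threading) state in /sys/devices/system/cpu/smt/control. The script below classifies the status strings the kernel emits (PTE inversion for the host side, the VMX flush mode and the "SMT vulnerable" marker for the virtual-machine side) and prints which of the extra steps a KVM host still needs. The verdict names and the advice text are this example's own; the sysfs paths and the kernel parameters it mentions (nosmt, l1tf=, kvm-intel.vmentry_l1d_flush=) are real Linux interfaces.

```shell
#!/bin/sh
# Added example: classify the Linux L1TF status and tell a KVM host operator
# whether the virtual-machine side of the mitigation is complete.
# The sysfs paths are the kernel's; the verdict names below are ours.

L1TF_FILE=/sys/devices/system/cpu/vulnerabilities/l1tf
SMT_CTL=/sys/devices/system/cpu/smt/control

# classify_l1tf STATUS
# Prints one of: not_affected | unmitigated | host_only | mitigated | unknown
# "host_only" means PTE inversion protects the host kernel, but a guest can
# still read host L1D contents because VM entries do not flush the cache or
# because a sibling hyper-thread may be running untrusted guest code.
classify_l1tf() {
    status="$1"
    case "$status" in
        "Not affected"*) echo not_affected ;;
        "Vulnerable"*)   echo unmitigated ;;
        "Mitigation: PTE Inversion"*)
            case "$status" in
                *"VMX: vulnerable"*|*"SMT vulnerable"*) echo host_only ;;
                *)                                      echo mitigated ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# read_smt_state [FILE]
# Prints the SMT control state (on, off, forceoff, notsupported,
# notimplemented) or "unknown" when the file is absent.
read_smt_state() {
    f="${1:-$SMT_CTL}"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# l1tf_advice VERDICT SMT_STATE
# One line of guidance derived from the verdict and the SMT state.
l1tf_advice() {
    case "$1" in
        not_affected) echo "no action needed" ;;
        unmitigated)  echo "install the kernel update and microcode; PTE inversion is not active" ;;
        host_only)
            if [ "$2" = "on" ]; then
                echo "guests can read host L1D: disable SMT (boot with nosmt, or echo off > $SMT_CTL) and flush L1D on VM entry (kvm-intel.vmentry_l1d_flush=always, or l1tf=full,force)"
            else
                echo "enable L1D flush on VM entry (kvm-intel.vmentry_l1d_flush=always, or l1tf=full,force)"
            fi ;;
        mitigated)    echo "host and guest boundaries are mitigated" ;;
        *)            echo "unrecognised status; inspect $L1TF_FILE by hand" ;;
    esac
}

# Stand-alone use: report the live state when run on a Linux host.
# Never exits non-zero, so it is safe to source from other scripts.
if [ -r "$L1TF_FILE" ]; then
    live_status=$(cat "$L1TF_FILE")
    live_smt=$(read_smt_state)
    live_verdict=$(classify_l1tf "$live_status")
    echo "l1tf status : $live_status"
    echo "smt control : $live_smt"
    echo "verdict     : $live_verdict"
    echo "advice      : $(l1tf_advice "$live_verdict" "$live_smt")"
else
    echo "$L1TF_FILE not found (not Linux, or kernel predates the L1TF sysfs entry)"
fi
```

A kernel built with KVM but configured for conditional flushes and with hyper-threading enabled reports "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable", which this script classifies as host_only: the host kernel is protected, but a hostile guest on a sibling thread can still read what the hypervisor or another guest leaves in the L1 data cache. That is exactly the case in which the article's extra steps (SMT off, or a core scheduler that keeps both siblings inside one guest, plus an L1D flush on every VM entry) apply.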
The performance impact of these additional fixes will vary by workload, the company said. Intel said it is working with industry partners on several approaches so that customers can choose how to apply the mitigations to their own environments.
"As part of this, we have developed a method to detect L1TF-based exploits during system operation, applying mitigation only when necessary," Culbertson said. "We have provided pre-release microcode with this capability to some of our partners for evaluation, and hope to expand this offering over time."
Intel’s stock slipped less than 1 percent to $48.13 on Tuesday afternoon.