In a statement on Tuesday, an Intel spokesperson said the company had been notified of research from Vrije Universiteit Amsterdam, which outlined a potential side-channel analysis vulnerability.
Details of TLBleed — so named because the flaw targets the Translation Lookaside Buffer, a CPU cache — were leaked to the British tech site, The Register, on Friday. A paper on the topic is scheduled to be presented at the Black Hat USA 2018 conference in August.
Last week, OpenBSD project leader Theo de Raadt told iTWire that he could not reveal details about the flaw which he said the Dutch researchers had shared with the project. In the meantime, as a precaution, OpenBSD, which is used on some of the servers with the longest uptimes, had removed support for hyperthreading, he added.
Later in the day, De Raadt outlined some of the difficulties he could visualise in patching TLBleed, ending with the sarcastic comment, "This Intel CPU is amazing. They sure are keeping it fresh and new!"
In its Tuesday statement, Intel said: "Research on side-channel analysis methods often focuses on manipulating and measuring the characteristics (e.g. timing) of shared hardware resources. These measurements can potentially allow researchers to extract information about the software and related data.
"TLBleed uses the Translation Lookaside Buffer, a cache common to many high-performance microprocessors that stores recent address translations from virtual memory to physical memory.
"Software or software libraries such as Intel Integrated Performance Primitives Cryptography version U3.1 — written to ensure constant execution time and data independent cache traces — should be immune to TLBleed.
"Protecting our customers’ data and ensuring the security of our products is a top priority for Intel and we will continue to work with customers, partners and researchers to understand and mitigate any vulnerabilities that are identified.”
Intel was asked why the company resisted obtaining a a Common Vulnerabilities and Exposures number for TLBleed and also why the company was unwilling to pay the researchers a bug bounty.
iTWire has been given to understand that Intel had issued CVE-2018-3691 earlier this year which dealt with a vulnerability in the Intel Integrated Performance Primitives Cryptography (impacting versions prior to 2018 U2.1).
The fix to patch that flaw, which is included in versions 2018 U2.1 and 2018 U3.1, ensured constant execution time and is expected to render exploits based on TLBleed ineffective.
iTWire also understands that the bug report by the Vrije Universiteit Amsterdam researchers did not meet all of the requirements of Intel's bug bounty program.
The CVE system, a catalogue of known security threats sponsored by the US Department of Homeland Security, provides a reference method for publicly known vulnerabilities and exposures.