Intel 'Downfall' bug exposes keys, passwords and other confidential data

A microcode update has been released to address the issue

Intel 'Downfall' bug exposes keys, passwords and other confidential data

Image:
Intel 'Downfall' bug exposes keys, passwords and other confidential data

A security flaw affecting a range of Intel processors could enable malicious actors to steal encryption keys, passwords and private data, a senior researcher at Google has warned.

Intel is taking action by providing firmware updates along with an optional software sequence to address the potential risk posed by this vulnerability.

Referred to as CVE-2022-40982, the Downfall bug represents a transient execution side-channel issue affecting Intel processors spanning the sixth-generation Skylake series to the 11th-generation Tiger Lake chips.

The discovery of CVE-2022-40982 has been credited to Daniel Moghimi, a senior research scientist at Google.

Moghimi elaborated on his discoveries during a session at Black Hat USA 2023 held on a Wednesday. He has also provided an extensive explanation of the vulnerability on a dedicated website and in a corresponding technical paper.

As per Moghimi's assessment, a potential attacker who capitalises on this issue can retrieve sensitive data safeguarded by Software Guard eXtensions (SGX).

SGX is Intel's hardware-based memory encryption technology that segregates in-memory code and data from the software running on the system.

Moghimi's Downfall attack methods capitalise on the "gather" instruction that "leaks the content of the internal vector register file during speculative execution."

"Gather" is a part of memory optimisation within Intel processors, designed to accelerate the retrieval of scattered data from memory.

"The gather instruction appears to use a temporal buffer shared across sibling CPU threads, and it transiently forwards data to later dependent instructions, and the data belongs to a different process and gather execution running on the same core," Moghimi explained in his technical paper.

Moghimi's proof-of-concept effectively demonstrates how Downfall can be used to steal encryption keys belonging to other users on a specific server, along with various other types of data.

Downfall attacks require the attacker to be on the same physical processor core as the targeted victim, a scenario that is facilitated by the prevailing shared computing model.

Locally running malware could potentially leverage this vulnerability to pilfer confidential information.

As stated on Intel's support pages, Downfall impacts processors built upon various architectures including Skylake, Kaby Lake, Whiskey Lake, Ice Lake, Comet Lake, Coffee Lake, Rocket Lake and Tiger Lake, plus some others.

That means the majority of CPUs within Intel's 6th to 11th-generation Core line-ups intended for consumer PCs are vulnerable. These CPUs have been sold since 2015 and continue to be used in some new systems.

However, Intel's more recent 12th- and 13th-generation CPU architectures, known as Alder Lake and Raptor Lake, as well as low-end CPUs from the Atom, Pentium, and Celeron series (including Apollo Lake, Gemini Lake, Jasper Lake, and others) are not affected.

Likewise, older CPU architectures like Haswell and Broadwell are unaffected by this issue.

Moghimi characterises Downfall as a "successor" to previous speculative-execution vulnerabilities such as Meltdown and Fallout.

He reported this vulnerability to Intel in August 2022, but decided to disclose it to the public this week after allowing Intel sufficient time to develop microcode updates to rectify the vulnerability. A microcode update has now been released to address this issue.

Intel has indicated that the mitigations to counteract this bug could result in a performance reduction of up to 50% for workloads reliant on the Gather instruction.

The microcode update features an opt-out option for system software to deactivate the mitigation, thereby circumventing the performance impact. However, Moghimi advised against employing this opt-out.

In a statement, Intel said:

"The security researcher, working within the controlled conditions of a research environment, demonstrated the GDS issue, which relies on software using Gather instructions. While this attack would be very complex to pull off outside of such controlled conditions, affected platforms have an available mitigation via a microcode update. Recent Intel processors, including Alder Lake, Raptor Lake and Sapphire Rapids, are not affected.

"Many customers, after reviewing Intel's risk assessment guidance, may determine to disable the mitigation via switches made available through Windows and Linux operating systems as well as VMMs. In public cloud environments, customers should check with their provider on the feasibility of these switches."