Downfall is a Severe Flaw in Billions of Intel CPUs

Avatar img-thumbnail img-circle

in Guarding the Grid, News

A new day brings a new security breach. Ten days ago, we learned about a flaw in AMD’s Zen 2 processors, and now it seems it’s Intel’s turn. Billions of Intel processors have a security flaw that allows attackers with access to the computer to steal sensitive data such as passwords, email, messages, payment card data, and encryption keys.

The flaw is called “Downfall” and was discovered by Google security expert Daniel Moghimi. Downfall affects all Intel processors, from Skylake to IceLake. To put it bluntly, all generations of processors from the 6th to the 11th are affected; practically all processors released in the time span of 9 years, before the company released Alder Lake and Raptor Lake. The attacker, using the victim’s computer, can gain access to data that’s protected by Software Guard eXtensions (SGX) protection. This applies to home computers as well as cloud servers.

“This vulnerability, identified as CVE-2022-40982, enables a user to access and steal data from other users who share the same computer. For instance, a malicious app obtained from an app store could use the Downfall attack to steal sensitive information like passwords, encryption keys, and private data such as banking details, personal emails, and messages. Similarly, in cloud computing environments, a malicious customer could exploit the Downfall vulnerability to steal data and credentials from other customers who share the same cloud computer.”

Moghimi sent his discovery to Intel on August 24 last year. This announcement came a year later, as Intel needed time to make the necessary changes.

A new security flaw in processors

Intel rates the vulnerability 6.5, putting it on the medium level of severity. Because access to the computer is required, Intel doesn’t place the danger that high up the ladder. Downfall is identified by code CVE-2022-40982. In order to access the sensitive data, the attacker and the victim must use the same physical core. In this case, the attacker is a malicious application.

Theoretically, there is a possibility of remote abuse, but there is no proof of concept for this.

“The gather instruction appears to use a temporal buffer shared across sibling CPU threads, and it transiently forwards data to later dependent instructions, and the data belongs to a different process and gather execution running on the same core.”

Moghimi developed two Downfall attack techniques, Gather Data Sampling (GDS) – which is also the name Intel uses to refer to the issue and Gather Value Injection (GVI) – which combines GDS with the Load Value Injection (LVI) technique.

The expert also shares several examples of exploiting the flaw in which he managed to “steal” another user’s 128-bit and 256-bit AES keys; Linux Kernel data; tracing printable characters. Exploiting the flaw, an attacker can gain access to passwords or encryption keys that can be used in other attacks. In the 100 AES-128 keys case, it takes just one try, but for the AES-256 key, the chance of success on the first try is 86%. AES-256 required more attempts because the key did not appear with the same frequency as was the case with 128.

Intel has released microcode that patches the flaw and disables the Gather data. Unfortunately, due to the patch, performance may suffer.

Notify of
Inline Feedbacks
View all comments