Downfall (security vulnerability)

From HandWiki
Short description: Computer security vulnerability
Downfall
CVE identifier(s)CVE-2022-40982
Affected hardware6-11th gen Intel Core CPUs
Websitehttps://downfall.page/

Downfall, known as Gather Data Sampling (GDS) by Intel,[1] is a computer security vulnerability found in 6th through 11th generations of consumer and 1st through 4th generations of Xeon Intel x86-64 microprocessors.[2] It is a transient execution CPU vulnerability which relies on speculative execution of Advanced Vector Extensions (AVX) instructions to reveal the content of vector registers.[3][4]

Vulnerability

Intel's Software Guard Extensions (SGX) security subsystem is also affected by this bug.[4]

The Downfall vulnerability was discovered by the security researcher Daniel Moghimi, who publicly released information about the vulnerability in August 2023, after a year-long embargo period.[5][6]

Intel promised microcode updates to resolve the vulnerability.[1] The microcode patches have been shown to significantly reduce the performance of some heavily-vectorized loads.[7]

Patches to mitigate the effects of the vulnerability have also been created as part of the forthcoming version 6.5 release of the Linux kernel.[8] They include code to disable the AVX extensions entirely on CPUs for which microcode mitigation is not available.[9]

Vendor responses

References

  1. 1.0 1.1 "Gather Data Sampling / CVE-2022-40982 / INTEL-SA-00828" (in en). https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/gather-data-sampling.html. 
  2. "Affected Processors: Transient Execution Attacks & Related Security..." (in en). https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html. 
  3. Newman, Lily Hay. "New 'Downfall' Flaw Exposes Valuable Data in Generations of Intel Chips" (in en-US). Wired. ISSN 1059-1028. https://www.wired.com/story/downfall-flaw-intel-chips/. Retrieved 2023-08-08. 
  4. 4.0 4.1 Ilascu, Ionut (2023-08-08). "New Downfall attacks on Intel CPUs steal encryption keys, data" (in en-us). https://www.bleepingcomputer.com/news/security/new-downfall-attacks-on-intel-cpus-steal-encryption-keys-data/. 
  5. Wright, Rob (2023-08-08). "Google unveils 'Downfall' attacks, vulnerability in Intel chips" (in en). https://www.techtarget.com/searchsecurity/news/366547448/Google-unveils-Downfall-attacks-vulnerability-in-Intel-chips. 
  6. Larabel, Michael (2023-08-08). "Intel DOWNFALL: New Vulnerability Affecting AVX2/AVX-512 With Big Performance Implications" (in en). https://www.phoronix.com/review/downfall. 
  7. Liu, Zhiye (2023-08-10). "Intel's Downfall Mitigations Drop Performance Up to 39%, Tests Show" (in en). https://www.tomshardware.com/news/intel-downfall-mitigation-performance-drop-linux. 
  8. Larabel, Michael (2023-08-08). "Linux 6.5 Patches Merged For Intel GDS/DOWNFALL, AMD INCEPTION" (in en). https://www.phoronix.com/news/Linux-Git-INCEPTION-DOWNFALL. 
  9. Corbet, Jonathan (August 8, 2023). "Another round of speculative-execution vulnerabilities". https://lwn.net/Articles/940783/. 
  10. "CVE-2022-40982 - Gather Data Sampling - Downfall". 2023-08-08. https://aws.amazon.com/security/security-bulletins/AWS-2023-007/. 
  11. "Citrix Hypervisor Security Bulletin for CVE-2023-20569, CVE-2023-34319 and CVE-2022-40982". https://support.citrix.com/article/CTX569353/citrix-hypervisor-security-bulletin-for-cve202320569-cve202334319-and-cve202240982. 
  12. "DSA-2023-180: Security Update for Intel Product Update 2023.3 Advisories | Dell US". https://www.dell.com/support/kbdoc/en-us/000216234/dsa-2023-180. 
  13. "CVE-2022-40982". https://security-tracker.debian.org/tracker/CVE-2022-40982. 
  14. "Security Bulletins | Customer Care". https://cloud.google.com/support/bulletins. 
  15. "Intel 2023.3 IPU – BIOS August 2023 Security Updates | HP® Customer Support". https://support.hp.com/us-en/document/ish_9021973-9021997-16/hpsbhf03859. 
  16. "INTEL-SA-00828". 2023-08-08. https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html. 
  17. "Multi-vendor BIOS Security Vulnerabilities (August 2023) - Lenovo Support US". https://support.lenovo.com/us/en/product_security/LEN-134879. 
  18. "KB5029778: How to manage the vulnerability associated with CVE-2022-40982 - Microsoft Support". https://support.microsoft.com/en-us/topic/kb5029778-how-to-manage-the-vulnerability-associated-with-cve-2022-40982-d461157c-0411-4a91-9fc5-9b29e0fe2782. 
  19. "QSB-093: Transient execution vulnerabilities in AMD and Intel CPUs (CVE-2023-20569/XSA-434, CVE-2022-40982/XSA-435)". August 9, 2023. https://forum.qubes-os.org/t/qsb-093-transient-execution-vulnerabilities-in-amd-and-intel-cpus-cve-2023-20569-xsa-434-cve-2022-40982-xsa-435/20299. 
  20. "cve-details". https://access.redhat.com/security/cve/cve-2022-40982. 
  21. "Intel Platform Update (IPU) Update 2023.3, August 2023 | Supermicro". https://www.supermicro.com/en/support/security_Intel_IPU2023.3_Update. 
  22. "CVE-2022-40982". https://ubuntu.com/security/CVE-2022-40982. 
  23. https://blogs.vmware.com/security/2023/08/cve-2022-40982.html
  24. "oss-sec: Xen Security Advisory 435 v1 (CVE-2022-40982) - x86/Intel: Gather Data Sampling". https://seclists.org/oss-sec/2023/q3/98. 

External links