Intel Downfall attack: What we know about this CPU flaw

With CPU exploits all the rage recently, one pretty severe one affects a ton of Intel processors.

With Zenbleed and Inception affecting AMD when it comes to recent CPU exploits, Intel hasn’t come out unscathed. Downfall is a new CPU vulnerability that Intel has disclosed; it uses Gather Data Sampling to extract data and other sensitive information from a number of CPUs, ranging from Intel’s Skylake through to Rocket Lake and Tiger Lake.

Downfall (CVE-2022-40982) was discovered by researcher Daniel Moghimi and allows a user on a shared machine to access data from other users on that machine. In a cloud computing context, this can mean that an attacker could steal data and credentials from other users who use the same shared machine, something extremely common in cloud computing environments.

How Downfall works

Downfall is caused by memory optimization features that unintentionally reveal the contents of registers to software. In turn, untrusted software can access information being accessed by other processes, which is similar to what Zenbleed achieves. This is also, yet again, another speculative execution exploit.

Branch prediction and speculative execution broadly refer to your computer performing operations that are not yet needed but will likely be needed in subsequent cycles. It’s often done when the system has free resources, as it speeds up overall processing in cases where instructions or data would otherwise not yet be ready for the CPU. If the work turns out not to be needed, it’s typically discarded and the processor jumps back to where it needs to be in order to execute the next, correct, instruction. When the guess turns out to be wrong, this is called a branch misprediction.

By abusing the Gather instruction, an instruction that speeds up access to scattered data in memory, the contents of the internal vector register file can leak during speculative execution. Moghimi shared videos showing the attack in action, and how it could be used to spy on a user’s system by creating a program that reads this data when it shouldn’t be able to. The current mitigation offered by Intel could have an overhead of up to 50%, meaning that there is a fairly sizable performance impact from fixing this bug.

This bug is classed as moderate in severity because its CVSS score is 6.5. A CVSS score assigns a numerical value to how severe (or not) a vulnerability is; in the case of Zenbleed and Inception, there is no publicly verifiable score yet. Downfall requires very few privileges to execute and has a high impact on confidentiality. What keeps its score in the moderate category is that it requires “local” access; in other words, direct access to the machine in some way.

What can you do?

Updating when updates are available is your best bet, but that’s all you can really do currently. If you’re on a newer Intel CPU you have nothing to worry about, though Moghimi believes this to be “a side effect of a significantly modified architecture” rather than something Intel was consciously aware of. In other words, they seemingly got lucky.

In addition to a technical paper, Moghimi will be presenting Downfall at the Black Hat USA conference on August 9, 2023 and at the USENIX Security Symposium on August 11, 2023.