A new security vulnerability, called Downfall, was revealed today by Intel and the researcher who discovered it, Daniel Moghimi. The new attack uses Gather Data Sampling to steal data and other sensitive information from other users on a computer with Intel processors from 2015 through 2019 ranging from sixth gen Skylake through eleventh gen Rocket Lake and Tiger Lake.
Intel has posted about the vulnerability in a security advisory, INTEL-SA-00828, and has reserved CVE-2022-40982.
Moghami, a senior research scientist at Google (and formerly of the University of California San Diego posted details on downfall.page.
"The vulnerability is caused by memory optimization features in Intel processors that unintentionally reveal internal hardware registers to software," Moghami wrote. "This allows untrusted software to access data stored by other programs, which should not be normally be accessible. I discovered that the Gather instruction, meant to speed up accessing scattered data in memory, leaks the content of the internal vector register file during speculative execution."
On the page, Moghami shows demos stealing 128-bit and 256-bit AES keys from other users, as well as spying on typed characters and taking data from the Linux kernel. He suggests that even if you don't own an Intel powered-device, Intel's dominance in the server market means that everyone on the internet is affected, and that "in cloud computing environments, a malicious customer could exploit the Downfall vulnerability to steal data and credentials from other customers who share the same cloud computer."
Intel is releasing microcode for its affected chips. The company "recommends that users of affected Intel Processors update to the latest version firmware provided by the system manufacturer that addresses these issues." If you're not using Intel SGX, a hardware-based memory encryption technology from Intel, you can load it from the operating system.
In a statement to Tom's Hardware, Intel wrote: "The security researcher, working within the controlled conditions of a research environment, demonstrated the GDS issue which relies on software using Gather instructions. While this attack would be very complex to pull off outside of such controlled conditions, affected platforms have an available mitigation via a microcode update. Recent Intel processors, including Alder Lake, Raptor Lake and Sapphire Rapids, are not affected. Many customers, after reviewing Intel's risk assessment guidance, may determine to disable the mitigation via switches made available through Windows and Linux operating systems as well as VMMs. In public cloud environments, customers should check with their provider on the feasibility of these switches.”
The overhead, per Moghami and Intel, could be as high as 50% depending on if a workload uses Gather. Notably, Intel will have an "opt-out mechanism" in the microcode that allows the mitigation for Downfall to be disabled in order to "avoid the performance impact on certain vectorization-heavy workloads."
The researcher recommends against opting out: "This is a bad idea. Even if your workload does not use vector instructions, modern CPUs rely on vector registers to optimize common operations, such as copying memory and switching register content, which leaks data to untrusted code exploiting Gather."
Moghami will present Downfall at the BlackHat USA conference on August 9 and USENIX Security Symposium on August 11. His technical paper can be found here.
Newer Intel chips, like 12th Gen Alder Lake, 13th Gen Raptor Lake, and Sapphire Rapids server chips aren't affected.
Updated August 9 with comment from Intel.
