Downfall vulnerability impacts various Intel microprocessors and enables encryption keys, passwords, and other sensitive data exfiltration. The flaw was dubbed CVE-2022-40982 and was reported to Intel by security researcher Daniel Moghimi.
The researcher provided a proof-of-concept that leverages the Gather instruction in two ways.
Intel released patches for the Downfall vulnerability that impacts recently sold microprocessors and also older ones, produced even as far as 2014. However, the flaw does not affect Intel’s newest processors.
Details on the Exfiltration Methods
The Gather instruction is a memory optimization feature that helps access scattered data in memory faster. Moghimi discovered two ways to exploit the vulnerability:
- Gather Data Sampling (GDS), a method that enabled the user to exfiltrate AES 128-bit and 256-bit cryptographic keys on a separate virtual machine (VM).
- Gather Value Injection (GVI), a technique that combines GDS with the Load Value Injection (LVI) technique that was revealed in 2020.
Threat actors that are on the same physical processor core could leverage the Downfall flaw to exfiltrate:
- passwords,
- encryption keys,
- emails and messages,
- banking info.
Which Intel Products Are at Risk?
According to BleepingComputer, the vulnerability does not work on Alder Lake, Raptor Lake, and Sapphire Rapids. The three vulnerable families of processors are:
- Skylake, with Skylake, Cascade Lake, Cooper Lake, Amber Lake, Kaby Lake, Coffee Lake, Whiskey Lake, and Comet Lake.
- Tiger Lake
- Ice Lake, with Ice Lake, and Rocket Lake
General Impact and Mitigation Measures
Daniel Moghini notified Intel about his discovery on August 24th, 2022, and collaborated with them to help prevent further risk. The researcher claims that users were exposed to the Downfall flaw for more than nine years, as the impacted processors were available to the public starting in 2014.
While Intel advises users to update devices to the latest version, Moghini also had four recommendations:
- Disable simultaneous multithreading (SMT). The measure partially mitigates GDS and GVI attacks. However, the user will observe a 30% loss in performance.
- Deny affected instructions through the OS and the compiler to avoid them leaking sensitive data to Gather. Some apps could work poorly because of this.
- Disable Gather and mind the fact that software using it will work slower or crash.
- Prevent transient data forwarding once Gather can mitigate Downfall.
The Downfall vulnerability impacts billions of users worldwide. Since the proof-of-concept code is already available on GitHub, patching endpoints in a timely manner is strongly recommended.
Due to the large volume of impacted devices, automated patch management solutions help security admins save precious time and resources. Get a free demo of Heimdal`s automated patch management tool to evaluate the benefits.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.
Heimdal® Patch & Asset Management
- Create policies that meet your exact needs;
- Full compliance and CVE/CVSS audit trail;
- Gain extensive vulnerability intelligence;
- And much more than we can fit in here...