Intel knew about the Downfall CPU vulnerability but did nothing for five years, a new...

Alfonso Maruccia

WTF?! Downfall is the most recent in a long series of security vulnerabilities discovered in Intel processors over the past few years. According to a new class action, Chipzilla was well aware of the flaw's existence but chose to keep it secret and kept selling vulnerable products.

A class action filed in a US federal court in San Jose, California, states that Intel was informed about the Downfall vulnerability in 2018, but the company didn't fix the issue in its processors and the flaw was independently rediscovered in 2023. Intel left customers with vulnerable CPUs, which later turned into crippled products because of performance-killing mitigations.

Also known as Gather Data Sampling (GDS), Downfall (CVE-2022-40982) is a security flaw affecting the 6th through 11th generations of Intel's consumer chips and the 1st through 4th generations of its Xeon x86-64 CPUs. The transient execution flaw affects the Advanced Vector Extensions (AVX) instructions present in modern Intel CPUs, and it can be exploited to reveal the contents of vector registers.

Billions of Intel CPUs used in personal and cloud computers can be forced to reveal secret user data, Google researchers who discovered the flaw explained. The "Gather" AVX CPU instruction leaks the content of the internal vector register file during speculative execution, and a malicious actor could exploit the flaw to steal passwords, encryption keys, banking details, and more.

According to the five plaintiffs bringing the new class action, Intel was informed about Downfall by two separate reports in 2018. The company was busy dealing with the Spectre and Meltdown flaws in its CPU architecture at the time, and seemingly decided to overlook the Downfall vulnerability in the AVX instructions. Furthermore, the microcode updates Intel later released can slow CPU performance by as much as 50% for certain "ordinary computing tasks," the lawsuit claims.

Owners of modern(ish) Intel CPUs are now left with defective products that are either "egregiously vulnerable" to attacks or must be slowed down "beyond recognition" to fix the Downfall flaw, the class action states. They are not the CPUs the plaintiffs purchased, as they perform "quite differently" and are worth much less.

Intel didn't fix Downfall for three more generations of its x86 chips, and now customers who use software for photo and video editing, gaming, and encryption must unfairly pay for the company's negligence. Even worse, the class action claims that Intel implemented some "secret buffers" related to the flawed AVX instructions but never publicly disclosed their existence.

Coupled with the Downfall vulnerability, these secret buffers acted as a backdoor in Intel's CPUs. An attacker could have exploited the design flaw to obtain sensitive information stored in RAM. In 2018, Intel publicly stated that it implemented hardware fixes for Meltdown and Spectre, but the company was aware of the fact that the AVX instructions allowed a similar side-channel attack. So far, Intel has declined to comment on the class action.
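A check an operator can run after reading the above, added here as an example and not taken from the article or the lawsuit: it parses the Linux kernel's reported Gather Data Sampling status together with the AVX flags from /proc/cpuinfo and says whether the host is still exposed or has taken the microcode (or AVX-disabled) mitigation the article describes. The sysfs path and status strings are assumptions based on the kernel's gather_data_sampling documentation, and the sample cpuinfo line is constructed.

```python
"""Audit a Linux host's Downfall (GDS) mitigation state. Added example, not
code from the article or the lawsuit; it assumes a kernel that exposes the
sysfs status file read below (strings per the kernel's gather_data_sampling.rst)."""
from pathlib import Path

SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu sse avx avx2\n"  # constructed input

# Kernel status strings, most specific first, mapped to a short verdict.
_STATES = (
    ("Not affected", "safe"),
    ("Mitigation: Microcode", "mitigated"),            # also "(locked)"
    ("Mitigation: AVX disabled", "mitigated-avx-off"),
    ("Vulnerable: No microcode", "vulnerable-no-microcode"),
    ("Vulnerable", "vulnerable"),
    ("Unknown", "unknown"),                            # hypervisor-dependent
)

def classify_gds(status: str) -> str:
    """Map one sysfs status line to a verdict; unexpected text is never 'safe'."""
    text = status.strip()
    for prefix, verdict in _STATES:
        if text.startswith(prefix):
            return verdict
    return "unrecognised"

def avx_advertised(cpuinfo: str) -> bool:
    """True if the first 'flags' line of a /proc/cpuinfo dump lists an AVX level."""
    for line in cpuinfo.splitlines():
        if line.startswith("flags"):
            flags = set(line.split(":", 1)[1].split())
            return bool(flags & {"avx", "avx2", "avx512f"})
    return False

def audit(status: str, cpuinfo: str) -> dict:
    """Answer the operator's real question: is this host still exposed?"""
    verdict = classify_gds(status)
    avx = avx_advertised(cpuinfo)
    # Gather is an AVX instruction: a host that still advertises AVX and
    # lacks the microcode fix is exposed; one that dropped AVX paid in speed.
    exposed = verdict in {"vulnerable", "vulnerable-no-microcode"} and avx
    return {"verdict": verdict, "avx": avx, "exposed": exposed,
            "needs_action": verdict not in {"safe", "mitigated"}}

if __name__ == "__main__":
    try:  # files are absent on non-Linux hosts or kernels that predate the fix
        status = Path("/sys/devices/system/cpu/vulnerabilities/gather_data_sampling").read_text()
        cpuinfo = Path("/proc/cpuinfo").read_text()
    except OSError:
        status, cpuinfo = "Unknown: sysfs entry missing", ""
    print(audit(status, cpuinfo))
```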


 
No surprise there. Intel decided not to change ready microarchitectures. Too bad for them, manufacturing process problems meant those microarchitectures were delayed for years and so this flaw is much more widespread than it should have been.
 
No surprise there. Intel decided not to change ready microarchitectures. Too bad for them, manufacturing process problems meant those microarchitectures were delayed for years and so this flaw is much more widespread than it should have been.
There is no such thing as a flawless CPU; such a thing will never exist. Furthermore, this and many other "vulnerabilities" still need local access and need to be authenticated; either of those will compromise a system anyway. No one has actually exploited any of these so-called vulnerabilities in the real world due to the difficulty of getting local access and needing to be, or appear to be, an authenticated user.
 
There is no such thing as a flawless CPU; such a thing will never exist. Furthermore, this and many other "vulnerabilities" still need local access and need to be authenticated; either of those will compromise a system anyway.

Fact 1) it doesn't matter only when your house gets robbed: if the alarm company sold you an alarm with good and slick performance but then, after an update, even without a break-in, the alarm runs very slow and sluggish... it isn't what you bought.

Fact 2) Intel knew about the issues on date X. After that day they had two options: A) hold the release for a year or two (and sell the chips at a discount with a warning that they will get a software release that slows down the chip) until they release a fixed architecture (the best option, but with greater losses). Option B) do what Intel did: they earn a lot of money with time-bombed architectures, so they can sell them but... a couple of years later you know the performance won't cut it and you'll want to upgrade... again. A bit like Apple slowing some models down due to battery degradation: they knew that after 2-3 years of charges those phones wouldn't cut it and people would have two reasons to upgrade... (bad for the customer, very good for the stockholders)
 
There is no such thing as a flawless CPU; such a thing will never exist. Furthermore, this and many other "vulnerabilities" still need local access and need to be authenticated; either of those will compromise a system anyway. No one has actually exploited any of these so-called vulnerabilities in the real world due to the difficulty of getting local access and needing to be, or appear to be, an authenticated user.
Servers are a big risk since getting local access (but not physical access) is not that hard. This vulnerability allows getting data from a process using the same physical core, and that may happen quite often unless processes from different users are restricted to certain cores.

Exploiting these may be hard but for some reason manufacturers prefer not to take unnecessary risks.
 
Fact 1) it doesn't matter only when your house gets robbed: if the alarm company sold you an alarm with good and slick performance but then, after an update, even without a break-in, the alarm runs very slow and sluggish... it isn't what you bought.

Fact 2) Intel knew about the issues on date X. After that day they had two options: A) hold the release for a year or two (and sell the chips at a discount with a warning that they will get a software release that slows down the chip) until they release a fixed architecture (the best option, but with greater losses). Option B) do what Intel did: they earn a lot of money with time-bombed architectures, so they can sell them but... a couple of years later you know the performance won't cut it and you'll want to upgrade... again. A bit like Apple slowing some models down due to battery degradation: they knew that after 2-3 years of charges those phones wouldn't cut it and people would have two reasons to upgrade... (bad for the customer, very good for the stockholders)

"it doesn’t matter only when your house got robbed, if the alarm company sold you an alarm with a good and slick performance but then , after an update, -even without an entry break- the alarm runs very slow and sluggish…it isn’t what you bought."
You don't understand the vulnerability: Someone has to break into the server and appear to be authenticated before exploiting this vulnerability. Breaking into the house isn't part of the vulnerability.

I'll say it again in a different way: this vulnerability can't be exploited until a person breaks into a server and gains authenticated access. At that point the vulnerability doesn't matter; the threat could take or delete all of the data to decrypt at their leisure. Your analogy doesn't work because you think this vulnerability lets people break into a device, when that isn't the case.

 
Servers are a big risk since getting local access (but not physical access) is not that hard. This vulnerability allows getting data from a process using the same physical core, and that may happen quite often unless processes from different users are restricted to certain cores.

Exploiting these may be hard but for some reason manufacturers prefer not to take unnecessary risks.

"Servers are big risk since getting local access (but not physical one) is not that hard." You don't know what you are talking about. Companies that need to encrypt all of their data have multiple layers of security making it difficult to gain local authenticated access. If you think it's simple you don't know. Local authenticated access gives someone the right to delete or steal all the data on the server.
 
"Servers are big risk since getting local access (but not physical one) is not that hard." You don't know what you are talking about. Companies that need to encrypt all of their data have multiple layers of security making it difficult to gain local authenticated access. If you think it's simple you don't know. Local authenticated access gives someone the right to delete or steal all the data on the server.
Servers that offer cloud and/or virtualization services to multiple people usually grant local access, as without it the services they offer are pretty much useless. The access they offer is supposed to be limited, but with vulnerabilities it is not so limited.

I have local access to many servers and still I cannot steal everything from any of those servers.
 
You don't understand the vulnerability: Someone has to break into the server and appear to be authenticated before exploiting this vulnerability. Breaking into the house isn't part of the vulnerability.
You don't understand: the biggest issue is NOT whether it's easy to get in. The biggest issue is that the PATCH that slows down the chip will be for all people and will slow down all PCs, even for people who would never have an issue with the vulnerability.

To wrap up: useful for you or not, you will get the negative aspects of the software patch.
 
Furthermore, this and many other "vulnerabilities" still need local access and need to be authenticated either of those will compromise a system anyway.

Following on from @rmcrys...

Fact 3: some of Intel's chip vulnerabilities don't require local / physical access to the machine, and surprisingly can be exploited remotely, even using JavaScript!

Both Spectre and Meltdown can be exploited using a web browser and malicious JavaScript code to take advantage of speculative execution.

And unfortunately, both Downfall and Hertzbleed can be exploited remotely, especially on servers running virtual machines.

Here's the Downfall white paper, which goes into more detail on exploiting the "secure enclave" on Intel CPUs to leak data:
https://downfall.page/media/downfall.pdf

Although certain AMD Zen-based CPUs (along with ARM CPUs) are also vulnerable to a few attacks such as Spectre and Meltdown, including through JavaScript:
https://www.securityweek.com/hackers-expected-remotely-exploit-cpu-vulnerabilities/

... regardless, it's safer to buy AMD as Intel helps the apartheid regime.
 
Following on from @rmcrys...

Fact 3: some of Intel's chip vulnerabilities don't require local / physical access to the machine, and surprisingly can be exploited remotely, even using JavaScript!

Both Spectre and Meltdown can be exploited using a web browser and malicious JavaScript code to take advantage of speculative execution.

And unfortunately, both Downfall and Hertzbleed can be exploited remotely, especially on servers running virtual machines.

Here's the Downfall white paper, which goes into more detail on exploiting the "secure enclave" on Intel CPUs to leak data:
https://downfall.page/media/downfall.pdf

Although certain AMD Zen-based CPUs (along with ARM CPUs) are also vulnerable to a few attacks such as Spectre and Meltdown, including through JavaScript:
https://www.securityweek.com/hackers-expected-remotely-exploit-cpu-vulnerabilities/
Ummm....no?

https://www.anandtech.com/show/12214/understanding-meltdown-and-spectre
These are read-only (information disclosure) attacks

That took 2 seconds to google.

https://downfall.page/#faq
[Q] What about web browsers?

[A] In theory, remotely exploiting this vulnerability from the web browser is possible. In practice, demonstrating successful attacks via web browsers requires additional research and engineering efforts.

So Downfall COULD be remote. Possibly. Not guaranteed. Assuming you share the same physical CPU, of course. It's not been demonstrated to be possible in actual production environments though.

As for hertzbleed: https://www.digitaltrends.com/compu...ability-exposes-crypto-keys-on-intel-and-amd/
"What’s perhaps more worrying is that Hertzbleed doesn’t require physical access — it can be exploited remotely......According to Intel, it takes anywhere between several hours to several days to steal a cryptographic key. If someone would still want to try, they might not even be able to, because it requires advanced high-resolution power monitoring capabilities that are difficult to replicate outside of a lab environment. Most hackers wouldn’t bother with Hertzbleed when plenty of other vulnerabilities are discovered so frequently."

So if someone manages to remotely attack with lab equipment, you can worry. Of course, you're more likely to get hit with a meteorite...twice, on the same day, AND win the lottery.

A whole lot of pearl clutching over something highly unlikely.


... regardless, it's safer to buy AMD as Intel helps the apartheid regime.
The what now? Are we going full sovereign citizen here?
 
Ummm....no?

These are read-only (information disclosure) attacks

"What’s perhaps more worrying is that Hertzbleed doesn’t require physical access — it can be exploited remotely......According to Intel, it takes anywhere between several hours to several days to steal a cryptographic key."

Thanks for proving exactly what I wrote!

The entire point of these exploits is to carry out read-only attacks, not write your own crypto keys and passwords into another machine!

And worse still, there won't be any way to tell if it has already been exploited.

Of course, you're more likely to get hit with a meteorite...twice, on the same day, AND win the lottery.

A whole lot of pearl clutching over something highly unlikely.

I don't think you understood or even read the links you posted.

There is already code available (on GitHub, for demonstration) exploiting both Hertzbleed and Downfall on an i7-9700 and i7-8700 CPU respectively; there was also a video published demonstrating the attack.

These attacks aren't that difficult if a person has enough patience, though some types of these exploits are most likely to be done by state sponsored terrorists, such as US/Israel with stuxnet.
 