What just happened? Potentially concerning news for owners of Intel CPUs launched between 2015 and 2019: a new security vulnerability has been discovered that could allow attackers who share the same computer to steal sensitive data from users, including passwords, encryption keys, emails, and more. Fixes are on their way, but in some cases they could come with a massive performance hit.
Google researcher Daniel Moghimi discovered the new vulnerability, dubbed Downfall. He writes that it is caused by memory optimization features in Intel processors that unintentionally reveal internal hardware registers to software, allowing untrusted software to access data stored by other programs, which should not normally be accessible.
"I discovered that the Gather instruction, meant to speed up accessing scattered data in memory, leaks the content of the internal vector register file during speculative execution," wrote Moghimi.
"Memory operations to access data that is scattered in memory are very useful and make things faster, but whenever things are faster there's some type of optimization – something the designers do to make it faster," the researcher added. "Based on my past experience working on these types of vulnerabilities, I had an intuition that there could be some kind of information leak with this instruction."
Downfall affects processors with the AVX2 and AVX-512 instruction sets, which means the newer 12th-gen Alder Lake, 13th-gen Raptor Lake, and Sapphire Rapids aren't impacted. But the 6th-gen Skylake processors up to the 11th-gen Rocket Lake and Tiger Lake CPUs are at risk.
However, even those who don't own one of these processors could be vulnerable as Intel has a more than 70% share of the server market. As the researcher puts it, everyone on the internet is most likely affected. "[…] in cloud computing environments, a malicious customer could exploit the Downfall vulnerability to steal data and credentials from other customers who share the same cloud computer."
Moghimi demonstrated Downfall by stealing 128-bit and 256-bit AES keys from another user, arbitrary data from the Linux Kernel, and spying on printable characters.
Intel, which refers to the flaw as Gather Data Sampling (GDS), has already issued a security advisory (INTEL-SA-00828) and reserved CVE-2022-40982 as the CVE-ID. The company is releasing microcode for the impacted chips that blocks transient results of gather instructions and prevents attacker code from observing speculative data from Gather. The caveat is that the overhead could be as high as 50%, depending on whether Gather is in the critical execution path of a program. Intel says it has not observed reduced performance for most workloads.
There will be an opt-out mechanism in the microcode that allows the mitigation to be disabled, thereby avoiding the performance hit, but Moghimi says this is a bad idea as "even if your workload does not use vector instructions, modern CPUs rely on vector registers to optimize common operations, such as copying memory and switching register content, which leaks data to untrusted code exploiting Gather."
This is the second major vulnerability we've seen in as many weeks. Zenbleed, which affects Ryzen 3000/4000/5000 CPUs and the Epyc enterprise processors, can be used to steal sensitive data such as passwords and encryption keys. It can be carried out remotely, too.