Intel Downfall: Severe flaw in billions of CPUs leaks passwords, more | PCWorld

Q9GDYExtCh 0xloem+Q9GDYExtCh at gmail.com
Wed Aug 16 03:08:58 PDT 2023


Imagining a future of universal access. Maybe a fair playing field of
complete insecurity is more likely than the opposite.

https://www.pcworld.com/article/2025589/downfall-serious-security-vulnerability-in-billions-of-intel-cpus-how-to-protect-yourself.html

UPDATED
# Intel ‘Downfall’: Severe flaw in billions of CPUs leaks passwords and much more
There is a serious security flaw in billions of Intel CPUs that can
let attackers steal confidential data like passwords and encryption
keys. Firmware updates can fix it, but at a potentially significant
performance loss.
By Hans-Christian Dirscherl
Redakteur, PCWorld AUG 12, 2023 7:00 AM PDT

Well, this is bad. “Downfall” is the name Daniel Moghimi, a security
expert at Google, has given to a new vulnerability he has discovered
in several generations of Intel processors. Attackers can exploit the
vulnerability to read data from other programs and memory areas. The
vulnerability has already been reported as CVE-2022-40982[1] and Intel
confirmed the flaw here[2].

Moghimi reported the vulnerability to Intel on August 24, 2022, but
only made the vulnerability public on August 9, 2023 so that Intel had
time to release microcode updates that can fix the vulnerability.

Update: Intel’s Downfall was closely followed by AMD’s Inception, a
newfound security hole affecting all Ryzen and Epyc processors. The
first independent testing of the mitigation microcode patches shows
that they can drastically lower performance in certain workloads. We’ve
included details throughout this post.

## Intel’s ‘Downfall’ flaw is serious

Moghimi explains the vulnerability in detail on a dedicated Downfall
website[3], including some examples. According to him, billions of
Intel processors are affected, which are used in private user
computers as well as in cloud servers. The expert describes the
possible consequences of the gap as follows:

“This vulnerability, identified as CVE-2022-40982, enables a user to
access and steal data from other users who share the same computer.
For instance, a malicious app obtained from an app store could use the
Downfall attack to steal sensitive information like passwords,
encryption keys, and private data such as banking details, personal
emails, and messages. Similarly, in cloud computing environments, a
malicious customer could exploit the Downfall vulnerability to steal
data and credentials from other customers who share the same cloud
computer.”

Daniel Moghimi

## How the Intel Downfall vulnerability works

While you should check out Moghimi’s Downfall page for more detailed
information, here’s a high-level description of the bug:

“The vulnerability is caused by memory optimization features in Intel
processors that unintentionally reveal internal hardware registers to
software. This allows untrusted software to access data stored by
other programs, which should not normally be accessible.”

Daniel Moghimi

## How to protect yourself from Intel Downfall

Intel is already providing microcode updates to plug the security
hole. “Intel recommends that users of affected Intel Processors update
to the latest version firmware provided by the system manufacturer
that addresses these issues,” the company says.

This can lead to a loss of performance of up to 50 percent under
certain circumstances, however, as Moghimi warns. Intel comments on
the side effects of the microcode updates here[4]. The first
independent testing of the mitigation microcode, by the specialist
Linux site Phoronix, showed performance losses of up to 39 percent in
select server and ray tracing workloads. There’s an opt-out mechanism
available to avoid applying the mitigation, but Intel claims most
consumer software shouldn’t see much impact, outside of image and
video editing workloads.

## Which Intel processors are affected?

Both consumer and server processors from Intel are affected by the
flaw. For consumers, all PCs or laptops with Intel Core processors
from the 6th “Skylake” generation up to and including the 11th-gen
“Tiger Lake” chips contain the vulnerability. This means that the
vulnerability has existed since at least 2015, when Skylake was
released.

Intel’s corresponding Xeon processors are also at risk from Downfall.
Due to Intel’s dominant position in server processors, virtually every
internet user could be affected, at least indirectly.

Intel has published a list of all affected processors here[5]. You can
read a detailed technical analysis by the Google security expert in
this English-language PDF[6].

Intel’s newer 12th-gen and 13th-gen Core processors are not affected.

[Here the article contains an AI search box with example questions
regarding the vulnerability.]

The newly discovered Downfall vulnerability is reminiscent of the
legendary Meltdown and Spectre[7] vulnerabilities from 2018.

Update: Intel’s Downfall was closely followed by AMD’s Inception: Many
Ryzen CPUs from Intel’s archrival also have a serious security hole[8]
that allows attackers to spy on third-party data. It is classified as
CVE-2023-20569[9] and was discovered by scientists from ETH Zurich.
Detailed information about this AMD vulnerability can be found on this
website[10].

[
Here are some further links regarding Inception from [10]:

Although TTE attacks are interesting, they are not necessarily trivial
to pull off, due to the need for specific gadgets in the victim code.
Instead of these hard-to-find gadgets, what if there was an easier way
to achieve a transient window for training? This is where Phantom
speculation comes in. Phantom (CVE-2022-23825[11]) enables an attacker
to create a transient window at arbitrary instructions. Suddenly, a
seemingly harmless XOR instruction can behave like a call instruction,
and allow the attacker to create a transient window.
…
A paper[12] about Inception is going to be presented at USENIX
Security 2023[13] and a paper[14] about Phantom speculation is going
to be presented at MICRO 2023[15]. You can find the source code of
Inception on our Github[16]. We will publish the source code of
Phantom at a later date.
]

According to the researchers, all Zen processors are affected. This
means all Ryzen and Epyc CPUs released by AMD over the years contain
the Inception security vulnerability. AMD recommends installing
microcode updates. Microsoft distributed a Windows update in July that
closes this gap. “AMD believes this vulnerability is only potentially
exploitable locally, such as via downloaded malware, and recommends
customers employ security best practices, including running up-to-date
software and malware detection tools,” AMD says.
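Both the Downfall section above (“How to protect yourself”) and the Inception paragraph tell readers to install microcode updates, but the article does not say how to confirm that a given machine actually has the mitigation in place. As an added check, not code from the PCWorld article, Intel, AMD or the researchers: on Linux the kernel reports its own view of each issue in one text file per vulnerability under /sys/devices/system/cpu/vulnerabilities/, named gather_data_sampling for Downfall (GDS) and spec_rstack_overflow for Inception (SRSO). The script below reads those files and reduces the kernel's status strings to a three-way verdict. The strings it matches ("Not affected", "Mitigation: Microcode", "Vulnerable: No microcode", "Unknown: Dependent on hypervisor status" and so on) are the ones the kernel itself prints; a missing file is reported as "absent" and treated as unknown, because a kernel that predates the mitigation cannot have applied it. The VULN_DIR override and the exit-status convention are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the article or the researchers: summarise the Linux
# kernel's self-reported mitigation status for Downfall (GDS) and Inception
# (SRSO). Each issue is exposed as a single text file under sysfs.
# VULN_DIR can be overridden (e.g. for testing against a copied tree).
VULN_DIR=${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}

# classify_status STATUS_LINE -> ok | vulnerable | unknown
# Anything the kernel labels a mitigation (including "Mitigation: Microcode
# (locked)" for GDS and "Mitigation: safe RET" for SRSO) counts as ok; anything
# it labels vulnerable (e.g. "Vulnerable: No microcode", which means the
# firmware update from the article has not been installed) counts as
# vulnerable; everything else, including "Unknown: Dependent on hypervisor
# status" inside a VM and a missing file, is unknown and should be treated as
# unmitigated until proven otherwise.
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation: "*) echo ok ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# read_status ISSUE -> the file's content, or "absent" when the running kernel
# has no entry for this issue (too old to know about it, so no mitigation).
read_status() {
    f="$VULN_DIR/$1"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo absent
    fi
}

# report -> prints one line per issue and returns 1 if any verdict is not ok,
# so the script can be dropped into a fleet inventory or CI job.
report() {
    rc=0
    for issue in gather_data_sampling spec_rstack_overflow; do
        status=$(read_status "$issue")
        verdict=$(classify_status "$status")
        [ "$verdict" = ok ] || rc=1
        printf '%-22s %-10s %s\n' "$issue" "$verdict" "$status"
    done
    return $rc
}

report || echo "at least one issue is not mitigated on this host"
```

Note that sysfs only reflects what the kernel knows: on a host where the GDS file reads "Vulnerable: No microcode", the fix is the firmware update the article describes, and on a guest where it reads "Unknown: Dependent on hypervisor status" the question has to be put to the cloud provider.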

This article was translated from German to English and originally
appeared on pcwelt.de. It originally published on August 9, 2023, but
was updated to mention AMD’s Inception bug and the first independent
performance testing of the mitigation microcode.

[
Here are more links regarding Downfall from [3]:

[Q] How can I learn more about Downfall?

[A] In addition to the technical paper[6], I am presenting Downfall at
the BlackHat USA on August 9th, 2023[17] and USENIX Security Symposium
on August 11, 2023[18].

[Q] Can I play with Downfall?

[A] Here is the code: https://github.com/flowyroll/downfall/tree/main/POC[19]

[Q] Why is this called Downfall?

[A] Downfall defeats fundamental security boundaries in most computers
and is a successor to previous data leaking vulnerabilities in CPUs
including Meltdown[20] and Fallout (AKA MDS)[21]. In this trilogy,
Downfall defeats all previous mitigations once again.

[Q] How did you create the logo?

[A] I used the DALL·E 2 AI[22] system to create the logo.
]

1: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982
2: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html
3: https://downfall.page/
4: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/resources/gds-mitigation-performance-analysis.html
5: https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
6: https://downfall.page/media/downfall.pdf [attached]
7: https://www.pcworld.com/article/407763/intel-x86-cpu-kernel-bug-faq-how-it-affects-pc-mac.html
8: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7005.html
9: https://nvd.nist.gov/vuln/detail/CVE-2023-20569
10: https://comsec.ethz.ch/research/microarch/inception/
11: https://www.cve.org/CVERecord?id=CVE-2022-23825
12: https://comsec.ethz.ch/wp-content/files/inception_sec23.pdf [attached]
13: Link was broken, found from websearch, event already passed:
https://www.usenix.org/conference/usenixsecurity23
14: https://comsec.ethz.ch/wp-content/files/phantom_micro23.pdf [attached]
15: Toronto, CA https://microarch.org/micro56/
16: https://github.com/comsec-group/inception
17: https://www.blackhat.com/us-23/briefings/schedule/
18: https://www.usenix.org/conference/usenixsecurity23/presentation/moghimi
19: https://github.com/flowyroll/downfall/tree/main/POC
20: https://meltdownattack.com/
21: https://mdsattacks.com/
22: https://openai.com/dall-e-2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: downfall.pdf
Type: application/pdf
Size: 337607 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20230816/45030447/attachment-0003.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: inception_sec23.pdf
Type: application/pdf
Size: 419865 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20230816/45030447/attachment-0004.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: phantom_micro23.pdf
Type: application/pdf
Size: 343904 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20230816/45030447/attachment-0005.pdf>