Downfall Bug in Billions of Intel CPUs Reveals Major Design Flaw

Published: 23/11/2024   Category: security

A newly revealed flaw affects a good chunk of the world's computers. A patch has been released, but broad, structural change in CPU design will be required to address the root cause.



BLACK HAT USA – Las Vegas – Wednesday, Aug. 9

Billions of computers running on Intel processors are vulnerable to data leakage between users sharing a computer or cloud environment. CPUs developed by other vendors could be exposed, as well. It's a class of security vulnerabilities that showcases the exploitable lack of hardware isolation in most chipmakers' offerings.
In an Aug. 9 presentation at Black Hat, Daniel Moghimi, senior research scientist at Google, revealed Downfall, two related methods of attack against CVE-2022-40982, a newly revealed medium-severity-rated vulnerability. The bug comes from a memory optimization feature in Intel CPUs that accidentally leaks internal hardware registers. By exploiting a particular instruction — gather — a malicious actor in a shared computing environment could gain access to data belonging to other users and applications, be it banking details, encryption keys, or information within the kernel.
Downfall affects all devices running Intel processors that were manufactured between 2014 and 2021 (Intel offered the full list of affected and unaffected models in its vulnerability advisory).
"Only the very recent 12th-gen Intel CPUs are not affected," Moghimi tells Dark Reading, "but these have hardly made their way into the cloud and consumer devices in 2022–23."
Gauging just how many of the world's computers are affected by Downfall is a daunting task. Because Intel controls a majority of the global market share for CPUs, Moghimi estimates there are between 1.5 and 2 billion affected devices, and even that may not cover the full extent of it.
"I only claim that Intel is directly affected by this finding, but other CPU vendors may have similar issues," he adds. In fact, after discovering Downfall, another Google researcher revealed Zenbleed, a similar finding affecting processors developed by Intel's competitor, AMD.
Downfall actually originates in a memory optimization feature of Intel x86 processors — the single instruction, multiple data (SIMD) register buffer. The SIMD register buffer stores data from different applications, enabling faster parallel processing.
With the gather instruction — which allows the processor to efficiently collect scattered data from memory — Moghimi discovered that he could, on behalf of one user or application, access data stored in the register by another. He developed two techniques for leveraging gather: Gather Data Sampling (GDS) and Gather Value Injection (GVI).
"GDS is highly practical," he wrote in a blog post released ahead of his Black Hat session. "It took me two weeks to develop an end-to-end attack stealing encryption keys from OpenSSL," he added, noting that the method "defeats fundamental security boundaries in most computers."
All kinds of attacks could derive from this premise. A hacker could exploit gather to steal data from other users in the same cloud environment. Or a malicious application might use it to steal any kind of sensitive information stored in other apps installed on the same machine.
And while the attack only occurs between users sharing a single processor core, Moghimi noted that in theory, remotely exploiting this vulnerability from the Web browser is possible.
Since Moghimi disclosed Downfall to Intel last August, the company has been working on a fix. The company finally released a patch on Tuesday, closing off the leak afforded by manipulating the gather instruction.
"The security researcher, working within the controlled conditions of a research environment, demonstrated the GDS issue which relies on software using Gather instructions," Intel said in a statement to Dark Reading. "While this attack would be very complex to pull off outside of such controlled conditions, affected platforms have an available mitigation via a microcode update. Recent Intel processors, including Alder Lake, Raptor Lake and Sapphire Rapids, are not affected. Many customers, after reviewing Intel's risk assessment guidance, may determine to disable the mitigation via switches made available through Windows and Linux operating systems as well as VMMs. In public cloud environments, customers should check with their provider on the feasibility of these switches."
But the way Moghimi sees it, that adjustment is more of a treatment than a cure for the underlying problem. 
"There is a fundamental flaw here," he says, "which is that these internal hardware registers/memory units are shared across different security domains without much isolation within the hardware. As soon as you have an instruction/operation with not so well-defined behavior, this kind of design is going to expose some vulnerabilities."
Without better isolation within the hardware, he continues, more stories like Downfall and Zenbleed will follow. "I would not be surprised if people find such issues in ARM CPUs. I would also not be surprised if someone finds out another instruction on x86 that can leak from Intel and AMD CPUs again. The current microcode fixes only modify the behavior of the instruction that leaks, but those buffers are still shared inside the CPU, and it is a matter of time until someone finds another way to exploit them."
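Both Intel's statement and Moghimi's closing remark turn on the same practical fact: the fix is a microcode update, and the operating system reports whether it is in place and lets administrators switch it off. The script below is an added example, not code from the article, Intel or the researcher; it classifies the Downfall status line that, as far as I know, the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities/gather_data_sampling (that path and the status strings are my assumption, not something the article states), so a fleet check can flag hosts still running without the microcode.

```shell
#!/bin/sh
# Added example, not code from the article or Intel. Assumption: a Linux
# kernel that knows about Downfall reports its state in the sysfs file below
# using the status strings matched in classify_gds_status.
GDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling

# classify_gds_status STATUS_LINE
# Prints one word: not-affected, mitigated, exposed or unknown.
classify_gds_status() {
    case "$1" in
        "Not affected")              echo not-affected ;;
        "Mitigation: Microcode"*)    echo mitigated ;;   # microcode applied
        "Mitigation: AVX disabled"*) echo mitigated ;;   # gather unusable: AVX off
        "Vulnerable"*)               echo exposed ;;     # includes "No microcode"
        *)                           echo unknown ;;     # hypervisor-dependent, etc.
    esac
}

# read_gds_status [FILE]: the kernel's status line, or a fallback when the
# kernel predates GDS reporting (it then cannot tell us either way).
read_gds_status() {
    f="${1:-$GDS_SYSFS}"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo "Unknown: kernel does not report gather_data_sampling"
    fi
}

# Constructed sample lines (the shapes the kernel uses) for a dry run.
demo_classify_samples() {
    for s in "Not affected" "Mitigation: Microcode" \
             "Mitigation: AVX disabled, no microcode" \
             "Vulnerable: No microcode" \
             "Unknown: Dependent on hypervisor status"; do
        printf '%-42s -> %s\n' "$s" "$(classify_gds_status "$s")"
    done
}

# Check this host; a host classified "exposed" still needs the microcode update.
host_status=$(read_gds_status)
echo "this host: $host_status -> $(classify_gds_status "$host_status")"
demo_classify_samples
```

A host that reports "mitigated" via "AVX disabled" has the leak closed only because gather cannot run at all, which is the trade-off Intel's statement alludes to when it mentions customers choosing to disable the mitigation.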
