The “Downfall” Effect: Intel CPUs May Leak Sensitive Information

On August 9, Intel and the discoverer of the vulnerability, Daniel Moghimi, unveiled a fresh exploit named Downfall. This newly identified attack leverages the technique of Gather Data Sampling to illicitly acquire data and confidential information from users of a computer equipped with Intel processors manufactured between the years 2014 to 2021. The affected processor range encompasses the sixth-generation Skylake up to the eleventh-generation Rocket Lake and Tiger Lake.

About the Vulnerability Used in Downfall Exploit (CVE-2022-40982)

Senior research scientist at Google, Daniel Moghimi, unveiled a pair of attack techniques named “Downfall,” targeting the recently disclosed vulnerability CVE-2022-40982 (CVSS score: 6.5), which holds a medium-severity rating. This vulnerability stems from a memory optimization feature in Intel CPUs, inadvertently causing the exposure of internal hardware registers. Through the exploitation of a specific instruction called “gather” a malicious entity sharing a computing environment could potentially infiltrate data owned by other users and applications. This encompassing data could range from sensitive banking information and encryption keys to kernel-level details.

On the webpage, Moghami provides demonstrations illustrating the extraction of 128-bit and 256-bit AES keys from users and the ability to covertly observe typed characters and extract information from the Linux kernel. He proposes that the widespread prevalence of Intel in the server market implies that the vulnerability impacts everyone on the internet, even if they do not possess an Intel-powered device. Furthermore, he highlights the potential risks in cloud computing scenarios, suggesting that a malicious customer could leverage the Downfall vulnerability to steal data and authentication details from other customers utilizing the same cloud-based computing resource. 

Researchers have previously discovered that a staggering 62% of AWS environments could be at risk from the recently disclosed Zenbleed vulnerability(CVE-2023-20593) found in AMD Zen 2 processors. This underscores the notion that the potential impact of the vulnerability on Intel CPUs could be even more profound, resembling a significant “downfall.”

Affected Processors

Systems equipped with Intel processors spanning the period from 2015 to 2019, encompassing the sixth-generation Skylake through the eleventh-generation Rocket Lake and Tiger Lake, are affected by this issue.

Intel has officially addressed this vulnerability in a security advisory labeled INTEL-SA-00828 and has reserved the CVE-2022-40982. For the complete list of affected products, check this link.

Mitigation for Downfall

Moghimi alerted Intel to the Downfall vulnerability last August, leading to Intel’s recent release of a patch to address the “gather” instruction issue. While Intel’s mitigation efforts involve microcode updates and switches, Moghimi sees these as treating symptoms rather than the core flaw. He points out that sharing internal hardware registers across security domains withoutproper isolation is the root cause of the vulnerability. This design flaw and ill-defined behaviors in certain instructions inherently expose vulnerabilities.

Consequently, the recommended mitigation strategy for users is to promptly apply updates and maintain a robust Vulnerability Intelligence. SOCRadar Vulnerability Intelligence can help you with this effort. Threat actors closely track vulnerability patterns alongside your public services and technology, seeking vulnerabilities for potential entry points. To safeguard your business from disruption, receive notifications whenever critical vulnerabilities or exploits emerge for predefined product components and associated technologies identified in your auto-discovered digital presence. Gain visibility into vulnerabilities targeted by threat actors. Obtain actionable insights and context about potentially at-risk technologies, streamlining assessment and verification procedures.