The details of a new side-channel attack targeting Intel processors were disclosed on Tuesday.
The attack, discovered by a researcher at Google and named Downfall, leverages a vulnerability tracked as CVE-2022-40982.
Similar to other CPU attack methods, Downfall can be exploited by a local attacker or a piece of malware to obtain sensitive information, such as passwords and encryption keys, belonging to the targeted device’s users.
This transient execution attack also works against cloud environments, allowing an attacker to steal data from other users on the same cloud computer.
“The vulnerability is caused by memory optimization features in Intel processors that unintentionally reveal internal hardware registers to software. This allows untrusted software to access data stored by other programs, which should not be normally be accessible,” explained
Daniel Moghimi, the Google senior research scientist who discovered the flaw.
“I discovered that the Gather instruction, meant to speed up accessing scattered data in memory, leaks the content of the internal vector register file during speculative execution. To exploit this vulnerability, I introduced Gather Data Sampling (GDS) and Gather Value Injection (GVI) techniques,” Moghimi added.
Moghimi, who reported his findings to Intel one year ago, said the GDS method is “highly practical” — he has created a proof-of-concept (PoC) exploit that can steal encryption keys from OpenSSL.
Remote attacks conducted via a web browser are theoretically also possible, but additional research is needed to demonstrate such an attack.
Intel published a security advisory on Tuesday to inform customers about CVE-2022-40982, which it has rated ‘medium severity’.
“Intel is releasing firmware updates and an optional software sequence to mitigate this potential vulnerability,” the chipmaker said.
Intel Xeon and Core processors released over the past decade are affected, and the Intel SGX hardware security feature is also impacted, according to the researcher.
Google researchers recently also disclosed Zenbleed, an AMD Zen 2 processor vulnerability that can allow an attacker to access sensitive information.
The same day Downfall was disclosed, researchers at ETH Zurich disclosed the details of Inception, an attack that leaks potentially sensitive data from anywhere in the memory of a device powered by an AMD Zen processor.
Update: Intel has provided the following statement to SecurityWeek:
“The security researcher, working within the controlled conditions of a research environment, demonstrated the GDS issue which relies on software using Gather instructions. While this attack would be very complex to pull off outside of such controlled conditions, affected platforms have an available mitigation via a microcode update. Recent Intel processors, including Alder Lake, Raptor Lake and Sapphire Rapids, are not affected. Many customers, after reviewing Intel’s risk assessment guidance, may determine to disable the mitigation via switches made available through Windows and Linux operating systems as well as VMMs.In public cloud environments, customers should check with their provider on the feasibility of these switches.”