Downfall, known as Gather Data Sampling (GDS) by Intel,[1] is a computer security vulnerability found in 6th through 11th generations of consumer and 1st through 4th generations of Xeon Intel x86-64 microprocessors.[2] It is a transient execution CPU vulnerability which relies on speculative execution of Advanced Vector Extensions (AVX) instructions to reveal the content of vector registers.[3][4]
CVE identifier(s) | CVE-2022-40982 |
---|---|
Affected hardware | 6-11th gen Intel Core CPUs |
Website | https://downfall.page/ |
Vulnerability
editIntel's Software Guard Extensions (SGX) security subsystem is also affected by this bug.[4]
The Downfall vulnerability was discovered by the security researcher Daniel Moghimi, who publicly released information about the vulnerability in August 2023, after a year-long embargo period.[5][6]
Intel promised microcode updates to resolve the vulnerability.[1] The microcode patches have been shown to significantly reduce the performance of some heavily-vectorized loads.[7]
Patches to mitigate the effects of the vulnerability have also been created as part of the forthcoming version 6.5 release of the Linux kernel.[8] They include code to disable the AVX extensions entirely on CPUs for which microcode mitigation is not available.[9]
Vendor responses
editReferences
edit- ^ a b "Gather Data Sampling / CVE-2022-40982 / INTEL-SA-00828". Intel. Retrieved 2023-08-08.
- ^ "Affected Processors: Transient Execution Attacks & Related Security..." Intel. Retrieved 2023-08-16.
- ^ Newman, Lily Hay. "New 'Downfall' Flaw Exposes Valuable Data in Generations of Intel Chips". Wired. ISSN 1059-1028. Retrieved 2023-08-08.
- ^ a b Ilascu, Ionut (2023-08-08). "New Downfall attacks on Intel CPUs steal encryption keys, data". BleepingComputer. Retrieved 2023-08-08.
- ^ Wright, Rob (2023-08-08). "Google unveils 'Downfall' attacks, vulnerability in Intel chips". Security. Retrieved 2023-08-08.
- ^ Larabel, Michael (2023-08-08). "Intel DOWNFALL: New Vulnerability Affecting AVX2/AVX-512 With Big Performance Implications". www.phoronix.com. Retrieved 2023-08-08.
- ^ Liu, Zhiye (2023-08-10). "Intel's Downfall Mitigations Drop Performance Up to 39%, Tests Show". Tom's Hardware. Retrieved 2023-08-11.
- ^ Larabel, Michael (2023-08-08). "Linux 6.5 Patches Merged For Intel GDS/DOWNFALL, AMD INCEPTION". www.phoronix.com. Retrieved 2023-08-09.
- ^ Corbet, Jonathan (August 8, 2023). "Another round of speculative-execution vulnerabilities". lwn.net. Retrieved 2023-08-11.
- ^ "CVE-2022-40982 - Gather Data Sampling - Downfall". Amazon Web Services, Inc. 2023-08-08.
- ^ "Citrix Hypervisor Security Bulletin for CVE-2023-20569, CVE-2023-34319 and CVE-2022-40982". support.citrix.com.
- ^ "DSA-2023-180: Security Update for Intel Product Update 2023.3 Advisories | Dell US". www.dell.com.
- ^ "CVE-2022-40982". security-tracker.debian.org.
- ^ "Security Bulletins | Customer Care". Google Cloud.
- ^ "Intel 2023.3 IPU – BIOS August 2023 Security Updates | HP® Customer Support".
- ^ "INTEL-SA-00828". Intel. 2023-08-08.
- ^ "Multi-vendor BIOS Security Vulnerabilities (August 2023) - Lenovo Support US". support.lenovo.com.
- ^ "KB5029778: How to manage the vulnerability associated with CVE-2022-40982 - Microsoft Support". support.microsoft.com. Retrieved 2023-09-06.
- ^ "QSB-093: Transient execution vulnerabilities in AMD and Intel CPUs (CVE-2023-20569/XSA-434, CVE-2022-40982/XSA-435)". Qubes OS Forum. August 9, 2023.
- ^ "cve-details". access.redhat.com.
- ^ "Intel Platform Update (IPU) Update 2023.3, August 2023 | Supermicro". www.supermicro.com.
- ^ "CVE-2022-40982". Ubuntu.
- ^ "VMware Response to Gather Data Sampling (GDS) - Transient Execution Side-channel vulnerability impacting Intel processors (CVE-2022-40982)". 8 August 2023.
- ^ "oss-sec: Xen Security Advisory 435 v1 (CVE-2022-40982) - x86/Intel: Gather Data Sampling". seclists.org.