Downfall Vulnerability Exposes Intel CPUs to Data and Encryption Keys Stealing

Downfall vulnerability impacts various Intel microprocessors and enables encryption keys, passwords, and other sensitive data exfiltration. The flaw was dubbed CVE-2022-40982 and was reported to Intel by security researcher Daniel Moghimi.

The researcher provided a proof-of-concept that leverages the Gather instruction in two ways.

Intel released patches for the Downfall vulnerability that impacts recently sold microprocessors and also older ones, produced even as far as 2014. However, the flaw does not affect Intel’s newest processors.

Details on the Exfiltration Methods

The Gather instruction is a memory optimization feature that helps access scattered data in memory faster. Moghimi discovered two ways to exploit the vulnerability:

• Gather Data Sampling (GDS), a method that enabled the user to exfiltrate AES 128-bit and 256-bit cryptographic keys on a separate virtual machine (VM).
• Gather Value Injection (GVI), a technique that combines GDS with the Load Value Injection (LVI) technique that was revealed in 2020.

Threat actors that are on the same physical processor core could leverage the Downfall flaw to exfiltrate:

• passwords,
• encryption keys,
• emails and messages,
• banking info.

Which Intel Products Are at Risk?

According to BleepingComputer, the vulnerability does not work on Alder Lake, Raptor Lake, and Sapphire Rapids. The three vulnerable families of processors are:

• Skylake, with Skylake, Cascade Lake, Cooper Lake, Amber Lake, Kaby Lake, Coffee Lake, Whiskey Lake, and Comet Lake.
• Tiger Lake
• Ice Lake, with Ice Lake, and Rocket Lake

General Impact and Mitigation Measures

Daniel Moghini notified Intel about his discovery on August 24th, 2022, and collaborated with them to help prevent further risk. The researcher claims that users were exposed to the Downfall flaw for more than nine years, as the impacted processors were available to the public starting in 2014.

While Intel advises users to update devices to the latest version, Moghini also had four recommendations:

• Disable simultaneous multithreading (SMT). The measure partially mitigates GDS and GVI attacks. However, the user will observe a 30% loss in performance.
• Deny affected instructions through the OS and the compiler to avoid them leaking sensitive data to Gather. Some apps could work poorly because of this.
• Disable Gather and mind the fact that software using it will work slower or crash.
• Prevent transient data forwarding once Gather can mitigate Downfall.

The Downfall vulnerability impacts billions of users worldwide. Since the proof-of-concept code is already available on GitHub, patching endpoints in a timely manner is strongly recommended.

Due to the large volume of impacted devices, automated patch management solutions help security admins save precious time and resources. Get a free demo of Heimdal`s automated patch management tool to evaluate the benefits.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.

Install and Patch Software. Close Vulnerabilities. Achieve Compliance.

Heimdal® Patch & Asset Management

Remotely and automatically install Windows, Linux and 3rd party patches and manage your software inventory.

• Create policies that meet your exact needs;
• Full compliance and CVE/CVSS audit trail;
• Gain extensive vulnerability intelligence;
• And much more than we can fit in here...

Try it for FREE today 30-day Free Trial. Offer valid only for companies.

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.