‘Kernel memory leaking’ Intel processor design flaw

https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

A fundamental design flaw in Intel’s processor chips, related to the virtual memory system (Intel x86-64 hardware), allows normal user programs (even JavaScript in web browsers) to discern to some extent the layout or contents of protected kernel memory areas.

It is understood the bug is present in modern Intel processors produced in the past decade. It appears a microcode update can’t address it, so it has to be fixed in software at the OS level. This has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug, which is expected to cause a 5 to 30 per cent slowdown of your computer on the next update!

Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday. Patches for the Linux kernel are available. Apple’s 64-bit macOS will also need to be updated.

This is bad news for Intel. Last year they had the AMT vulnerability remote exploit, and now this new blow to Intel security. I don’t think computer buyers like their computers becoming slower!

Details of the vulnerability within Intel’s silicon are under wraps and are expected to be released later this month – so follow the comments for updates.

565 Comments

  1. Tomi Engdahl says:

    Lily Hay Newman / Wired:
    Intel fixes a flaw found by a Google researcher that could let attackers steal passwords and other secrets, affecting Skylake, Tiger Lake, and Ice Lake chips — The vulnerability could allow attackers to take advantage of an information leak to steal sensitive details like private messages, passwords, and encryption keys.

    New ‘Downfall’ Flaw Exposes Valuable Data in Generations of Intel Chips
    https://www.wired.com/story/downfall-flaw-intel-chips/

    The vulnerability could allow attackers to take advantage of an information leak to steal sensitive details like private messages, passwords, and encryption keys.

    Intel is releasing fixes for a processor vulnerability that affects many models of its chips going back to 2015, including some that are currently sold, the company revealed today. The flaw does not impact Intel’s latest processor generations. The vulnerability could be exploited to circumvent barriers meant to keep data isolated, and therefore private, on a system. This could allow attackers to grab valuable and sensitive data from victims, including financial details, emails, and messages, but also passwords and encryption keys.

    It’s been more than five years since the Spectre and Meltdown processor vulnerabilities sparked a wave of revisions to computer chip designs across the industry. The flaws represented specific bugs but also conceptual data protection vulnerabilities in the schemes chips were using to make data available for processing more quickly and speed that processing. Intel has invested heavily in the years since these so-called speculative execution issues surfaced to identify similar types of design issues that could be leaking data. But the need for speed remains a business imperative, and both researchers and chip companies still find flaws in efficiency measures.

    This latest vulnerability, dubbed Downfall by Daniel Moghimi, the Google researcher who discovered it, occurs in chip code that can use an instruction known as Gather to access scattered data more quickly in memory. Intel refers to the flaw as Gather Data Sampling after one of the techniques Moghimi developed to exploit the vulnerability. Moghimi will present his findings at the Black Hat security conference in Las Vegas on Wednesday.

    “Memory operations to access data that is scattered in memory are very useful and make things faster, but whenever things are faster there’s some type of optimization—something the designers do to make it faster,” Moghimi says. “Based on my past experience working on these types of vulnerabilities, I had an intuition that there could be some kind of information leak with this instruction.”

    The vulnerability affects the Skylake chip family, which Intel produced from 2015 to 2019; the Tiger Lake family, which debuted in 2020 and will discontinue early next year; and the Ice Lake family, which debuted in 2019 and was largely discontinued in 2021. Intel’s current generation chips—including those in the Alder Lake, Raptor Lake, and Sapphire Rapids families—are not affected, because attempts to exploit the vulnerability would be blocked by defenses Intel has added recently.

    The fixes are being released with an option to disable them because of the potential that they could have an intolerable impact on performance for certain enterprise users. “For most workloads, Intel has not observed reduced performance due to this mitigation. However, certain vectorization-heavy workloads may see some impact,” Intel said in a statement.

    Releasing fixes for vulnerabilities like Downfall is always complicated, because in most cases, they must funnel through each manufacturer who makes devices that incorporate the affected chips, before actually reaching computers. These device-makers take code provided by Intel and create tailored patches that can then be downloaded by users. After years of releasing fixes in this complex ecosystem, Intel is practiced at coordinating the process, but it still takes time. Moghimi first disclosed Downfall to Intel a year ago.

    Moghimi also notes that it is difficult to detect Downfall attacks, because they mostly manifest as benign software activity. He adds, though, that it might be possible to develop a detection system that monitors hardware behavior for signs of abuse like unusual cache activity.

    Intel says that it would be “complex” and difficult to carry out Downfall attacks in real-world conditions, but Moghimi emphasizes that it took him only a few weeks to develop proofs of concept for the attack. And he says that relative to other speculative execution vulnerabilities and related bugs, Downfall would be one of the more doable flaws for a motivated and well-resourced attacker to exploit.

    “This vulnerability enables an attacker to essentially spy on other processes and steal data by analyzing the data leak over time for a combination of patterns that indicates the information the attacker is looking for, like login credentials or encryption keys,” Moghimi says. He adds that it would likely take time, on the scale of hours or even weeks, for an attacker to develop the pattern or fingerprint of the data they’re looking for, but the payoff would be significant.

  2. Tomi Engdahl says:

    Nearly All Modern CPUs Leak Data to New Collide+Power Side-Channel Attack
    https://www.securityweek.com/nearly-all-modern-cpus-leak-data-to-new-collidepower-side-channel-attack/

    A new power side-channel attack named Collide+Power can allow an attacker to obtain sensitive information and it works against nearly any modern CPU.

    A new side-channel attack method that can lead to data leakage works against nearly any modern CPU, but we’re unlikely to see it being used in the wild any time soon.

    The research was conducted by a group of eight researchers representing the Graz University of Technology in Austria and the CISPA Helmholtz Center for Information Security in Germany. Some of the experts involved in the research discovered the notorious Spectre and Meltdown vulnerabilities, as well as several other side-channel attack methods.

    The new attack, dubbed Collide+Power, has been compared to Meltdown and a type of vulnerability named Microarchitectural Data Sampling (MDS).

    Collide+Power is a generic software-based attack that works against devices powered by Intel, AMD or Arm processors and it’s applicable to any application and any type of data. The chipmakers are publishing their own advisories for the attack and the CVE-2023-20583 has been assigned.

    However, the researchers pointed out that Collide+Power is not an actual processor vulnerability — it abuses the fact that some CPU components are designed to share data from different security domains.

    An attacker can leverage such shared CPU components to combine their own data with data from user applications. The attacker measures CPU power consumption over thousands of iterations while changing the data they control, which enables them to determine the data associated with the user applications.

    An unprivileged attacker — for instance, by using malware planted on the targeted device — can leverage the Collide+Power attack to obtain valuable data such as passwords or encryption keys.

    The researchers noted that the Collide+Power attack enhances other power side-channel signals, such as the ones used in the PLATYPUS and Hertzbleed attacks.

    The researchers have published a paper detailing their work, as well as a dedicated Collide+Power website that summarizes the findings.

    https://collidepower.com/

  3. Tomi Engdahl says:

    Downfall: New Intel CPU Attack Exposing Sensitive Information
    https://www.securityweek.com/downfall-new-intel-cpu-attack-exposing-sensitive-information/

    Google researcher discloses the details of an Intel CPU attack method named Downfall that may be remotely exploitable.

    The details of a new side-channel attack targeting Intel processors were disclosed on Tuesday.

    The attack, discovered by a researcher at Google and named Downfall, leverages a vulnerability tracked as CVE-2022-40982.

    Similar to other CPU attack methods, Downfall can be exploited by a local attacker or a piece of malware to obtain sensitive information, such as passwords and encryption keys, belonging to the targeted device’s users.

    This transient execution attack also works against cloud environments, allowing an attacker to steal data from other users on the same cloud computer.

    “The vulnerability is caused by memory optimization features in Intel processors that unintentionally reveal internal hardware registers to software. This allows untrusted software to access data stored by other programs, which should not be normally be accessible,” explained

    Moghimi, who reported his findings to Intel one year ago, said the GDS method is “highly practical” — he has created a proof-of-concept (PoC) exploit that can steal encryption keys from OpenSSL.

    Remote attacks conducted via a web browser are theoretically also possible, but additional research is needed to demonstrate such an attack.

    Intel published a security advisory on Tuesday to inform customers about CVE-2022-40982, which it has rated ‘medium severity’.

    “Intel is releasing firmware updates and an optional software sequence to mitigate this potential vulnerability,” the chipmaker said.

    Intel Xeon and Core processors released over the past decade are affected, and the Intel SGX hardware security feature is also impacted, according to the researcher.

    The same day Downfall was disclosed, researchers at ETH Zurich disclosed the details of Inception, an attack that leaks potentially sensitive data from anywhere in the memory of a device powered by an AMD Zen processor.

  4. Tomi Engdahl says:

    Endpoint Security
    New ‘Inception’ Side-Channel Attack Targets AMD Processors
    https://www.securityweek.com/new-inception-side-channel-attack-targets-amd-processors/

    Researchers have disclosed the details of a new side-channel attack targeting AMD CPUs named Inception.

    Researchers on Tuesday disclosed the details of a new CPU side-channel attack named Inception that impacts AMD processors.

    The Inception attack method was discovered by a team of researchers from the ETH Zurich university in Switzerland. It allows a local attacker to leak potentially sensitive data, such as passwords or encryption keys, from anywhere in the memory of a computer powered by an AMD Zen processor.

    Inception is a transient execution attack that leverages a method named Training in Transient Execution (TTE) and an attack dubbed Phantom Speculation (CVE-2022-23825).

    “As in the movie of the same name, Inception plants an ‘idea’ in the CPU while it is in a sense ‘dreaming’, to make it take wrong actions based on supposedly self conceived experiences. Using this approach, Inception hijacks the transient control-flow of return instructions on all AMD Zen CPUs,” the researchers explained.

    They have published separate papers detailing the Inception and Phantom attacks. For Inception, they have also made available proof-of-concept (PoC) source code and a video showing the exploit in action.

    Inception: how a simple XOR can cause a Microarchitectural Stack Overflow
    https://comsec.ethz.ch/research/microarch/inception/

    Over the past one and a half years, we have studied two phenomena that enable an unprivileged attacker to leak arbitrary information on all modern AMD CPUs:

    Phantom speculation: We can trigger misprediction without any branch at the source of the misprediction.
    Training in Transient Execution: We can manipulate future mispredictions through a previous misprediction that we trigger.

    Putting the two together gives rise to a new type of attack called Inception: we can inject future mispredictions through a previous misprediction that we trigger — in the absence of branches. You can see a demo of Inception and find more information about the issues below:

    Inception (CVE-2023-20569) is a novel transient execution attack that leaks arbitrary data on all AMD Zen CPUs in the presence of all previously deployed software- and hardware mitigations. As in the movie of the same name, Inception plants an “idea” in the CPU while it is in a sense “dreaming”, to make it take wrong actions based on supposedly self conceived experiences. Using this approach, Inception hijacks the transient control-flow of return instructions on all AMD Zen CPUs.

    https://www.cve.org/CVERecord?id=CVE-2023-20569

    https://comsec.ethz.ch/research/microarch/inception/
    https://github.com/comsec-group/inception

    INCEPTION: Exposing New Attack Surfaces with Training in Transient Execution
    https://comsec.ethz.ch/wp-content/files/inception_sec23.pdf

    Phantom: Exploiting Decoder-detectable Mispredictions
    https://comsec.ethz.ch/wp-content/files/phantom_micro23.pdf

    AMD has published an advisory confirming that an Inception attack can lead to information disclosure.

    Return Address Security Bulletin
    https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7005.html

    Bulletin ID: AMD-SB-7005
    Potential Impact: Data Confidentiality
    Severity: Medium

    AMD has received an external report titled ‘INCEPTION’, describing a new speculative side channel attack. The attack can result in speculative execution at an attacker-controlled address, potentially leading to information disclosure. This attack is similar to previous branch prediction-based attacks like Spectrev2 and Branch Type Confusion (BTC)/RetBleed. As with similar attacks, speculation is constrained within the current address space and to exploit, an attacker must have knowledge of the address space and control of sufficient registers at the time of RET (return from procedure) speculation. Hence, AMD believes this vulnerability is only potentially exploitable locally, such as via downloaded malware, and recommends customers employ security best practices, including running up-to-date software and malware detection tools.

    AMD is not aware of any exploit of ‘Inception’ outside the research environment at this time.

    CVE Details

    CVE-2023-20569

    A side channel vulnerability in some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled instruction pointer register, potentially leading to information disclosure.
    Mitigation

    AMD recommends customers apply either the standalone µcode patch or a BIOS update that incorporates the µcode patch, as applicable, for products based on “Zen 3” and “Zen 4” CPU architectures. AMD plans to release updated AGESA™ versions to Original Equipment Manufacturers (OEM), Original Design Manufacturers (ODM) and motherboard manufacturers (MB) on the target dates listed below. Please refer to your OEM, ODM, or MB for a BIOS update specific to your product, which will follow after the dates listed below, as applicable. No µcode patch or BIOS update, which includes the µcode patch, is necessary for products based on “Zen” or “Zen 2” CPU architectures because these architectures are already designed to flush branch type predictions from the branch predictor.

    Operating system (OS) configuration options may also be available to help mitigate certain aspects of this vulnerability. AMD recommends users evaluate their risk environment (including the risk of running untrusted local code) when deciding on OS mitigation options and refer to OS-specific documentation for guidance. “Zen 3” and “Zen 4” based systems will require the µcode patch, which is incorporated in the BIOS update, prior to enabling OS configuration options.

  5. Tomi Engdahl says:

    Nearly every AMD CPU since 2017 vulnerable to Inception data-leak attacks https://www.theregister.com/2023/08/09/amd_inception/

    AMD processor users, you have another data-leaking vulnerability to deal with: like Zenbleed, this latest hole can be used to steal sensitive data from a running vulnerable machine.

    The flaw (CVE-2023-20569), dubbed Inception in reference to the Christopher Nolan flick about manipulating a person’s dreams to achieve a desired outcome in the real world, was disclosed by ETH Zurich academics this week.

  6. Tomi Engdahl says:

    Intel Releases a Patch for ‘Downfall’ Vulnerability Affecting Billions of CPUs
    There are no free lunches, though, so the fix for this bug comes with a performance penalty.
    https://www.extremetech.com/internet/intel-releases-a-patch-for-downfall-vulnerability-affecting-billions-of

    Intel has released a patch to plug a gaping hole in the security of older CPUs—specifically, those made from 2015 to 2019, aka Skylake to Tiger Lake. The vulnerability allowed a person sharing a computer with another person to steal “high-value credentials” such as passwords and encryption keys. Though most of us don’t usually share a computer with another person, it’s a standard scenario in cloud computing, with many clients accessing the same hardware simultaneously. Unfortunately, Intel’s fix comes with a performance penalty.

    The vulnerability affecting billions of Intel CPUs was discovered by Daniel Moghimi, who is a Senior Research Scientist at Google. According to the site Mr. Moghimi made for the bug, the vulnerability essentially allows sensitive data to move between two users sharing the same physical CPU cores, a common scenario in a cloud computing environment. It’s due to a memory optimization feature in older Intel CPUs whereby internal hardware registers are inadvertently exposed to software, allowing a malicious actor to steal sensitive information from whoever is sharing the computer’s resources. Intel states in its security bulletin that it’s not aware of this attack being used outside of a “controlled lab environment.”

  7. Tomi Engdahl says:

    Linux Creator Expresses “Frustration” Towards AMD’s fTPM Bugs, Calls To Disable Feature
    https://wccftech.com/linux-creator-expresses-frustration-towards-amds-ftpm-bugs-calls-to-disable-feature/

    AMD’s fTPM issues are well-known in the industry, often causing system crashes and freezing. Linux’s creator Linus Torvalds has expressed his disappointment towards the feature, labeling it a “plague” for the kernel.

    AMD’s fTPM Issues Have A Long History, Emerging With The Release of Windows 11

    For a quick recap, Trusted Platform Module or TPM is a security check which has been made a necessity to be enabled for the latest version of Windows 11. While the intention behind this move is for the consumer’s benefit, the feature brought several problems. The main problems that fTPM brought were random stuttering and lagging. Moreover, several users also experienced jittering and disruptions while gaming. While the problem did occur in the Intel platform, most of the issues were on AMD, which still persist today.

  8. Tomi Engdahl says:

    Fed-up Torvalds suggests disabling AMD’s ‘stupid’ performance-killing fTPM RNG
    Some Ryzen Linux machines still stumble along despite efforts to fix it all
    https://www.theregister.com/2023/07/31/linus_torvalds_ftpm/

  9. Tomi Engdahl says:

    Gather Data Sampling / CVE-2022-40982 / INTEL-SA-00828
    https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/gather-data-sampling.html
    Key Takeaways
    • Intel is providing a microcode update to mitigate GDS. No software changes are required to enable the mitigation.
    • Users should carefully consider the threat model applicable to their systems when deciding whether and where to mitigate GDS.
    • Intel is not aware of any instance of any of this vulnerability being exploited outside a controlled lab environment.
    • Operating system vendors (OSVs) provide options to opt out of the GDS mitigation.

    Gather Data Sampling (GDS) is a transient execution side channel vulnerability affecting certain Intel processors. In some situations when a gather instruction performs certain loads from memory, it may be possible for a malicious attacker to use this type of instruction to infer stale data from previously used vector registers. Similar to data sampling transient execution attacks like Microarchitectural Data Sampling (MDS), GDS may allow a malicious actor who can locally execute code on a system to infer the values of secret data which is otherwise protected by architectural mechanisms. GDS differs from the MDS vulnerabilities in both the method of exposure (which is limited to the set of gather instructions), and in the data exposed (stale vector register data only). Neither MDS nor GDS, by themselves, provide malicious actors the ability to choose which data is inferred using these methods.
    GDS is assigned CVE-2022-40982, with a CVSS Base Score of 6.5 (Medium): CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N.
    Intel is providing a microcode update to mitigate GDS. No software changes are required to enable the mitigation. System administrators, application developers, and users should carefully consider the threat model applicable to their systems when deciding whether and where to mitigate GDS. Based on the environmental threat model, users may disable the GDS mitigation with options provided by operating system vendors (OSVs).
    Intel is not aware of any instance of any of this vulnerability being exploited outside a controlled lab environment.
    Malicious software may be able to infer data previously stored in vector registers used by either the same thread, or the sibling thread on the same physical core. These registers may have been used by other security domains such as other virtual machine (VM) guests, the operating system (OS) kernel, or Intel® Software Guard Extensions (Intel® SGX) enclaves. Note that no processors that support Intel® Trust Domain Extension (Intel® TDX) are affected by GDS.
    Mitigation
    Intel is releasing a microcode update which blocks transient results of gather instructions to prevent attacker code from observing speculative results of gather loads. The mitigation is enabled by default when the patch is loaded, and cross-thread exposure is mitigated even with hyperthreading enabled. The microcode update provides an MSR interface that allows software to opt-out of the mitigation.
    On processors affected by GDS, if Intel SGX is enabled and hyperthreading is disabled, loading the updated microcode will mitigate any potential direct attacks using GDS against Intel SGX enclaves. If Intel SGX is not enabled or if hyperthreading is enabled, the mitigation will not be locked, and system software can choose to enable or disable the GDS mitigation. There will be an Intel SGX TCB Recovery for those Intel SGX-capable affected processors.
    No processors that support Intel TDX are affected by GDS.
    Refer to the 2022-2023 tab of the consolidated Affected Processors table: Gather Data Sampling column.
    Affected Processors: Guidance for Security Issues on Intel® Processors
    This table shows the impact of transient execution attacks (formerly speculative execution side channel methods) and select security issues on currently supported Intel products, disclosed in 2018-2021, including recommended mitigation where affected.
    https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html

  10. Tomi Engdahl says:

    Companies Respond to ‘Downfall’ Intel CPU Vulnerability https://www.securityweek.com/companies-respond-to-downfall-intel-cpu-vulnerability/

    Several major companies have published advisories in response to the Downfall vulnerability affecting Intel CPUs.

    Related for AMD: *Zenbleed: new hardware vulnerability in AMD CPUs* https://www.kaspersky.com/blog/zenbleed-vulnerability/48836/

  11. Tomi Engdahl says:

    https://www.securityweek.com/companies-respond-to-downfall-intel-cpu-vulnerability/
    The OpenSSL Project published a blog post this week pointing out that while the Downfall attack has been demonstrated against OpenSSL, it’s “highly general microarchitectural side-channel attack which can compromise the security of essentially any software”.
    “Because OpenSSL provides accelerated implementations of many cryptographic primitives using x86 SIMD instructions, if an attacker executes an attack using this vulnerability on a process performing cryptographic operations using OpenSSL, there is an elevated risk that the information they are able to extract will include cryptographic key material or plaintexts, as this material is likely to have been recently processed in the victim process using SIMD instructions. In other words, the risk to key material or other cryptographic material is particularly high,” the OpenSSL Project explained.
    OpenSSL Statement on the Recent Intel/AMD Downfall/Inception Vulnerabilities
    https://www.openssl.org/blog/blog/2023/08/15/downfall/
    What this attack enables
    If an attacker can obtain local (but unprivileged) execution on a machine with an affected CPU, and they are able to schedule that process on the same physical core as another process, and they are able to execute AVX instructions, you should assume they are able to obtain read access to any information stored within that process’s memory.
    It should be stressed that this attack is entirely dependent on an adversary being able to execute code on the same physical system as a victim process; therefore, systems which only execute code installed by trusted parties are not at risk. However, virtual machines (in the absence of the mitigations advised below) are not an effective protection.
    The requirement for executing on the same physical core as a victim process can be met either by OS context switching or via hyperthreading.
    Because OpenSSL provides accelerated implementations of many cryptographic primitives using x86 SIMD instructions, if an attacker executes an attack using this vulnerability on a process performing cryptographic operations using OpenSSL, there is an elevated risk that the information they are able to extract will include cryptographic key material or plaintexts, as this material is likely to have been recently processed in the victim process using SIMD instructions. In other words, the risk to key material or other cryptographic material is particularly high.
    However, this does not mean that other information stored in a process is not vulnerable to compromise and we would recommend that users assume that all information stored in a vulnerable process is accessible to an attacker. While there are potentially limitations to the exploitation techniques published, the qualifiers to any such limitations are sufficiently complex to be unable to make assurances in any particular area.
    Recommended mitigation
    The following mitigations are available:
    • Intel have released microcode updates for affected CPUs and the best course of action to mitigate these vulnerabilities is to deploy these microcode updates as soon as possible.
    • In the absence of the ability to deploy these microcode updates, an alternative mitigation is to disable the ability to use AVX instructions in any untrusted process. This will generally require an OS update; for example, a mitigation patch is now available for the Linux kernel which allows this to be configured. Disabling AVX may break applications which have been designed or compiled under the assumption that AVX is available.
    It should be emphasised that a victim process does not need to execute AVX instructions to be affected. Exploitation can only be mitigated by preventing an attacker process from executing AVX instructions.
    The immediate indicated mitigation action is to install the microcode updates providing mitigation for this vulnerability provided by Intel, or system firmware updates incorporating those microcode updates provided by your system vendor. Further information on how to deploy these microcode updates is available below.
    The disabling of AVX should be seen as a fallback mitigation where it is not feasible to deploy these microcode or system firmware updates.
    The following are not effective mitigations:
    • A victim process cannot render itself immune to exploitation by refraining from use of AVX instructions, or all SIMD instructions. While the Downfall vulnerability targets code which makes use of 128-bit or wider data accesses, this includes the standard x86 XSAVE instruction which OS kernels use to save and restore process context. Therefore, even if an application recompiled itself to avoid any use of any SIMD instruction whatsoever, the contents of its registers would be exposed to an attacker whenever a context switch occurs.
    It may be possible to provide mitigation by scheduling untrusted processes on separate physical cores to trusted processes, however we would not recommend trying to adopt this as a mitigation strategy, as it requires users to accurately classify trusted and untrusted processes, and to correctly configure process scheduling affinity.
    https://kernel.org/doc/html/next/admin-guide/hw-vuln/gather_data_sampling.html

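The mitigation states described in the comments above (microcode loaded or missing, AVX disabled as a fallback) are reported on Linux through the sysfs files covered by the kernel admin guide linked in comment 11. The shell audit below is an added example, not code from the post or from any project quoted here; the function names and verdict words are made up for illustration, and `spec_rstack_overflow` is the kernel's sysfs name for the Inception report.

```shell
#!/bin/sh
# Added example: audit the Linux sysfs reports for CPU issues named on this page
# (Meltdown, Downfall/GDS, Inception). Function names and verdict words are
# illustrative assumptions; the status strings follow the kernel hw-vuln guide.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map one sysfs status line to a single verdict word.
classify_status() {
    case "$1" in
        "Not affected"*)       echo not_affected ;;
        # Any report mentioning missing microcode is treated as incomplete, even
        # when it starts with "Mitigation:" (e.g. the GDS fallback
        # "Mitigation: AVX disabled, no microcode").
        *[Nn]o\ microcode*)    echo needs_microcode ;;
        "Mitigation:"*)        echo mitigated ;;
        "Vulnerable"*)         echo vulnerable ;;
        "Unknown"*)            echo unknown ;;       # e.g. depends on the hypervisor
        *)                     echo unrecognized ;;
    esac
}

# Print one line per issue and return non-zero if any of them needs attention.
# $1: directory to read (defaults to the live sysfs path), which allows auditing
#     a copy collected from another host.
audit_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in meltdown gather_data_sampling spec_rstack_overflow; do
        file=$dir/$name
        if [ -r "$file" ]; then
            line=$(cat "$file")
            verdict=$(classify_status "$line")
        else
            # Kernels that predate an issue do not expose its file at all.
            line="(no sysfs file: kernel does not report this issue)"
            verdict=no_report
        fi
        printf '%-22s %-16s %s\n' "$name" "$verdict" "$line"
        case $verdict in
            not_affected|mitigated) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Run against the live system only when asked to: sh audit.sh --run [DIR]
if [ "${1:-}" = "--run" ]; then
    audit_vulns "${2:-}"
fi
```

A missing file is reported as `no_report` rather than as safe, because an old kernel that knows nothing about an issue also cannot confirm that the microcode fix is loaded.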
  12. Tomi Engdahl says:

    https://www.securityweek.com/companies-respond-to-downfall-intel-cpu-vulnerability/
    AWS, Microsoft Azure, Google Cloud
    AWS said its customers’ data and cloud instances are not affected by Downfall and no action is required. The cloud giant did note that it has “designed and implemented its infrastructure with protections against this class of issues”.
    Microsoft said it rolled out updates to its Azure infrastructure to patch the vulnerability. In most cases — except customers that have opted out of automatic updates — users do not need to take any action.
    Google Cloud also said no customer action is required. The company has applied available patches on its server fleet. However, some products require additional updates from its partners or vendors.
    Dell
    Dell has released BIOS patches for Alienware, ChengMing, G series, Precision, Inspiron, Latitude, OptiPlex, Vostro, and XPS computers.
    HP
    HP has started releasing SoftPaqs that address Downfall for its business and consumer PCs, workstations, and retail PoS systems.
    VMware
    VMware informed customers that hypervisors may be affected by CVE-2022-40982 if they are using an impacted Intel CPU, but hypervisor patches are not needed to address the vulnerability. Instead, impacted customers need to obtain firmware updates from their hardware vendors.
    Linux distributions
    Several Linux distributions have released advisories, patches and mitigations for systems using Intel processors. The list includes SUSE, CloudLinux, RedHat, Ubuntu and Debian.

  13. Tomi Engdahl says:

    Zenbleed: new hardware vulnerability in AMD CPUs
    Explaining an issue in popular PC and server CPUs in simple terms.
    https://www.kaspersky.com/blog/zenbleed-vulnerability/48836/
    Zenbleed exists thanks to the speculative execution system. The vulnerability is not easy to explain. In his blogpost, Tavis Ormandy presents cold facts that only an experienced low-level coding pro can get to the bottom of. In a nutshell, here is one of the instruction sets for Zenbleed exploitation:
    A GitHub description by the Google Information Security team sheds some light on the nature of the problem. For the past 15 years, Intel and AMD CPUs have been using the instruction extension set AVX. Among other things, these instructions support 128- and 256-bit vector registers. To put it really simply, CPU registers are used for temporary storage of data when executing instructions. In some cases, being able to store sufficiently large amounts of data in vector registers makes it possible to considerably improve performance. The 128-bit (XMM) and 256-bit (YMM) registers are commonly used for the most routine operations, such as those related to reading from and writing to RAM.
    Concurrent use of 128- and 256-bit registers brings another set of problems. If used simultaneously within the same task, XMM registers are automatically converted into YMM registers. This is where the zeroing of the upper “half” of the YMM register is routinely performed. The special instruction for that is vzeroupper. All registers are stored in the so-called register file and are used in turns by different programs run on the computer.
    https://github.com/google/security-research/tree/master/pocs/cpus/zenbleed

  14. Tomi Engdahl says:

    By Sayan Sen – Microsoft and Intel have cautioned about a recent security vulnerability affecting 7th Gen, 8th Gen, 9th Gen, 10th Gen, and 11th Gen chips. This security vulnerability is called Downfall or GDS. #Intel #Microsoft #Downfall

    https://www.neowin.net/news/gds-microsoft-intel-confirm-downfall-of-7th-8th-9th-10th-11th-gen-cpus-firmware-out/?fbclid=IwAR1pwmpyZ_-qtIDc7Z-aTa_wYtQhrk5-w92ITL3xpk2V9ia2jD5H7ZuryLQ
