Say hello to Downfall, another data-leaking security hole in several years of Intel chips

Black Hat Googlers have lately found not one but two more security vulnerabilities in Intel and AMD processors that can be exploited to steal sensitive data from a vulnerable computer's memory.

Specifically, there's one flaw in Intel components, and one in AMD. Both can be abused by malware running on a system, or a rogue logged-in user, to lift passwords, secrets, and other data out of memory that should be off limits. This should be concerning for those who use shared servers in the cloud.

The Intel vulnerability, found by Daniel Moghimi and dubbed Downfall, was addressed on Tuesday, nearly a year after its private disclosure.

The AMD vulnerability, found by Tavis Ormandy and named Zenbleed, was patched, to a degree, in July after being reported privately in mid-May, as we previously covered.

"Downfall (CVE-2022-40982) and Zenbleed (CVE-2023-20593) are two different vulnerabilities affecting CPUs – Intel Core (6th - 11th generation) and AMD Zen 2, respectively," said Moghimi and Ormandy in a summary of both holes issued yesterday.

"They allow an attacker to violate the software-hardware boundary established in modern processors."

The sixth generation of Intel Core processors launched in 2015; AMD's Zen 2 launched in 2019. So that's a lot of chips.

For those who recall the Spectre and Meltdown attacks disclosed in early 2018 that obtain sensitive data from memory, and the subsequent variations such as Foreshadow and LVI, Downfall and Zenbleed will feel quite familiar.

Both are enabled by speculative execution, a CPU technique for executing instructions on a single execution thread in parallel. Executing instructions that may or may not be needed in advance can make code run faster if those instructions are needed. But doing so, as the computing industry has been reminded in recent years, opens the door to potential abuse.

"When an instruction depends on prior unresolved operations, the CPU speculatively executes it based on some prediction," explained Moghimi, in his paper on Downfall [PDF]. "When, hopefully rarely, the prediction is incorrect, the CPU flushes incorrect executions and re-executes them to get correct results. Speculative execution is architecturally invisible to the software, but its side effects can be observed."

Downfall and Zenbleed allow the observation of data that should not be visible, such as cryptographic keys, runtime data, and arbitrary data.

Moghimi, in his paper, recounts the history of these transient execution attacks that leak data across boundaries intended to safeguard the kernel, processes, and virtual machines, and trusted execution environments.

Addressing these initial attacks, explains Moghimi, required upgrading to new hardware that applied fixes in silicon, or potentially-performance-hindering software workarounds like kernel page table isolation (KPTI), purging private data across context switching, and disabling simultaneous multithreading.

To avoid the performance hit of software mitigations, Intel tried to address transient execution vulnerabilities with hardware fixes for Meltdown and Foreshadow in its 9th-generation CPUs and for MDS and LVI in its 10th-generation Cascade Lake CPUs.

However, Downfall shows there's work yet to be done.

• Google emits data-leaking proof-of-concept Spectre exploit for Intel CPUs to really get everyone's attention
• Woo-yay, Meltdown CPU fixes are here. Now, Spectre flaws will haunt tech industry for years
• We translated Intel's crap attempt to spin its way out of CPU security bug PR nightmare
• Hidden Linux kernel security fixes spotted before release – by using developer chatter as a side channel

Downfall, the two Google researchers say, "exploits the speculative forwarding of data from the SIMD Gather instruction." SMID stands for "single instruction, multiple data" and refers to a type of parallel processing.

"The Gather instruction helps the software access scattered data in memory quickly, which is crucial for high-performance computing workloads performing data encoding and processing," explained Moghimi and Ormandy. "Downfall shows that this instruction forwards stale data from the internal physical hardware registers to succeeding instructions."

Accessing this data involves a process similar to the exploitation of Meltdown. The technique involves: issuing instructions to make it more likely that transiently-forwarded data will be visible; executing the gather instruction; encoding a 32-bit unsigned integer (dword) so as to reveal up to 4 bytes of transient data; and scanning the cache using the Flush+Reload technique, which removes and reloads data from a shared cache to determine data related to the targeted user.

Downfall also affects Intel SGX, the chipmaker's hardware-based memory protection scheme. There's proof-of-concept code available for those inclined to test it.

Intel's fix, according to Moghimi and Ormandy, imposes a performance hit ranging from zero to 50 percent, depending on the workload.

The x86 giant, meanwhile, sought to downplay the security weakness, saying the Googlers exploited the shortcoming “within the controlled conditions of a research environment."

In public cloud environments, customers should check with their provider

"While this attack would be very complex to pull off outside of such controlled conditions, affected platforms have an available mitigation via a microcode update," an Intel spokesperson told us today.

"Recent Intel processors, including Alder Lake, Raptor Lake, and Sapphire Rapids, are not affected. Many customers, after reviewing Intel's risk assessment guidance, may determine to disable the mitigation via switches made available through Windows and Linux operating systems as well as VMMs.

"In public cloud environments, customers should check with their provider on the feasibility of these switches.”

Moghimi is set to talk about Downfall at the Black Hat conference in Las Vegas today, and the USENIX Security Symposium on August 11.

AMD not left out

Zenbleed, the researchers say, demonstrates that the improper implementation of speculative execution of the SIMD vzeroupper instruction – which zeros the upper bits of vector registers – leaks stale data from physical hardware registers to software registers

"Vzeroupper instructions should clear the data in the upper-half of SIMD registers (e.g., 256-bit register YMM) which on Zen 2 processors is done by just setting a flag that marks the upper half of the register as zero," they explained.

"However, if on the same cycle as a register to register move the vzeroupper instruction is mis-speculated, the zero flag doesn’t get rolled back properly, leading to the upper-half of the YMM register to hold stale data rather than the value of zero."

As with Downfall, the consequence of Zenbleed is that sensitive data can be exposed. But where Intel's fix has performance implications, AMD's Zenbleed patch does not affects performance in a meaningful way.

According to Moghimi, Intel's server compute market share of more than 70 percent means that everyone on the internet could be affected by Downfall.

While there's a theoretical possibility Downfall could be executed remotely using a browser (given further research), both attacks assume the attacker and victim are running on the same CPU core – as might occur among cloud tenants sharing hardware.

Folks are encouraged to patch their systems as soon as possible for Zenbleed and Downfall, especially shared ones, and consult their cloud providers to ensure updates are applied to hosts. We note that AMD is still in the process of issuing firmware-level updates to address Zenbleed in its silicon. Some fixes are out already, some slated for later this year.

Moghimi and Ormandy say that these vulnerabilities, which have existed for years, underscore the need for fundamental changes in the way secure hardware is designed, better automated hardware testing, and better awareness of the potential risks introduced by performance optimizations. ®