On August 8, 2023, Intel published a new security vulnerability that exploits Gather Data Sampling (GDS). Named Downfall by its discoverer, it impacts multiple generations of Intel processors used in both personal and cloud computers. Downfall is a transient execution side-channel vulnerability that targets a critical weakness found in many modern Intel processor models.
Following the publication of the new vulnerability affecting a subsection of our cloud infrastructure, we began to evaluate and implement the microcode update to mitigate the vulnerability.
No actions are required from customers.
Vulnerability
This vulnerability, identified as CVE-2022-40982 with a CVSS Base Score of 6.5 Medium, allows malicious software to possibly infer data previously stored in vector registers used by either the same thread or the sibling thread on the same physical CPU core. In cloud infrastructure, an exploiter could use the Downfall vulnerability to steal data and credentials from other customers who share the same compute host.
Similar to data sampling transient execution attacks like Microarchitectural Data Sampling (MDS), the Downfall vulnerability is caused by memory optimization features in Intel processors that unintentionally reveal internal hardware registers to software.
These registers may have been used by other security domains such as other Cloud Servers, the operating system kernel, or Intel Software Guard Extensions (Intel SGX) enclaves. This allows untrusted software to access data stored by other programs, which should not normally be accessible.
Mitigation
Downfall defeats fundamental security boundaries in most Intel-based systems and is effectively a successor to previous data-leaking vulnerabilities in Intel CPUs including Meltdown and Fallout (AKA MDS). Mitigations applied to the previous vulnerabilities are ineffective against Downfall.
Accompanied by the release, Intel has provided a microcode update to mitigate GDS, and no software changes are required to enable the mitigation. We have applied the updates across our cloud infrastructure without interruptions or action required from our customers.
Intel has acknowledged that their microcode mitigation for Downfall has the potential to impact performance where gather instructions are used in performance-critical applications. Performance impact might be most visible in certain single-thread/CPU tasks that explicitly use the AVX512 instructions – mostly with cryptographic operations like video encoding/transcoding. Intel has not relayed any estimated performance impact claims from this mitigation.
As always, we highly recommend all our users keep their Cloud Servers up to date on security updates provided by your operating system vendor.
Should you have any questions or concerns, please don’t hesitate to contact our support team.