New Intel CPU vulnerability GDS/Downfall

  • Author

    Janne Ruostemaa

    Editor-in-Chief

  • About

    Type
    Blog
    Category
    Announcements

Posted on 22 August 2023

On August 8, 2023, Intel published a new security vulnerability that exploits Gather Data Sampling (GDS). Named Downfall by its discoverer, it impacts multiple generations of Intel processors used in both personal and cloud computers. Downfall is a transient execution side-channel vulnerability that targets a critical weakness found in many modern Intel processor models.

Following the publication of the new vulnerability affecting a subsection of our cloud infrastructure, we began to evaluate and implement the microcode update to mitigate the vulnerability.

No actions are required from customers.

Vulnerability

This vulnerability, identified as CVE-2022-40982 with a CVSS Base Score of 6.5 Medium, allows malicious software to possibly infer data previously stored in vector registers used by either the same thread or the sibling thread on the same physical CPU core. In cloud infrastructure, an exploiter could use the Downfall vulnerability to steal data and credentials from other customers who share the same compute host.

Similar to data sampling transient execution attacks like Microarchitectural Data Sampling (MDS), the Downfall vulnerability is caused by memory optimization features in Intel processors that unintentionally reveal internal hardware registers to software.

These registers may have been used by other security domains such as other Cloud Servers, the operating system kernel, or Intel Software Guard Extensions (Intel SGX) enclaves. This allows untrusted software to access data stored by other programs, which should not normally be accessible.

Mitigation

Downfall defeats fundamental security boundaries in most Intel-based systems and is effectively a successor to previous data-leaking vulnerabilities in Intel CPUs including Meltdown and Fallout (AKA MDS). Mitigations applied to the previous vulnerabilities are ineffective against Downfall.

Accompanied by the release, Intel has provided a microcode update to mitigate GDS, and no software changes are required to enable the mitigation. We have applied the updates across our cloud infrastructure without interruptions or action required from our customers.

Intel has acknowledged that their microcode mitigation for Downfall has the potential to impact performance where gather instructions are used in performance-critical applications. Performance impact might be most visible in certain single-thread/CPU tasks that explicitly use the AVX512 instructions – mostly with cryptographic operations like video encoding/transcoding. Intel has not relayed any estimated performance impact claims from this mitigation.

As always, we highly recommend all our users keep their Cloud Servers up to date on security updates provided by your operating system vendor.

Should you have any questions or concerns, please don’t hesitate to contact our support team.

Summer promotion!

Start your free 30-day trial today and discover why thousands of businesses trust UpCloud

  • $500 free credits
  • Risk-free trial
  • Optimized performance
  • Scalable infrastructure
  • Top-tier security
  • Global availability

Sign up

See also

Blog post banner about key learnings and insights from Cloudfest 2024.

Key learnings and insights from CloudFest 2024! 

Celebrating its 20th year, CloudFest 2024 sure did bring the party! Uniting almost twelve thousand cloud experts, the event was a true celebration of the […]

Fiona Horan

Enterprise Marketing Specialist

Developing SDN: Towards software-defined networking.

Developing SDN: Towards software-defined networking

The innovators of the future often rely on the freedoms provided by the supporting platforms to build new online services and web apps on creative ideas. […]

Janne Ruostemaa

Editor-in-Chief

When Do You Need a Kubernetes Operator? A Practical Guide

Discover when a Kubernetes Operator is essential for effective container orchestration and streamlined application management.

Anita Ihuman

Back to top