Jump to content

Downfall (security vulnerability)

Add links
From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Widefox (talk | contribs) at 19:15, 11 August 2023 (sep lead, unlink unlikely red, convert excessive EXT links to refs, "recent" {{when}} -> {{which}}, def acros per MOS, put alt name in bold firm sent per MOS, copyedit, destub). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
See also: Transient execution CPU vulnerability

Downfall, known as Gather Data Sampling (GDS) by Intel,[1] is a computer security vulnerability found in recent[which?] generations of Intel x86-64 microprocessors. It is a side-channel attack which relies on speculative execution of Advanced Vector Extensions (AVX) instructions to reveal the content of vector registers.[2][3]

Vulnerability

Intel's Software Guard Extensions (SGX) security subsystem is also affected by this bug.[3]

The Downfall vulnerability was discovered by the security researcher Daniel Moghimi, who publicly released information about the vulnerability in August 2023, after a year-long embargo period.[4][5]

Intel promised microcode updates to resolve the vulnerability.[1] The microcode patches have been shown to significantly reduce the performance of some heavily-vectorized loads.[6]

Patches to mitigate the effects of the vulnerability have also been created as part of the forthcoming version 6.5 release of the Linux kernel.[7] They include code to disable the AVX extensions entirely on CPUs for which microcode mitigation is not available.[8]

Vendor responses

References

  1. ^ a b "Gather Data Sampling / CVE-2022-40982 / INTEL-SA-00828". Intel. Retrieved 2023-08-08.
  2. ^ Newman, Lily Hay. "New 'Downfall' Flaw Exposes Valuable Data in Generations of Intel Chips". Wired. ISSN 1059-1028. Retrieved 2023-08-08.
  3. ^ a b Ilascu, Ionut (2023-08-08). "New Downfall attacks on Intel CPUs steal encryption keys, data". BleepingComputer. Retrieved 2023-08-08.
  4. ^ Wright, Rob (2023-08-08). "Google unveils 'Downfall' attacks, vulnerability in Intel chips". Security. Retrieved 2023-08-08.
  5. ^ Larabel, Michael (2023-08-08). "Intel DOWNFALL: New Vulnerability Affecting AVX2/AVX-512 With Big Performance Implications". www.phoronix.com. Retrieved 2023-08-08.
  6. ^ Liu, Zhiye (2023-08-10). "Intel's Downfall Mitigations Drop Performance Up to 39%, Tests Show". Tom's Hardware. Retrieved 2023-08-11.
  7. ^ Larabel, Michael (2023-08-08). "Linux 6.5 Patches Merged For Intel GDS/DOWNFALL, AMD INCEPTION". www.phoronix.com. Retrieved 2023-08-09.
  8. ^ Corbet, Jonathan (August 8, 2023). "Another round of speculative-execution vulnerabilities". lwn.net. Retrieved 2023-08-11.
  9. ^ https://aws.amazon.com/security/security-bulletins/AWS-2023-007
  10. ^ https://support.citrix.com/article/CTX569353/citrix-hypervisor-security-bulletin-for-cve202320569-cve202334319-and-cve202240982
  11. ^ https://www.dell.com/support/kbdoc/en-us/000216234/dsa-2023-180
  12. ^ https://security-tracker.debian.org/tracker/CVE-2022-40982
  13. ^ https://cloud.google.com/support/bulletins#gcp-2023-024
  14. ^ https://support.hp.com/us-en/document/ish_9021973-9021997-16/hpsbhf03859
  15. ^ https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html
  16. ^ https://support.lenovo.com/us/en/product_security/LEN-134879
  17. ^ https://forum.qubes-os.org/t/qsb-093-transient-execution-vulnerabilities-in-amd-and-intel-cpus-cve-2023-20569-xsa-434-cve-2022-40982-xsa-435/20299
  18. ^ https://access.redhat.com/security/cve/cve-2022-40982
  19. ^ https://www.supermicro.com/en/support/security_Intel_IPU2023.3_Update
  20. ^ https://ubuntu.com/security/CVE-2022-40982
  21. ^ https://blogs.vmware.com/security/2023/08/cve-2022-40982.html
  22. ^ https://seclists.org/oss-sec/2023/q3/98
Retrieved from "https://en.wikipedia.org/w/index.php?title=Downfall_(security_vulnerability)&oldid=1169861246"