August 14, 2023

Downfall is a serious flaw in Intel processors

Written by Ivsoft


New day, new security flaw. Ten days after we learned about a flaw in AMD's Zen 2 processors (Zenbleed), it is Intel's turn. Billions of Intel processors carry a hardware flaw that lets an attacker who can run code on the same machine steal sensitive data such as passwords, email, messages, payment card data, and encryption keys.

The flaw is called "Downfall" and was discovered by Google security researcher Daniel Moghimi. Downfall affects Intel Core processors from Skylake through Tiger Lake, that is, the 6th to the 11th generation: practically every Intel Core processor released before Alder Lake and Raptor Lake, which are not affected. An attacker running code on the same machine as the victim can also read data protected by Software Guard eXtensions (SGX). This applies to home computers as well as cloud servers.

"The vulnerability, identified as CVE-2022-40982, allows a user to access and steal data from other users who share the same computer. For example, a malicious application can use Downfall to steal data such as passwords, encryption keys and private data such as bank accounts, email or messages. Similarly, in the cloud, a malicious customer can use Downfall to steal data or a username and password combination from other customers with whom they share the same cloud computer."

Moghimi reported the flaw to Intel on August 24, 2022. The public announcement came almost a year later, because Intel needed that time to develop and distribute the fixes.

A new security flaw in processors

According to Intel's advisory, the vulnerability is rated 6.5, a medium severity. Because the attacker must already be able to run code on the target machine, the estimated danger is not extremely high. Downfall is tracked as CVE-2022-40982. To read the victim's data, attacker and victim must execute on the same physical core, for example as the two hyperthreads of one core. The attacker in this case is a malicious application.

In theory the flaw could also be exploited remotely, for example from code running in a web browser, but there is no proof of concept for that.

"The cause of the flaw is a memory-optimization feature in Intel processors that inadvertently exposes internal hardware registers to software. This allows untrusted software to access data of other programs that should not normally be accessible. I discovered that the Gather instruction, which is meant to speed up access to scattered data in memory, leaks the content of the internal vector register file during speculative execution. To exploit the flaw, I use the Gather Data Sampling (GDS) and Gather Value Injection (GVI) techniques," says Moghimi.

The researcher also published several demonstrations of the flaw: stealing another user's 128-bit and 256-bit AES keys, reading data from the Linux kernel, and spying on printable characters typed by another user. Passwords or encryption keys obtained this way can then be reused in further attacks. In the proof of concept, all 100 tested AES-128 keys were recovered on the first attempt; for AES-256 the first attempt succeeded in 86% of cases. The AES-256 keys that needed a second attempt had simply not appeared in the leaked data often enough within the 10-second sampling window.

Intel has released a microcode update that mitigates the flaw by preventing Gather from exposing stale data. As usual, the fix costs performance: workloads that use Gather heavily can slow down noticeably, by up to about 50% in Intel's own estimate, while most applications see far less. Two caveats for administrators: the mitigation can be switched off (on Linux with the gather_data_sampling=off boot parameter, or with the blanket mitigations=off), and inside a virtual machine the guest kernel cannot tell whether the host has applied the microcode, so the check has to be done on the hypervisor.
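To check whether a given Linux host is actually protected, and to make the same-physical-core requirement described above visible, the following script reads the kernel's own gather_data_sampling report. It is an added example written for this article, not code from the original post, from Intel or from Moghimi. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/gather_data_sampling (upstream Linux 6.5 and distribution backports); the status strings it matches are the ones upstream Linux prints, while the short verdict labels and the boot-parameter check are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: report a Linux host's exposure to
# Downfall / Gather Data Sampling (CVE-2022-40982) using the kernel's own
# vulnerability reporting. Assumes a kernel that exposes the
# gather_data_sampling sysfs entry (upstream Linux 6.5+ and distro backports).

GDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling

# Map the status string the kernel prints to a short verdict. The strings are
# the ones upstream Linux uses for this entry; the verdict labels are ours.
classify_gds_status() {
    case "$1" in
        "Not affected")                            echo "not-affected" ;;
        "Mitigation: Microcode (locked)")          echo "mitigated-locked" ;;
        "Mitigation: Microcode")                   echo "mitigated" ;;
        "Mitigation: AVX disabled, no microcode")  echo "mitigated-avx-disabled" ;;
        "Vulnerable: No microcode")                echo "vulnerable-needs-microcode" ;;
        "Vulnerable")                              echo "vulnerable-mitigation-off" ;;
        "Unknown: Dependent on hypervisor status") echo "unknown-guest" ;;
        *)                                         echo "unrecognised" ;;
    esac
}

# Return 0 if the kernel command line turns the GDS mitigation off, either
# explicitly or through the blanket mitigations=off switch.
cmdline_disables_gds() {
    case " $1 " in
        *" gather_data_sampling=off "*|*" mitigations=off "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable explanation for each verdict, including what to do about it.
explain_verdict() {
    case "$1" in
        not-affected)               echo "CPU is outside the affected range (Skylake through Tiger Lake)." ;;
        mitigated|mitigated-locked) echo "Microcode mitigation active; Gather no longer exposes stale SIMD data." ;;
        mitigated-avx-disabled)     echo "No fixed microcode; kernel disabled AVX instead (gather_data_sampling=force)." ;;
        vulnerable-needs-microcode) echo "Affected CPU and no fixed microcode loaded: update firmware/microcode." ;;
        vulnerable-mitigation-off)  echo "Fixed microcode present but mitigation disabled: check boot parameters." ;;
        unknown-guest)              echo "Running as a guest; only the hypervisor can confirm the host microcode." ;;
        *)                          echo "Unrecognised status string; inspect $GDS_SYSFS by hand." ;;
    esac
}

report() {
    if [ ! -r "$GDS_SYSFS" ]; then
        echo "No $GDS_SYSFS: this kernel predates GDS reporting, cannot judge from sysfs."
        return 0
    fi
    status=$(cat "$GDS_SYSFS")
    verdict=$(classify_gds_status "$status")
    echo "gather_data_sampling: $status -> $verdict"
    explain_verdict "$verdict"

    if [ -r /proc/cmdline ] && cmdline_disables_gds "$(cat /proc/cmdline)"; then
        echo "Warning: the kernel command line disables the GDS mitigation."
    fi

    # GDS needs attacker and victim on the same physical core. With SMT on, a
    # sibling hyperthread is the easiest way for an attacker to get there, but
    # turning SMT off is not a substitute for the microcode fix.
    if [ -r /sys/devices/system/cpu/smt/active ]; then
        echo "SMT active: $(cat /sys/devices/system/cpu/smt/active)"
    fi
    return 0
}

report
```

Run it as an ordinary user on each host (and on the hypervisor, not only in guests); anything other than "not-affected", "mitigated" or "mitigated-locked" deserves a follow-up.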

