“Downfall” bug affects years of Intel CPUs, can leak encryption keys and more

By | August 9, 2023
An 8th-generation Intel Core desktop CPU, one of several CPU generations affected by the Downfall bug.
Enlarge / An 8th-generation Intel Core desktop CPU, one of several CPU generations affected by the Downfall bug.
Mark Walton

It’s a big week for CPU security vulnerabilities. Yesterday, different security researchers published details on two different vulnerabilities, one affecting multiple generations of Intel processors and another affecting the newest AMD CPUs. “Downfall” and “Inception” (respectively) are different bugs, but both involve modern processors’ extensive use of speculative execution (a la the original Meltdown and Spectre bugs), both are described as being of “medium” severity, and both can be patched either with OS-level microcode updates or firmware updates with fixes incorporated.

AMD and Intel have both already released OS-level microcode software updates to address both issues. Both companies have also said that they’re not aware of any active in-the-wild exploits of either vulnerability. Consumer, workstation, and server CPUs are all affected, making patching particularly important for server administrators.

It will be up to your PC, server, or motherboard manufacturer to release firmware updates with the fixes after Intel and AMD make them available.

Intel’s Downfall

A DALL-E 2-generated logo for the "Downfall" CPU vulnerability.
A DALL-E 2-generated logo for the “Downfall” CPU vulnerability.
Daniel Moghimi/DALL-E 2

We’ll cover the Downfall bug first, since it affects a wider swath of processors.

Also known as CVE-2022-40982, the Downfall bug exploits a flaw in the “Gather” instruction that affected Intel CPUs use to grab information from multiple places in a system’s memory. According to Google security researcher Daniel Moghimi, the bug causes the CPU to “unintentionally reveal internal hardware registers to software,” which “allows untrusted software to access data stored by other programs.” Moghimi’s proof-of-concept shows Downfall being used to steal encryption keys from other users on a given server, as well as other kinds of data.

For systems that use Intel’s Software Guard Extensions (SGX) memory encryption, Intel’s microcode fix must be loaded via firmware; for systems without SGX, the new microcode fix can be loaded via firmware or at the OS level.

Moghimi has published a white paper (PDF) along with the Downfall website (and its DALL-E 2-generated logo). He says he disclosed the bug to Intel about a year ago and describes Downfall as a “successor” to previous speculative-execution bugs like Meltdown and Fallout.

According to Intel’s support pages—one here for the Downfall bug, one here that lays out the status of multiple CVEs across Intel’s CPU lineup—Downfall affects all processors based on the Skylake, Kaby Lake, Whiskey Lake, Ice Lake, Comet Lake, Coffee Lake, Rocket Lake, and Tiger Lake architectures, along with a handful of others.

For those of you who can’t keep your lakes straight, that means most CPUs in Intel’s 6th through 11th-generation Core lineups for consumer PCs, sold starting in 2015 and still available in some new systems today. Downfall also affects Xeon server and workstation processors and any Pentium and Celeron processors based on those same architectures.

Not affected are Intel’s newer 12th- and 13th-generation CPU architectures (aka Alder Lake and Raptor Lake), low-end CPUs in the Atom, Pentium, and Celeron families (Apollo Lake, Jasper Lake, Gemini Lake, and others), or older CPU architectures like Haswell and Broadwell (currently only officially supported in servers, but also used in 4th- and 5th-generation Core CPUs for consumer PCs).

Intel says that mitigations for downfall can reduce performance for workloads that rely on the Gather instruction by up to 50 percent. There is “an opt-out mechanism” that can disable the fix to restore full speeds, though Moghimi doesn’t recommend using it.

AMD’s Inception

If Downfall is a descendant of Meltdown, then Inception, also known as CVE-2023-20569, is a side-channel vulnerability descended from the Spectre bug. It’s actually a combination of attacks, one that makes the CPU think that it performed a misprediction, and a second that uses the “phantom speculation” trigger to “manipulate future mispredictions.” More detail is available in the white paper (PDF).

The end result, according to security researchers in ETH Zürich’s COMSEC group, is a vulnerability that “leaks arbitrary data” on affected Ryzen, Threadripper, and EPYC CPUs. The group published a proof-of-concept video in which they cause a CPU using AMD’s latest Zen 4 architecture to leak a system’s root password.

Mitigating the risk somewhat, AMD “believes this vulnerability is only potentially exploitable locally, such as via downloaded malware.”

COMSEC says that the bug affects “all AMD Zen CPUs,” but AMD itself says that Inception fixes are only necessary for processors using Zen 3 or Zen 4-based CPU cores. This includes Ryzen 5000- and 7000-series desktop CPUs, some Ryzen 5000 and 7000-series laptop CPUs, all Ryzen 6000-series laptop GPUs, Threadripper Pro 5000WX workstation CPUs, and 3rd- and 4th-gen EPYC server CPUs. Some AGESA firmware updates for these chips are available now, and others should be available sometime between now and December of 2023, and OS-level microcode updates are available in the meantime.

If you do have an older AMD processor, Zen 2-based Ryzen chips did get their own speculative execution exploit just last month, in the form of “Zenbleed.” This bug can also be used to obtain encryption keys and other user information under specific circumstances. As with Inception, OS-level microcode fixes are already available, but AMD may likewise take a few months to release new firmware versions with the fixes incorporated.

Source