Big Cooperation’s speak on the Intel CPU ‘Downfall’ Vulnerabilities.

Major cooperation’s speak on the Intel CPU ‘Downfall’ vulnerabilities in response to the ‘downfall’ attack reported earlier this month. On the 10th August, fixitgearware.com publish its take on the downfall attack a side channel attack that enables a threat actor manipulate intel based CPU’s locally, obtaining sensitive information such as encryption keys, and passwords.

intel-gpu.png
An attack known as Downfall has been discovered in INTEL CPU, by a google researcher. The downfall attack, which is known to target weakness discovered in billions of modern processors. Image source Google.

The vulnerability which was discovered by a Team of Google Researchers and assigned the number CVE-2022-40982, is also noticed to affect the cloud environment allowing attackers, to exfiltrate sensitive data remotely via a web browser, although as reported by the researcher that more in-depth research is needed to find how.

The vulnerability, which is said to affect a few intel products such as Intel Core and Xeon processors, that were released over a decade ago. This led the manufacturers to swing into quick action to work on releasing security updates and mitigation with regards to the security weakness.

Also, in the article we wrote about the vulnerability impact on memory optimization features found in Intel Processors; we know it leverages two techniques such as – Gather Data Sampling (GDS), and Gather Value Injection (GVI).

The Google researcher by the name Daniel, also talked about how highly practical the exploit could steal encryption keys from OpenSSL, with a Proof-Of-Concept (POC).

It is noted since the last time the vulnerability was reported, several big organizations have swung into action in releasing advisories.

 In various blog contents written by this organizations, we will be summarizing their various opinion:

  • OpenSSL opinion on the vulnerability:

 

OpenSSL-opinion-on-the-vulnerability.png
OpenSSL advised its users to assume all information stored in a process that is vulnerable can be accessed by an attacker. Image-source: Google

In a blog post titled “OpenSSL Statement on the recent Intel/AMD Downfall/Inception Vulnerabilities”, gave an opinion on how both of the attacks (Downfall attack, and also the Inception attack on AMD based CPU’s) are microarchitectural side channel attacks, allowing unprivileged threat actors  on the same physical core of a victim or target system process, extract confidential information from that process.

In a post snippet we extracted, we could read a statement officially from them:

Firstly, it should be noted that while the Downfall vulnerability is demoed against OpenSSL, this is highly general microarchitectural side-channel attack which can compromise the security of essentially any software and is not specific to OpenSSL (nor something we could mitigate with code changes). This is not a vulnerability in OpenSSL.

OpenSSL further stated that:

The requirement for executing on the same physical core as a victim process can be met either by OS context switching or via hyperthreading. Because OpenSSL provides accelerated implementations of many cryptographic primitives using x86 SIMD instructions, if an attacker executes an attack using this vulnerability on a process performing cryptographic operations using OpenSSL, there is an elevated risk that the information they are able to extract will include cryptographic key material or plaintexts, as this material is likely to have been recently processed in the victim process using SIMD instructions.”

The company stated also; this doesn’t imply other information stored in a process are safe from being exploited. Users are advised to assume that all information stored in a process that is vulnerable can be accessed by an attacker.   OpenSSL also listed recommendations for the mitigation.

  • Google Cloud opinion on the vulnerability:

 

Google Cloud opinion on the vulnerability.png
Google has gone ahead to assure its customers that they are working with their partners to obtain security updates and deploy them accordingly. Image-source: Google.

In a security bulletin published stated that no action is required on the part of their customers, as they are working with their partners to obtain necessary patches, and will deploy them in accordance to priority to their fleets, while adopting the standard upgrade processes. This should be expected in the next several weeks they said.

Information on the process and step taken by Google cloud can be read.

  • AWS opinion on the vulnerability:

 

AWS-opinion-on-the-vulnerability.png
AWS has assured its users and customers that the inception attack did not affect any AWS instance or users data. Image-source: Google.

AWS also have their opinions published with regards to the attack. They stated that both AWS instance and data belonging to customers are not affected by the issue, and there is no action required on the customers’ part.  Also, a contact information was left with regards to any security questions related to the attack which its customers might have.

  • Microsoft opinion on the vulnerability:

Microsoft-opinion-on-the-vulnerability-scaled.png
Microsoft has assured its customers that no action is required to be taken on the users end, except those who have set their devices to custom maintenance configurations. Image-source: Google

The company employee by the name Deherman, published on their website about their awareness of the CVE-2022-40982, and that after proper evaluations, that its customers require no actions for the major issues detected. However, it said customers who have opted-out of auto-updates with their custom maintenance configurations need to take a quick action. The relevant details and answers to questions can be read here.

  • Cisco opinion on the vulnerability:

 

Cisco-opinion-on-the-vulnerability.png
Cisco has listed a number of their products affected by the bug, and disclosed their CVEs accordingly. Image-source: Google

In a quick summary of the bug, stated that the exposure is not configuration dependent, and that a list of Cisco products where affected, and the CVE numbers associated with them accordingly. The products are UCS B-Series (CVE-2022-41804); M6 Blade servers (CVE-2022-40982); UCS C-Series (CVE-2023-23908); and M6 Rack Servers (CVE-2022-37343). Information about the bug can be read here.

  • Citrix opinion on the vulnerability:

Citrix-opinion-on-the-vulnerability.png
Citrix stated that a series of Hypervisors were affected, and has gone ahead to release mitigating factors to fix this. Image-source: Google

Citrix published in a security bulletin that the Citrix Hypervisor, and XenServer, were impacted by this vulnerability. In a statement on the published article, they said:

“An issue has been discovered in Citrix Hypervisor 8.2 CU1 LTSR that may allow malicious, privilege code in a guest VM to cause host to crash.”

A list of mitigating factors, and requirements expected from their customers were stated here.

  • Dell opinion on the vulnerability:

 

Dell-opinion-on-the-vulnerability.png
Dell in a swift response has released security updates tag DSA-2023-180; remediating Dell client BIOS for all intel products. Image-source: Google

In a quick action to protect their vast customers across the globe, dell released a security update tag DSA-2023-180. The update is said to remediate Dell client BIOS for all intel products, which could be exploited by malicious attackers, with the intent on compromising affected systems.

  • Hewlett Packard (HP) opinion on the vulnerability:

 

Hewlett-Packard-HP-opinion-on-the-vulnerability.png
HP is aware of the vulnerability, and has been rolling out a list of firmware updates, and guidance to remediate this security flaws. Image-source: Google

In a statement issued by the company; that they have been informed by Intel, of the potentials associated with the vulnerability, and that the company is releasing a firmware update and prescriptive guidance to remediate the vulnerabilities. More details and a list of CVEs associated can be read from the website.

  • Lenovo opinion about the vulnerability:

Lenovo-opinion-about-the-vulnerability.png
Lenovo has gone ahead to release a strategy which includes updating system firmware, that corresponds to customers device model. Image-source: Google

The support page of Lenovo, has gone to outline a list of their products that has been impacted by this vulnerability, and the severity was recorded high by the company. This is due to a list of potential exploits discovered such as privilege escalation, Information disclosure, and Denial of Service (DOS) attack.

They have gone ahead to release a strategy for their customers with regards to the vulnerability; this includes updating the system firmware to a newer version which corresponds to the model used by their customers, as disclosed on the product impact section.

  • NetApp opinion about the vulnerability:

 

NetApp-opinion-about-the-vulnerability.png
NetAPP has no security update at the moment, but has assured its customers that they will announce as soon as they are made available, via the download section of their support website. Image-source: Google

The company said they will be an update as soon as patches are released. At the moment, the company has no software update remediating this issue, and stated that any software fixes, would be made available through the NetApp support website via the download section.

They also informed that their customers who do not have access to the support website, should immediately contact technical support with the information provided.

  • OVH opinion about the vulnerability:

OVH-opinion-about-the-vulnerability.png
OVH has advised its customers and users on how to mitigate this vulnerability, and listed a few of their microarchitectures that were affected by the downfall security flaw. Image-source: Google

The cloud service company has quite a list of their product impacted by the security flaws, and has gone ahead to release a list of mitigated products, and others that are still in the pipeline to be patched.

In a title head “How to mitigate the Downfall vulnerability.”, they stated that they are aware and listed a couple of their microarchitectures in a total number of 10, which were affected.

Information about the range of products, and its impact can be viewed on their website.

  • SuperMicro opinion about the vulnerability:

 

SuperMicro-opinion-about-the-vulnerability.png
SuperMicro release a security information in their bulletin, and has assured their users that they are testing their security updates to ensure proper product validation. Image-source: Google

In a written security bulletin titled Intel Platform Update (IPU) Update 2023.3, August 2023”, a list of intel security advisories associated with the said vulnerabilities were documented and summarized.  A total of 5-products were affected, and the company has gone ahead to mitigate these problems, in an updated firmware BIOS.

They also stated, that they are currently testing to ensure that affected products are properly validated, and advise their customers to please check the release notes for the resolution.

  • VMware opinion about the vulnerability:

VMware-opinion-about-the-vulnerability.png
VMware has informed its users that their hypervisors do not require security patches, however that users should review INTEL-SA-00828, to determine if their intel processor is affected or not. Image-source: Google

The company informed the general public in a statement issued by the security response center, of the possibility of their hypervisors being affected by the vulnerability if they are utilizing intel-based processor.

However, they stated that hypervisor patches are not required in solving this problem. They instructed that their customers using the VMware hypervisors should review INTEL-SA-00828, to ascertain if their intel processor is affected by the disclosure CVE-2022-40982.

An instruction was issued; that affected organizations should contact the support team of their hardware vendor on how to go about the security update.

  • Xen opinion about the vulnerability:

Xen-opinion-about-the-vulnerability.png
Xen released a series of command for their customers to disable the AVX, in the vm.cfg file, and also advised its users to visit intel support website on further documentation with regards to the vulnerability. Image-source: Google

All products of Xen were affected by the vulnerability, and their customers have been advised to see Intel documentation for a list of affected processors.

They also stated that this can be mitigated by disabling AVX, either by booting Xen with ‘cpuid=no-avx’ on the command line, or by specifying ‘cpuid=”host:avx=0”’ in the vm.cfg file of all untrusted VMs.

Other information such as resolutions, and release fixes can be found here.

  • Linux opinion about the vulnerability:

 

Linux-opinion-about-the-vulnerability.png
Linux has gone ahead to release security updates to a bunch of their distros (CloudLinux, Debian, RedHat, SUSE, UBUNTU). Image-source: Fixitgearware.com

The giant company which is known for its open-source Distros (Distribution Operating System), has gone ahead to release security updates to mitigate this security flaws.  The list of products updated include: CloudLinux, Debian, RedHat, SUSE, and UBUNTU.

We at fixitgearware advise that customers of these companies, or who use products manufactured by them, should head straight to the various organization websites associated with their products documented here in this article, and carryout all security recommendations.

Others who are yet to receive security patches from their vendors, should contact their organization various technical support channel, and continuously view the support group, for any new updates or patches that would be released. 

 

 

 

Put your comments below in the comment section on your thoughts about this.

Find this article and information helpful? Show some love and support  “Click-Here”
5 1 vote
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments