Major corporations speak on the Intel CPU ‘Downfall’ vulnerabilities in response to the ‘Downfall’ attack reported earlier this month.
On 10 August, fixitgearware.com published its take on the Downfall attack, a side-channel attack that enables a threat actor to manipulate Intel-based CPUs locally, obtaining sensitive information such as encryption keys and passwords.
The vulnerability, which was discovered by a team of Google researchers and assigned the number CVE-2022-40982, is also noted to affect cloud environments, allowing attackers to exfiltrate sensitive data remotely via a web browser, although, as reported by the researcher, more in-depth research is needed to find out how.
The vulnerability is said to affect a few Intel products, such as Intel Core and Xeon processors, that were released over a decade ago. This led the manufacturers to swing into quick action to release security updates and mitigations for the security weakness.
Also, in that article we wrote about the vulnerability's impact on memory optimization features found in Intel processors; it leverages two techniques: Gather Data Sampling (GDS) and Gather Value Injection (GVI).
The Google researcher, by the name Daniel, also talked about how highly practical the exploit is, showing with a proof of concept (PoC) that it could steal encryption keys from OpenSSL.
Since the vulnerability was last reported, several big organizations have swung into action and released advisories.
Below we summarize the opinions these organizations have published in their various blog posts:
OpenSSL opinion on the vulnerability:
In a blog post titled “OpenSSL Statement on the recent Intel/AMD Downfall/Inception Vulnerabilities”, OpenSSL gave its opinion that both attacks (the Downfall attack, and also the Inception attack on AMD-based CPUs) are microarchitectural side-channel attacks that allow an unprivileged threat actor running on the same physical core as a victim or target process to extract confidential information from that process.
In a snippet we extracted from the post, their official statement reads:
“Firstly, it should be noted that while the Downfall vulnerability is demoed against OpenSSL, this is highly general microarchitectural side-channel attack which can compromise the security of essentially any software and is not specific to OpenSSL (nor something we could mitigate with code changes). This is not a vulnerability in OpenSSL.”
OpenSSL further stated that:
“The requirement for executing on the same physical core as a victim process can be met either by OS context switching or via hyperthreading. Because OpenSSL provides accelerated implementations of many cryptographic primitives using x86 SIMD instructions, if an attacker executes an attack using this vulnerability on a process performing cryptographic operations using OpenSSL, there is an elevated risk that the information they are able to extract will include cryptographic key material or plaintexts, as this material is likely to have been recently processed in the victim process using SIMD instructions.”
The company also stated that this doesn’t imply other information stored in a process is safe from being exploited. Users are advised to assume that all information stored in a vulnerable process can be accessed by an attacker. OpenSSL also listed recommendations for mitigation.
Google Cloud opinion on the vulnerability:
In a published security bulletin, Google Cloud stated that no action is required on the part of their customers, as they are working with their partners to obtain the necessary patches and will deploy them to their fleets in order of priority, following their standard upgrade processes. They said this should be expected in the next several weeks.
Information on the process and steps taken by Google Cloud can be read in the bulletin.
AWS opinion on the vulnerability:
AWS has also published its opinion on the attack. They stated that AWS instances and data belonging to customers are not affected by the issue, and that no action is required on the customers’ part. Contact information was also provided for any security questions its customers might have about the attack.
Microsoft opinion on the vulnerability:
A company employee by the name Deherman published on their website that Microsoft is aware of CVE-2022-40982 and that, after proper evaluation, its customers require no action for the major issues detected. However, customers who have opted out of auto-updates with custom maintenance configurations need to take quick action. The relevant details and answers to questions can be read here.
Cisco opinion on the vulnerability:
In a quick summary of the bug, Cisco stated that the exposure is not configuration dependent, and listed the Cisco products that were affected along with the CVE numbers associated with them. The products are UCS B-Series (CVE-2022-41804); M6 Blade servers (CVE-2022-40982); UCS C-Series (CVE-2023-23908); and M6 Rack Servers (CVE-2022-37343). Information about the bug can be read here.
Citrix opinion on the vulnerability:
Citrix published in a security bulletin that Citrix Hypervisor and XenServer were impacted by this vulnerability. In a statement in the published article, they said:
“An issue has been discovered in Citrix Hypervisor 8.2 CU1 LTSR that may allow malicious, privileged code in a guest VM to cause host to crash.”
A list of mitigating factors, and the requirements expected from their customers, were stated here.
Dell opinion on the vulnerability:
In a quick action to protect their vast customer base across the globe, Dell released a security update tagged DSA-2023-180. The update is said to remediate the Dell client BIOS for all Intel products, which could be exploited by malicious attackers intent on compromising affected systems.
Hewlett Packard (HP) opinion on the vulnerability:
In a statement, the company said that it has been informed by Intel of the potential risks associated with the vulnerability, and that it is releasing a firmware update and prescriptive guidance to remediate the vulnerabilities. More details and a list of the associated CVEs can be read on the website.
Lenovo opinion about the vulnerability:
Lenovo’s support page outlines a list of their products that have been impacted by this vulnerability, and the company recorded the severity as high. This is due to a list of potential exploits discovered, such as privilege escalation, information disclosure, and denial-of-service (DoS) attacks.
They have gone ahead to release a strategy for their customers with regards to the vulnerability; this includes updating the system firmware to the newer version that corresponds to the model the customer uses, as disclosed in the product impact section.
NetApp opinion about the vulnerability:
The company said there will be an update as soon as patches are released. At the moment, the company has no software update remediating this issue, and stated that any software fixes will be made available through the download section of the NetApp support website.
They also advised that customers who do not have access to the support website should immediately contact technical support using the information provided.
OVH opinion about the vulnerability:
The cloud service company has quite a list of products impacted by the security flaws, and has gone ahead to release a list of mitigated products and of others that are still in the pipeline to be patched.
Under the heading “How to mitigate the Downfall vulnerability.”, they stated that they are aware of the issue and listed the affected microarchitectures, 10 in total.
Information about the range of products and the impact can be viewed on their website.
SuperMicro opinion about the vulnerability:
In a security bulletin titled “Intel Platform Update (IPU) Update 2023.3, August 2023”, the Intel security advisories associated with the said vulnerabilities were documented and summarized. A total of 5 products were affected, and the company has gone ahead to mitigate these problems in an updated BIOS firmware.
They also stated that they are currently testing to ensure that affected products are properly validated, and advised their customers to check the release notes for the resolution.
VMware opinion about the vulnerability:
In a statement issued by its security response center, the company informed the general public that their hypervisors may be affected by the vulnerability if they are running on an Intel-based processor.
However, they stated that hypervisor patches are not required to solve this problem. They instructed customers using VMware hypervisors to review INTEL-SA-00828 to ascertain whether their Intel processor is affected by the disclosure, CVE-2022-40982.
They also instructed affected organizations to contact the support team of their hardware vendor on how to go about the security update.
Xen opinion about the vulnerability:
All Xen products were affected by the vulnerability, and their customers have been advised to see the Intel documentation for a list of affected processors.
They also stated that this can be mitigated by disabling AVX, either by booting Xen with 'cpuid=no-avx' on the command line, or by specifying 'cpuid="host:avx=0"' in the vm.cfg file of all untrusted VMs.
Other information, such as resolutions and release fixes, can be found here.
Linux opinion about the vulnerability:
The giant company, which is known for its open-source distros (distribution operating systems), has gone ahead to release security updates to mitigate these security flaws. The list of products updated includes: CloudLinux, Debian, Red Hat, SUSE, and Ubuntu.
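One way to confirm on a Linux host or guest that the mitigations described above took effect, as an added example that is not from this article or any vendor advisory. It assumes the kernel's standard sysfs vulnerability file for Gather Data Sampling (not mentioned in the article); the function names are hypothetical and the sample status string is constructed.

```shell
#!/bin/sh
# Added example: report how the running Linux kernel sees Gather Data
# Sampling (GDS, CVE-2022-40982) and whether AVX is still visible to this
# system or guest (it should be hidden where AVX was disabled as mitigation).

# Assumption: kernel with GDS reporting exposes its status in this file.
GDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling

# Map the kernel's status string to a short verdict.
classify_gds() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        "Unknown"*)      echo unknown ;;
        "")              echo unreported ;;   # no status: kernel lacks GDS reporting
        *)               echo unrecognized ;;
    esac
}

# Print yes/no depending on whether a cpuinfo-format file lists any AVX flag
# (avx, avx2, avx512*), or "unknown" if the file cannot be read.
cpu_has_avx() {
    [ -r "$1" ] || { echo unknown; return 0; }
    if grep -m 1 '^flags' "$1" | tr ' \t' '\n\n' | grep -Eq '^avx'; then
        echo yes
    else
        echo no
    fi
}

# Combine both checks. $1 = sysfs status file, $2 = cpuinfo file.
gds_report() {
    status=""
    [ -r "$1" ] && status=$(cat "$1")
    echo "gds=$(classify_gds "$status") avx_visible=$(cpu_has_avx "$2")"
}

# Constructed sample status string, then the live system.
classify_gds "Mitigation: AVX disabled, no microcode"
gds_report "$GDS_SYSFS" /proc/cpuinfo
```

A result of `gds=vulnerable` or `gds=unreported` together with `avx_visible=yes` means neither a microcode/kernel update nor an AVX-disabling mitigation is in effect on that machine.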
We at fixitgearware advise that customers of these companies, or anyone who uses products manufactured by them, should head straight to the websites of the organizations documented in this article and carry out all security recommendations.
Those who are yet to receive security patches from their vendors should contact their vendor's technical support channels and keep checking the support pages for any new updates or patches that are released.
Please let us know your thoughts about this in the comment section.