Google has disclosed a new vulnerability in Intel processors that threatens to expose sensitive data. The vulnerability, known as Downfall and tracked as CVE-2022-40982, stems from a weakness in how the processor speculatively executes data-gathering instructions, a feature of the superscalar designs that Intel dominates. It affects Intel’s Core processors from the sixth-generation Skylake series to the 11th-generation Tiger Lake chips. The flaw allows an attacker to read data belonging to another user on the same CPU, potentially obtaining passwords, encryption keys, and other valuable information.
The discovery of CVE-2022-40982 was made by Daniel Moghimi, a senior research scientist at Google. He will be discussing his findings at Black Hat USA 2023. Moghimi found that the “Gather” instruction, which is designed for faster access to data in memory, leaked data during speculative execution. This instruction is meant to collect data in memory and move it to the CPU’s vector register. However, Moghimi found that it could be abused by threat actors to leak and steal data.
Moghimi explained that the root cause of the problem is not the Gather instruction itself but the fact that the CPU’s vector register, which is essentially memory inside the CPU core, is shared with other applications. Isolating this memory is difficult, making it vulnerable to data leaks. To exploit CVE-2022-40982, Moghimi developed two attack techniques: Gather Data Sampling and Gather Value Injection. The former allows an attacker to steal data from CPU components, while the latter turns the data leaks into microarchitectural data injections.
While Downfall attacks could be devastating in cloud infrastructures or virtual machines, Moghimi emphasized that endpoint devices are also at risk. In theory, the attack could be executed from a web browser, although this has not been tested for Downfall. If a personal computer is infected with malware, this exploit could enable the malware to steal additional data that it would not otherwise have access to.
Intel has released new microcode updates for CVE-2022-40982, along with a list of affected processors. These updates aim to close off the data leakage but come at a cost. According to Moghimi, some workloads could suffer up to 50% overhead. Disabling the Intel mitigations for performance reasons is strongly discouraged, as it would continue to leak data. Moghimi also noted that other CPU vendors should be alarmed by the Downfall findings, although preliminary tests on AMD Zen2 chips showed no signs of data leakage.
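Because the microcode update is the only mitigation and the article warns against disabling it, a defender's first question is whether a given Linux host actually has it active. The following script is an added example and not part of the article or Intel's guidance. It assumes a Linux kernel recent enough to expose the `gather_data_sampling` entry under `/sys/devices/system/cpu/vulnerabilities/` (mainline 6.5 and distribution backports), and it recognises the `gather_data_sampling=off` boot parameter that switches the mitigation off.

```shell
#!/bin/sh
# Added example (not from the article): report whether the Linux kernel
# considers the Downfall / Gather Data Sampling mitigation active on this host.
# Assumes the kernel exposes the gather_data_sampling sysfs file (6.5+ or a
# distribution backport); older kernels cannot report GDS status at all.

GDS_SYSFS="/sys/devices/system/cpu/vulnerabilities/gather_data_sampling"

# Map the kernel's free-text status line to a coarse verdict that an inventory
# script can act on. The strings follow the kernel's gather_data_sampling
# documentation; anything else is flagged as unrecognised rather than guessed.
classify_gds_status() {
    case "$1" in
        "Not affected")                 echo "not-affected" ;;
        "Mitigation: Microcode"*)       echo "mitigated" ;;
        "Mitigation: AVX disabled"*)    echo "mitigated-avx-disabled" ;;
        "Vulnerable: No microcode")     echo "needs-microcode" ;;
        "Vulnerable"*)                  echo "vulnerable" ;;
        "Unknown"*)                     echo "unknown-hypervisor" ;;
        *)                              echo "unrecognised" ;;
    esac
}

# Return success if the kernel command line ($1) explicitly disables the
# mitigation with gather_data_sampling=off, the setting the article advises against.
cmdline_disables_gds() {
    case " $1 " in
        *" gather_data_sampling=off "*) return 0 ;;
        *)                              return 1 ;;
    esac
}

# Read the live status, print it with the verdict, and exit non-zero when the
# host is still exposed or the status cannot be determined.
report_gds() {
    if [ ! -r "$GDS_SYSFS" ]; then
        echo "kernel does not expose $GDS_SYSFS; GDS status cannot be determined"
        return 2
    fi
    status=$(cat "$GDS_SYSFS")
    verdict=$(classify_gds_status "$status")
    echo "gather_data_sampling: $status  [$verdict]"
    if [ -r /proc/cmdline ] && cmdline_disables_gds "$(cat /proc/cmdline)"; then
        echo "warning: mitigation disabled on the kernel command line (gather_data_sampling=off)"
    fi
    case "$verdict" in
        not-affected|mitigated|mitigated-avx-disabled) return 0 ;;
        *)                                             return 1 ;;
    esac
}

# Run the host check when executed directly; the '|| :' keeps the script from
# aborting a calling shell that has 'set -e' enabled.
report_gds || :
```

Run it as `sh gds_check.sh` on each host and treat any verdict other than `not-affected` or one of the `mitigated` values as an open finding; a `needs-microcode` result means the kernel is ready but the CPU microcode has not been updated, and `unknown-hypervisor` means a guest cannot see whether its host applied the fix.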
The reason CVE-2022-40982 and the Gather-related attacks were not discovered earlier, according to Moghimi, is that there has been less research and focus on SIMD (single instruction, multiple data) instructions and advanced CPU extensions. More attention has been devoted to ordinary instructions following the disclosures of the Meltdown and Spectre vulnerabilities. Moghimi also highlighted the importance of architectural changes in future Intel chips should similar vulnerabilities arise involving multiple instructions leaking data from register files.
In conclusion, the newly discovered vulnerability, CVE-2022-40982, poses a serious threat to Intel chips, potentially exposing sensitive data. Intel has released mitigations in the form of microcode updates, but these updates come with overhead costs. It is important for organizations and users to install these updates and not disable them for performance reasons. Additional research and attention are needed to study this class of vulnerability and its potential impact on other CPU vendors.