Intel and Microsoft have confirmed that almost all of Intel”s desktop processors, prior to 12th Gen CPUs, are vulnerable to a new Transient Execution or Speculative execution side-channel attack called Gather Data Sampling (GDS) vulnerability (codenamed “Downfall”). The new GDS flaw, dubbed “Downfall”, is tracked under CVE-2022-40982.
Intel says that 12th Gen and newer chips, like Alder Lake and Raptor Lake, come with Intel”s Trust Domain eXtension or TDX which isolates virtual machines (VMs) from virtual machine managers (VMMs) or hypervisors, hence isolating them from the rest of the hardware and the system. These hardware-isolated virtual machines are essentially what “Trust Domains” are and hence the name.
On its support document KB5029778, Microsoft explains:
Microsoft is aware of a new transient execution attack named gather data sampling (GDS) or “Downfall.” This vulnerability could be used to infer data from affected CPUs across security boundaries such as user-kernel, processes, virtual machines (VMs), and trusted execution environments.
Intel goes into more detail about Downfall or GDS on its website explaining how attackers can exploit stale data on Intel”s 7th Gen (Kaby Lake), 8th Gen (Coffee Lake), 9th Gen (Coffee Lake refresh), 10th Gen (Comet Lake) and 11th Gen (Rocket Lake on desktop/Tiger Lake on mobile), which lack previously mentioned TDX. It writes:
Gather Data Sampling (GDS) is a transient execution side channel vulnerability affecting certain Intel processors. In some situations when a gather instruction performs certain loads from memory, it may be possible for a malicious attacker to use this type of instruction to infer stale data from previously used vector registers. These entries may correspond to registers previously used by the same thread, or by the sibling thread on the same processor core.
Intel has confirmed the issue is resolved by microcode update (MCU) or Intel Platform Update (IPU) version 20230808 as the mitigation is enabled by default. Hence, users with 7th Gen, up to 11th Gen Intel CPUs are advised to update their motherboard firmware. You can do so by visiting the support section of your motherboard manufacturer”s website.
Though it notes that there may be some performance hit, in which case users can choose to “opt out”. Head over to Intel”s security advisory (INTEL-SA-00828) for more details.
