
Eclypsium Protection for “Downfall” Vulnerabilities on Intel processors

Overview

Amid several recently disclosed vulnerabilities in hardware/CPUs (including a voltage fault injection against AMD CPUs in Tesla vehicles; Zenbleed, AMD CPU attacks discovered by Tavis Ormandy, also a Google researcher; and Inception, a new attack also targeting AMD CPUs), Google researcher Daniel Moghimi disclosed vulnerabilities targeting Intel CPUs dubbed Downfall (CVE-2022-40982). Downfall exploits vulnerabilities associated with speculative execution, a technique used to boost performance that in some scenarios can be manipulated to access sensitive data. The vulnerability impacts 6th-generation (Skylake) through 11th-generation (Tiger Lake) Intel processors.

Detection

Soon after news of the Downfall vulnerability broke, our team added detection for affected devices to the Eclypsium solution. This detection has been added to our platform, with a content update pushed to existing customers.

Risk Analysis

This attack was used to demonstrate stealing cryptographic keys from OpenSSL, stealing secrets from the Linux kernel, breaking Intel SGX, and implementing a high-bandwidth covert channel between separate processes. It is the first hardware attack since the “Meltdown” vulnerability was disclosed that enables a user to steal arbitrary data from the OS kernel without relying on software vulnerabilities or Spectre gadgets.

To exploit this vulnerability and receive secret information that should be protected, the attacker needs to:

  1. Run code on the same physical core.
  2. Execute malicious code with specific instructions.
  3. Perform an analysis of the results. 

Our recommendations for defenders are to check which processors are affected and install the latest microcode update. Intel has provided a comprehensive list of affected processors here. Systems running untrusted code or responsible for separating trust domains are at higher risk.
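A host-level check for the recommendation above, as an added example (not Eclypsium's detection and not code from the original post). It assumes a Linux host whose kernel exposes the Gather Data Sampling status file, the kernel's name for Downfall; the paths and status strings are the kernel's, while the function names and the triage levels are illustrative.

```python
"""Added example: Linux host check for Downfall (CVE-2022-40982)."""
from pathlib import Path

# Status strings the Linux kernel reports for Gather Data Sampling (its name
# for Downfall), mapped to an illustrative triage level and follow-up action.
STATUS = {
    "Not affected": ("ok", "CPU not affected"),
    "Mitigation: Microcode": ("ok", "microcode mitigation active"),
    "Mitigation: Microcode (locked)": ("ok", "microcode mitigation active and locked on"),
    "Mitigation: AVX disabled, no microcode":
        ("warn", "kernel fallback only; install the latest microcode update"),
    "Vulnerable: No microcode": ("fail", "install the latest microcode update"),
    "Vulnerable": ("fail", "mitigation disabled; check the kernel command line"),
    "Unknown: Dependent on hypervisor status":
        ("warn", "guest cannot tell; verify microcode on the hypervisor host"),
}

def first_line(path):
    """Return the first line of a sysfs/procfs file, or None if unreadable."""
    try:
        return Path(path).read_text().splitlines()[0].strip()
    except (OSError, IndexError):
        return None

def microcode_revision(cpuinfo_text):
    """Extract the loaded microcode revision from /proc/cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "microcode":
            return value.strip()
    return None

def assess(root="/"):
    """Collect Downfall-relevant state; `root` lets tests point at a fixture tree."""
    cpu = Path(root) / "sys/devices/system/cpu"
    status = first_line(cpu / "vulnerabilities/gather_data_sampling")
    try:
        cpuinfo = (Path(root) / "proc/cpuinfo").read_text()
    except OSError:
        cpuinfo = ""
    level, action = STATUS.get(
        status, ("warn", "no recognised status; update the kernel and re-check"))
    return {"status": status, "level": level, "action": action,
            "microcode": microcode_revision(cpuinfo),
            # SMT siblings share a physical core, the attack's first precondition.
            "smt_active": first_line(cpu / "smt/active") == "1"}

if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

A `fail` or `warn` result is the cue to compare the reported microcode revision against the vendor's current release for that CPU model and to re-run the check after the update.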

Additional Resources