Intel Downfall & AMD Inception Are The Latest CPU Vulnerabilities Affecting Thousands of PCs


Intel and AMD platforms reportedly face newly surfaced CPU vulnerabilities codenamed Downfall & Inception, impacting the security and performance of several PCs. We will go into each platform's vulnerabilities individually to give readers an idea of the extent of the problems.

Intel DOWNFALL: Vulnerability Compromises HPC at a Large Scale

It has been revealed today that Intel has discovered a new vulnerability named "Downfall," also called GDS (Gather Data Sampling). While the nickname sounds alarming, the exposure, thankfully, doesn't have detrimental impacts and is confined to particular workloads. The newly discovered GDS vulnerability specifically affects processors with the AVX2 and AVX-512 instruction sets. Intel states that GDS doesn't affect the latest-generation CPUs; the Tiger Lake/Ice Lake lineups face disruptions.

Before going into the crux of the matter, an understanding of the AVX2 and AVX-512 instruction sets is necessary. These instruction sets are part of Intel's x86 architecture and enhance a processor's SIMD (Single Instruction, Multiple Data) capabilities. They are especially helpful in workloads that involve heavy computational work, such as simulations and development. Hence, the "Downfall" vulnerability affects specific applications.

Coming back to the topic, the name "Downfall" was coined by Google researcher Daniel Moghimi. It labels a vulnerability that reveals hardware registers to software; in simple terms, it leaks internal contents, potentially leading to data theft.

Before you start worrying, Intel has acknowledged the issue and released a microcode update. However, the company has also stated that the microcode will affect workloads, especially HPC, where Intel has disclosed to its partners that there could be a 50% performance reduction. Intel has also suggested that customers "disable" the microcode if the vulnerability has impacted their system. Here is the company's statement regarding "Downfall":

The security researcher, working within the controlled conditions of a research environment, demonstrated the GDS issue which relies on software using Gather instructions. While this attack would be very complex to pull off outside of such controlled conditions, affected platforms have an available mitigation via a microcode update. Recent Intel processors, including Alder Lake, Raptor Lake, and Sapphire Rapids, are not affected.

Many customers, after reviewing Intel's risk assessment guidance, may determine to turn off the mitigation via switches made available through Windows and Linux operating systems as well as VMMs. In public cloud environments, customers should check with their provider on the feasibility of these switches.

-Intel

The statement above highlights that the vulnerability affects previous-generation CPUs, while recent processors remain untouched. As highlighted by Phoronix, Intel has already released a "20230808 CPU microcode," which contains fixes for 3rd Gen Xeon Scalable CPUs and some Raptor Lake ones. Hence, this suggests that the vulnerability reached current-gen processors with much lesser intensity. Michael Larabel from Phoronix is currently compiling benchmarks to disclose the affected.

To sum it up, if you are an average consumer who isn't into heavy workloads, you shouldn't worry here. However, corporations and clientele relying on HPC and similar applications should track the issue, since it could impact their data. The microcode for the GDS vulnerability will have performance tradeoffs initially, but it will prevent a more significant incident, which in this case is data theft. You can find the full list of affected chips here.

AMD Inception Vulnerability Affecting All Zen CPUs

Moving on to AMD's side, they have also encountered the "Inception" vulnerability. Pretty weird day for the industry, right? It was discovered by a team of professionals at ETH Zurich and could also lead to a data leak.

"Inception" is a vulnerability that involves misguiding a processor by creating an instruction that leads the CPU into a repeating function, ultimately leading to a data leak. While the speeds are as low as bytes per second, this could still be a potential threat for security organizations, since "sensitive" data is often small in size. In AMD's case, the issue spreads out to all existing CPUs, which is alarming. Here is what AMD has to say:

AMD has received an external report titled ‘INCEPTION,’ describing a new speculative side channel attack. AMD believes ‘Inception’ is only potentially exploitable locally, such as via downloaded malware, and recommends customers employ security best practices, including running up-to-date software and malware detection tools. AMD is not aware of any exploit of ‘Inception’ outside the research environment, at this time.

AMD recommends customers apply a µcode patch or BIOS update as applicable for products based on “Zen 3” and “Zen 4” CPU architectures. No µcode patch or BIOS update is necessary for products based on “Zen” or “Zen 2” CPU architectures because these architectures are already designed to flush branch type predictions from the branch predictor.

AMD plans to release updated AGESA versions to Original Equipment Manufacturers (OEMs), Original Design Manufacturers (ODMs) and motherboard manufacturers listed in the AMD security bulletin. Please refer to your OEM, ODM or motherboard manufacturer for a BIOS update specific to your product.

-AMD via ServeTheHome

Well, on AMD's side, things aren't looking good. The "Inception" issue puts a large consumer base at risk, and the company doesn't employ a "mitigation policy" like Intel, which leads to a prolonged fix. We hope that the company issues a fix soon enough; for now, AMD recommends updating the BIOS or applying a "µcode patch," which is basically categorized as a temporary fix. AMD highlights the CPUs affected by the Inception vulnerability on its homepage here.
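
To see whether the microcode and OS mitigations discussed for Downfall and Inception are actually in effect on a Linux host, the kernel's own status files can be read. This is an added example, not part of the original article; it assumes a Linux kernel recent enough to expose the gather_data_sampling (Downfall) and spec_rstack_overflow (Inception) entries in sysfs, and the function names and the VULN_DIR override are illustrative.

```shell
#!/bin/sh
# Report the kernel's view of Downfall (GDS) and Inception (SRSO) mitigation.
# VULN_DIR is an illustrative override used for testing; the default is the
# real sysfs directory.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Map a kernel status string to: not_affected, mitigated, vulnerable, unknown.
# Strings such as "Vulnerable: No microcode" or
# "Vulnerable: Safe RET, no microcode" still count as vulnerable.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Read one sysfs entry. A missing file means the kernel predates the fix and
# cannot report on the issue; that is not the same as "not affected".
check_cpu_vuln() {
    file="$VULN_DIR/$1"
    if [ -r "$file" ]; then
        classify_status "$(cat "$file")"
    else
        echo unreported
    fi
}

# Print one line per vulnerability for the current host.
report() {
    for entry in gather_data_sampling spec_rstack_overflow; do
        printf '%-22s %s\n' "$entry" "$(check_cpu_vuln "$entry")"
    done
}

report
```

An "unreported" result calls for a kernel update before the microcode status can be judged from these files.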


The article has gone quite long, but the recently surfaced vulnerabilities have indeed surprised us. For now, the issue is much more extensive for corporations and people with sensitive data, and as mentioned earlier, an average user shouldn't worry (for now, at least). We will update the article as further developments unfold.

Written by Muhammad Zuhair


Reference: https://wccftech.com
