The Downfall (Gather Data Sampling) Vulnerability on Intel CPUs (CVE-2022-40982)
A vulnerability called Gather Data Sampling (GDS), also known as “Downfall,” may cause the exposure of stale data, and may impact customers using certain Intel CPUs – specifically those that utilize Intel Advanced Vector Extensions 2 (Intel AVX2) and Intel Advanced Vector Extensions 512 (Intel AVX-512). Please read this blog post to learn about this security flaw and how to remedy it, and make sure to check back for any updates.
The Current Status of Gather Data Sampling (GDS)
This transient execution side-channel vulnerability in certain Intel CPUs may allow an attacker to use a data sampling attack to retrieve stale data from previously used AVX2 or AVX-512 vector registers. In the worst-case scenario, an attack can be used to extract cryptographic keys.
According to Red Hat, the Downfall vulnerability can be mitigated by installing updated CPU microcode. This microcode update will be made available in a future release of the microcode_ctl package.
Intel has also published a Gather Data Sampling Technical Paper and Intel Security Advisory INTEL-SA-00828.
What Are the Risks?
Registered as CVE-2022-40982, the GDS, or Downfall, vulnerability may enable the exposure of stale data from previous usage of vector registers due to a CPU hardware optimization. The threat is confined to the same physical processor core and affects data processed by AVX instructions, or by instructions that implicitly use the internal vector registers.
The exposure is limited to a sampling basis and doesn’t directly allow an attacker to control or specify the source of the stale data.
Due to the shared resource nature of virtualization-based systems, where multiple virtual machines may be assigned to the same CPU cores, it is possible to exfiltrate information contained within different security contexts (i.e., other virtual machines or even the host) by exploiting this vulnerability.
The Performance Impact of the Downfall Vulnerability
The microcode mitigation’s performance impact is limited to applications using the gather instructions provided by AVX2 and AVX-512, and the CLWB instruction. Actual performance impact will depend on how heavily an application uses these instructions. Red Hat’s testing showed a significant slowdown in worst-case microbenchmarks but only low single-digit percentage slowdowns in more realistic applications.
So, what can you do right now to protect your systems from the GDS (a.k.a. Downfall) vulnerability?
Install the Microcode Update: Check for the availability of the fix by monitoring the CVE page. The mitigation is enabled by default on affected CPUs after the microcode has been installed regardless of the kernel version in use.
Update the Kernel: This adds vulnerability and mitigation status reporting and the ability to disable the mitigation. The actual fix for the potential security problem is addressed by the microcode update itself, not the kernel patch.
Disable Mitigation (Optional): Users may decide to disable the mitigation after risk analysis by adding gather_data_sampling=off to the kernel command line or using mitigations=off.
Note: The CLWB performance loss is permanent on Skylake architectures regardless of later removal of the mitigation.
After applying the microcode and kernel updates, you can check the mitigation status by running one of the following commands:
# dmesg | grep "GDS: "
[ 0.162571] GDS: Mitigation: Microcode
# cat /sys/devices/system/cpu/vulnerabilities/gather_data_sampling
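To turn those two checks into a repeatable script, here is an added example (not from the original post, and not KernelCare tooling): it classifies the status string read from the gather_data_sampling sysfs file, checks whether the mitigation was switched off on the kernel command line, and maps the result to the remediation step described above. The status strings follow the kernel's gather_data_sampling documentation; the verdict and action keywords are this example's own.

```shell
#!/bin/sh
# Added example: interpret the GDS mitigation status exposed by the kernel.
GDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling

# classify_gds_status STATUS -> one keyword. Prefix matches also cover
# suffixes the kernel may append, e.g. "Mitigation: Microcode (locked)".
classify_gds_status() {
    case "$1" in
        "Mitigation:"*)              echo mitigated ;;     # e.g. Mitigation: Microcode
        "Vulnerable: No microcode"*) echo no-microcode ;;  # kernel patched, microcode not
        "Vulnerable"*)               echo vulnerable ;;    # e.g. mitigation switched off
        "Not affected"*)             echo not-affected ;;
        *)                           echo unknown ;;       # e.g. "Unknown: Dependent on hypervisor status"
    esac
}

# gds_disabled_on_cmdline CMDLINE -> exit 0 when the mitigation was turned off,
# either specifically or via the blanket mitigations=off switch.
gds_disabled_on_cmdline() {
    for arg in $1; do
        case "$arg" in
            gather_data_sampling=off|mitigations=off) return 0 ;;
        esac
    done
    return 1
}

# gds_action VERDICT DISABLED(yes|no) -> next step, following the post's advice.
gds_action() {
    case "$1" in
        mitigated|not-affected) echo none ;;
        no-microcode)           echo install-microcode ;;
        vulnerable) if [ "$2" = yes ]; then echo remove-cmdline-override
                    else echo investigate; fi ;;
        *)                      echo check-hypervisor ;;   # guest: status depends on the host
    esac
}

# check_gds: run the checks on this host; prints "<verdict> <action>".
# A missing sysfs file means the kernel lacks GDS reporting (update the kernel).
check_gds() {
    [ -r "$GDS_SYSFS" ] || { echo "no-sysfs update-kernel"; return 0; }
    status=$(cat "$GDS_SYSFS")
    verdict=$(classify_gds_status "$status")
    disabled=no
    gds_disabled_on_cmdline "$(cat /proc/cmdline 2>/dev/null)" && disabled=yes
    echo "$verdict $(gds_action "$verdict" "$disabled")"
}
check_gds
```

On a virtual machine the "check-hypervisor" outcome means the guest kernel cannot tell whether the host applied the microcode, so the status has to be confirmed with the hypervisor operator.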
We will update this blog post as new pertinent information is discovered about this vulnerability. If you’re a KernelCare Enterprise user, follow our documentation on how to update microcode for the Linux distribution you use. Stay vigilant, and keep your systems updated to remain protected.