"Downfall" Intel CPU Vulnerability Can Impact Performance By 50%

[MarsM4N]

Exactly. But they're also NOT clairvoyant. There are times when it is impossible to see a problem coming until it's already behind you.

They could bigly reduce such "unforeseen consequences" with proper QA. But they're doing the exact opposite, cutting corners wherever they can to increase profits for shareholders. Just look at all the late scandals, not only in tech. Food safety, drug safety, finance, you name it. And when stuff gets public they all act surprised. On top governments let them way too easy of the hook "to protect jobs", which kinda encourages them to not change a thing.

Also it's not surprising that tech security flaws stay undetected for soo long. There are not many people on the planet who actually have a understanding for the tech, and those who do work either for the tech companies, the GOV or bad actors. And none of them are interested in making security flaws public, two of them even abuse them. That's why most security flaws are reported by private researchers.

 

[TumbleGeorge]

It affects too many generations to seem like a "monthly cycle". It still looks to me like a materialized intention to retire these generations at some moment and force customers to buy newer ones.

 

[Patriot]

Downfall also relies on SMT as the attacker should be running on the same core as the victim. These cloud providers should stop running programs from different customers on the same cores.

It's not just a different customer issue, its a about pivoting from a useless VM of one customer to a more useful VM of the same customer. Being able to pivot across VMs is highly useful for a hacker "going deep" (shrugs)

 

[GreiverBlade]

But regardless, I'm not sure if this is an odd thought.. but I can't shake the feeling sometimes that Intel purposely cuts corners to increase performance while increasing security vulnerabilities...

i wrote that, since first vulnerability and first mitigation patch "another "improvement" that made Intel the top dog turned out to be a vulerability?"

well AMD also have some of their own ofc ... but still ...

 

[ncrs]

Downfall also relies on SMT as the attacker should be running on the same core as the victim.

It does not rely on SMT since it works with just context-switching. Disabling SMT is not a mitigation for this vulnerability, from the paper:

Disabling SMT, i.e., hyperthreading can partially mitigate GDS and GVI attacks in exchange for losing performance. A computer with hyperthreading is 30% faster than an identical system [7], which makes disabling SMT expensive for customers. Besides, it does not prevent data leaks across context switching.

 

[AusWolf]

How does one get the microcode update?

 

[Mussels]

These level of attacks are like those early point and click adventure games



You have to take the dog for a walk, find a stick, throw the stick, have the dog get stung by a bee so the dog runs into a lady with an umbrella who throws the umbrella that gets caught in a gust of wind and flies off to impale a pigeon flying nearby that lands on a mans lap, so he throws his briefcase right as he unlocked it and it goes past your eyes so you can get a glimpse of the contents in the reflection of the poop from the pigeon on your shoe.

Or like with ChatGPT where it wouldnt tell you certain forbidden things, but you could ask it to tell you a story about it while pretending to be your grandmother telling a bedtime story and it bypassed the security check - sometimes you just can't predict these things in advance and fixing them could break a thousand other things, or create even worse vulnerabilities.



So many of these attacks tie into SMT/hyperthreading, makes me wonder if that'll die off with E/C cores now.

 

[ncrs]

How does one get the microcode update?

You have two choices: BIOS update from the motherboard vendor or operating system support:

• On Linux you install appropriate packages, for example in Debian intel-microcode or amd64-microcode (for AMD).
• On Windows you have to wait for Microsoft to distribute the updated microcode via Windows Update, they do not do this often and not for every microcode release.

 

[mkdr]

Why no benchmarks for AMD Ryzen so far?

 

[freeagent]

Why no benchmarks for AMD Ryzen so far?

Because this post is about Intel. Not AMD.

 

[AusWolf]

These level of attacks are like those early point and click adventure games



You have to take the dog for a walk, find a stick, throw the stick, have the dog get stung by a bee so the dog runs into a lady with an umbrella who throws the umbrella that gets caught in a gust of wind and flies off to impale a pigeon flying nearby that lands on a mans lap, so he throws his briefcase right as he unlocked it and it goes past your eyes so you can get a glimpse of the contents in the reflection of the poop from the pigeon on your shoe.

Or like with ChatGPT where it wouldnt tell you certain forbidden things, but you could ask it to tell you a story about it while pretending to be your grandmother telling a bedtime story and it bypassed the security check - sometimes you just can't predict these things in advance and fixing them could break a thousand other things, or create even worse vulnerabilities.



So many of these attacks tie into SMT/hyperthreading, makes me wonder if that'll die off with E/C cores now.

It makes me wonder if these vulnerabilities really deserve the attention they get. I mean, sure, someone could potentially hack your PC doing the point-and-click steps you described, but why would they?

These news are way more important for businesses than for us, imo.

 

[R0H1T]

There are probably a lot more vulnerabilities which aren't going to be reported, some baked in by you know who! Patching them would probably be just as easy (or hard) as Smeltdown but they won't get the press we need mostly because of vested interests. Yeah looking at you NSA

 

[lexluthermiester]

They could bigly reduce such "unforeseen consequences" with proper QA.

I presume you're being silly.

How does one get the microcode update?

Don't worry about it. I've been studying this. It's another one of those "It's possible but so difficult to pull off in the wild that the common user will never encounter it" kinds of things. Businesses and Corps need to worry about this. The general populace does not.

And before anyone says it, there will not be any JS based exploits one can load in a browser page. It's detailed in the description;

CVE - CVE-2022-40982

cve.mitre.org

"Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access."
Admin/Root access is required in addition to local(direct physical) access to the system in question. Remote exploitation is not possible without direct user action and interaction.

There are probably a lot more vulnerabilities which aren't going to be reported, some baked in by you know who! Patching them would probably be just as easy (or hard) as Smeltdown but they won't get the press we need mostly because of vested interests. Yeah looking at you NSA

Oh please with that tin-hat nonsense...

 

[mkdr]

Don't worry about it. I've been studying this. It's another one of those "It's possible but so difficult to pull off in the wild that the common user will never encounter it" kinds of things.

what you mean with that? everyone will get the mitigation microcode updates over time, forced by Windows and Linux updates. so you should not worry about your Pc becoming super slow? im not worried about security, im worried only about performance.

 

[lexluthermiester]

what you mean with that? everyone will get the mitigation microcode updates over time, forced by Windows and Linux updates. so you should not worry about your Pc becoming super slow? im not worried about security, im worried only about performance.

No. What I'm saying is that that like all the other "patches", you can quite safely skip it, block it, remove it, whatever and not actually effect the safety and security of your PC.

Put another way, this is very nearly nothing-sauce. The user does NOT need to worry about it.

 

[mkdr]

safely skip it, block it, remove it

you cant.

 

[Ferrum Master]

what you mean with that? everyone will get the mitigation microcode updates over time, forced by Windows and Linux updates. so you should not worry about your Pc becoming super slow? im not worried about security, im worried only about performance.

You cannot disable them all in windows, it is baked in kernel. You will not have a choice.

Don't care use linux. Add in grub mitigations=off and run it like in 2010.

 

[lexluthermiester]

you cant.

Yes, you can.

You cannot disable them all in windows, it is baked in kernel. You will not have a choice.

Totally not true.

But I'm not getting into this silly debate/argument.

 

[mkdr]

Yes, you can.

The mCode will be included in the next AGESA / Intel bios update, ERGO are you forced to install it if you want the next updates too, as simple as that. You cant block mCode updates under Windows easily, you need to delete dll files in system folder which is just BAD BAD BAD, and Windows will replace them next boot. The registry mitigation toggle are not for every mitigations, just most of them, and also you dont know YET if the mitigations for Downfall and Inceptions also will get a toggle under Windows like Spectre and Meltdown.

 

[AusWolf]

The mCode will be included in the next AGESA / Intel bios update, ERGO are you forced to install it if you want the next updates too, as simple as that. You cant block mCode updates under Windows easily, you need to delete dll files in system folder which is just BAD BAD BAD, and Windows will replace them next boot. The registry mitigation toggle are not for every mitigations, just most of them, and also you dont know YET if the mitigations for Downfall and Inceptions also will get a toggle under Windows like Spectre and Meltdown.

That begs the question: do you really need the next BIOS update?

 

[lexluthermiester]

The mCode will be included in the next AGESA / Intel bios update

Perhaps.

ERGO are you forced to install it if you want the next updates too, as simple as that.

You really don't understand how things really work do you? That's ok. You carry on..

 

[ncrs]

And before anyone says it, there will not be any JS based exploits one can load in a browser page. It's detailed in the description;

CVE - CVE-2022-40982

cve.mitre.org

"Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access."

Please don't spread disinformation. In CVSS v3 and newer Attack Vector: Local does not mean what you think it means.

From the CVSS v3.1 specification:

Local (L)

The vulnerable component is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)

This means that making a user visit a compromised website is also considered "local". So potentially this vulnerability could be exploited "remotely" via a web browser.

Admin/Root access is required in addition to local(direct physical) access to the system in question. Remote exploitation is not possible without direct user action and interaction.

That's not true. In CVSS v3 and never direct physical requirement is denoted by AV: P - Physical.
Please read the actual paper as well. It clearly states that the exploit works from non-admin accounts:

Discovered vulnerability The observed data leak confirms a critical vulnerability that is exploitable from user space.

 

[lexluthermiester]

That begs the question: do you really need the next BIOS update?

There's an old saying, if not broken, don't fix it...

These level of attacks are like those early point and click adventure games.

You have to take the dog for a walk, find a stick, throw the stick, have the dog get stung by a bee so the dog runs into a lady with an umbrella who throws the umbrella that gets caught in a gust of wind and flies off to impale a pigeon flying nearby that lands on a mans lap, so he throws his briefcase right as he unlocked it and it goes past your eyes so you can get a glimpse of the contents in the reflection of the poop from the pigeon on your shoe.

THIS!

 

[mkdr]

do you really need the next BIOS update?

Yes I need them. AMD AGESA updates are needed, as shown in the last years. Every single AGESA update was a big "yes you need it" update. For Intel, not really.

 

[lexluthermiester]

Every single AGESA update was a big "yes you need it" update.

No they are not. And if you really believe that, I have a bridge in Brooklyn NYC I'd like to sell you...