
New Downfall Attack Could Lead to Sensitive Data Leakage on Intel Processors

source link: https://www.infoq.com/news/2023/08/downafall-attack-intel-cpus/


Aug 17, 2023

Security researcher Daniel Moghimi discovered a new side-channel vulnerability affecting Intel processors that could be exploited to steal data from other users or apps running on the same computer. Dubbed Downfall, the vulnerability has been patched by Intel and mitigated by most major OS vendors.

According to Moghimi, a senior research scientist at Google, most computer users are affected by Downfall, either directly or indirectly, given the share of the cloud computing market that Intel processors hold. In Downfall's case, additionally, even disconnected devices, such as laptop and desktop computers, are affected.

A malicious app obtained from an app store could use the Downfall attack to steal sensitive information like passwords, encryption keys, and private data such as banking details, personal emails, and messages.

Affected CPUs include any Intel Core processor from the Skylake to the Tiger Lake generations. This spans a significant number of years, since Skylake was introduced in 2014.

Downfall is caused by a memory optimization feature in those Intel processors aimed at speeding up access to scattered data in memory using the Gather instruction. As Moghimi demonstrated, this instruction leaks the content of the internal vector register file during speculative execution, which makes the content of hardware registers unintentionally available to any software running on the same CPU. This implies an untrusted program can access data stored in those registers by other programs.

To demonstrate Downfall, Moghimi developed two attack techniques, named Gather Data Sampling (GDS) and Gather Value Injection (GVI), and showed how they can be used to steal 128-bit and 256-bit AES keys or arbitrary data from the Linux kernel, and even spy on printable characters. Moghimi says that GDS is highly practical and that it took him only two weeks to carry out a first successful attack.

On the positive side, this vulnerability does not seem to be easily exploitable without physical access to the target computer. Indeed, says Moghimi, there is no current evidence that a Downfall attack could be carried out in a browser.

To prevent this vulnerability from being exploited, Intel released firmware updates for all affected CPUs. The microcode updates are available in Intel's public GitHub repository. Non-SGX processors may be patched at the OS level, while SGX CPUs require a more complex process.

Debian, Ubuntu, Gentoo and others have already made microcode updates available, while Red Hat stated that a microcode update will be made available in a coming release of their microcode package. Amazon, Google, and Microsoft have all released statements to inform their users of the possible impact of this vulnerability.
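
To confirm that a Linux host actually picked up the microcode mitigation described above, the kernel's own GDS status report can be read and classified. This is an added example, not code from the article, Intel or Moghimi; the sysfs path and status strings are assumptions taken from the Linux kernel's hardware-vulnerability documentation, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify the kernel's Gather Data Sampling (Downfall) status.
# Assumption: the sysfs path and status strings follow the Linux kernel's
# hw-vuln documentation; neither appears in the article itself.
GDS_SYSFS="${GDS_SYSFS:-/sys/devices/system/cpu/vulnerabilities/gather_data_sampling}"

# classify_gds STATUS -> prints mitigated | partial | vulnerable | unknown
classify_gds() {
    case "$1" in
        "Not affected"*|"Mitigation: Microcode"*) echo mitigated ;;
        # AVX switched off as a software fallback; microcode is still missing.
        "Mitigation: AVX disabled"*) echo partial ;;
        "Vulnerable"*) echo vulnerable ;;
        # Includes "Unknown: Dependent on hypervisor status" inside a guest VM.
        *) echo unknown ;;
    esac
}

# check_gds [FILE] -> prints "<verdict>: <raw status>"
# Returns 0 if mitigated, 1 if microcode is still needed, 2 if undetermined.
check_gds() {
    gds_file="${1:-$GDS_SYSFS}"
    if [ ! -r "$gds_file" ]; then
        echo "unknown: $gds_file not readable (kernel may predate GDS reporting)"
        return 2
    fi
    gds_status=$(cat "$gds_file")
    gds_verdict=$(classify_gds "$gds_status")
    echo "$gds_verdict: $gds_status"
    case "$gds_verdict" in
        mitigated) return 0 ;;
        partial|vulnerable) return 1 ;;
        *) return 2 ;;
    esac
}

# Constructed sample status lines, so the classifier can be exercised offline.
for sample in "Mitigation: Microcode (locked)" "Vulnerable: No microcode" \
              "Unknown: Dependent on hypervisor status"; do
    printf '%-42s -> %s\n' "$sample" "$(classify_gds "$sample")"
done
```

On a live host, call `check_gds` with no argument and use its exit status in a fleet compliance check.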

About the Author

Sergio De Simone

Sergio De Simone is a software engineer. Sergio has been working as a software engineer for over fifteen years across a range of different projects and companies, including such different work environments as Siemens, HP, and small startups. For the last few years, his focus has been on development for mobile platforms and related technologies. He is currently working for BigML, Inc., where he leads iOS and OS X development.

