Gather Data Sampling / CVE-2022-40982 / INTEL-SA-00828

ID 标签 785675
已更新 8/14/2023
版本 1.0
公共

Key Takeaways

  • Intel is providing a microcode update to mitigate GDS. No software changes are required to enable the mitigation.

  • Users should carefully consider the threat model applicable to their systems when deciding whether and where to mitigate GDS.

  • Intel is not aware of any instance of any of this vulnerability being exploited outside a controlled lab environment.

  • Operating system vendors (OSVs) provide options to opt out of the GDS mitigation.

author-image

作者

 Disclosure date: 
2023-08-08
Published date: 
2023-08-08
Shield Icon #74443 - Free Icons LibrarySeverity rating: 6.5 Medium Industry-wide severity ratings can be found in the National Vulnerability Database

Related Content

Aliases

  • Downfall

Overview

Gather Data Sampling (GDS) is a transient execution side channel vulnerability affecting certain Intel processors. In some situations when a gather instruction performs certain loads from memory, it may be possible for a malicious attacker to use this type of instruction to infer stale data from previously used vector registers. Similar to data sampling transient execution attacks like Microarchitectural Data Sampling (MDS), GDS may allow a malicious actor who can locally execute code on a system to infer the values of secret data which is otherwise protected by architectural mechanisms. GDS differs from the MDS vulnerabilities in both the method of exposure (which is limited to the set of gather instructions), and in the data exposed (stale vector register data only). Neither MDS nor GDS, by themselves, provide malicious actors the ability to choose which data is inferred using these methods.

GDS is assigned CVE-2022-40982 CVSS Base Score 6.5 Medium CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N.

Intel is providing a microcode update to mitigate GDS. No software changes are required to enable the mitigation. System administrators, application developers, and users should carefully consider the threat model applicable to their systems when deciding whether and where to mitigate GDS. Based on the environmental threat model, users may disable the GDS mitigation with options provided by operating system vendors (OSVs).

Intel is not aware of any instance of any of this vulnerability being exploited outside a controlled lab environment. 

For additional details, refer to the Gather Data Sampling technical documentation

Impact Summary

Malicious software may be able to infer data previously stored in vector registers used by either the same thread, or the sibling thread on the same physical core. These registers may have been used by other security domains such as other virtual machine (VM) guests, the operating system (OS) kernel, or Intel® Software Guard Extensions (Intel® SGX) enclaves. Note that no processors that support Intel® Trust Domain Extension (Intel® TDX) are affected by GDS. 

Mitigation

Intel is releasing a microcode update which blocks transient results of gather instructions to prevent attacker code from observing speculative results of gather loads. The mitigation is enabled by default when the patch is loaded, and cross-thread exposure is mitigated even with hyperthreading enabled. The microcode update provides an MSR interface that allows software to opt-out of the mitigation.

On processors affected by GDS, if Intel SGX is enabled and hyperthreading is disabled, loading the updated microcode will mitigate any potential direct attacks using GDS against Intel SGX enclaves. If Intel SGX is not enabled or if hyperthreading is enabled, the mitigation will not be locked, and system software can choose to enable or disable the GDS mitigation. There will be an Intel SGX TCB Recovery for those Intel SGX-capable affected processors.

No processors that support Intel TDX are affected by GDS.

For additional details, refer to the Gather Data Sampling technical documentation

Affected Processors

Refer to the 2022-2023 tab of the consolidated Affected Processors table: Gather Data Sampling column. 

Software Security Guidance Home | Advisory Guidance | Technical Documentation | Best Practices | Resources