Intel Downfall Fallout: Processor Purchasers File Lawsuits Over Security Flaws
In August this year, Intel disclosed a security vulnerability named “Downfall,” tracked as “CVE-2022-40982.” This flaw leverages “Gather Data Sampling” to pilfer data and sensitive information from other users on the same computer, and it affects numerous Core processors from the 6th generation Skylake to the 11th generation Rocket Lake and Tiger Lake.
According to media reports, several Intel processor purchasers have filed lawsuits, claiming that Intel was aware of the AVX side-channel vulnerability as early as 2018. However, Intel did not prioritize fixing architectural issues until the discovery of the “Downfall” vulnerability, which left millions of users vulnerable to security threats. Intel subsequently released updated microcode to address the “Downfall” vulnerability, but the fix may result in significant performance degradation, potentially up to 50%.
The lawsuits mention that Intel, while addressing the Spectre and Meltdown vulnerabilities in 2018, had already received reports from third-party researchers warning about the AVX side-channel vulnerability. Despite being aware of the situation five years ago, Intel seemingly disregarded it. Rumors suggest that Intel implemented a “secret buffer” related to the AVX instruction set, intending to temporarily suppress the vulnerability’s threat. However, this approach failed to resolve the issue and instead exacerbated it, leading to data and sensitive information theft.
“Worse yet, Intel had implemented secret buffers associated with these instructions, which it never disclosed to anyone,” the complaint says.
“These secret buffers, coupled with side effects left in CPU cache, opened what was tantamount to a backdoor in Intel’s CPUs, allowing an attacker to use AVX instructions to easily obtain sensitive information from memory — including encryption keys used for Advanced Encryption Standard (‘AES’) encryption — by exploiting the very design flaw that Intel had supposedly fixed after Spectre and Meltdown.”
The allegations in the lawsuits are serious, but Intel has yet to respond to these claims.