Thursday, November 30, 2023

Intel is Being Sued Over the ‘Downfall’ CPU Vulnerability for $10K per Plaintiff

A class-action lawsuit had been filed against Intel due to a critical “Downfall” vulnerability in Intel CPUs, a defect that Intel was aware of since 2018 but neglected to report.

According to Intel, the only way to “fix” it is to apply a patch that reduces CPU performance by up to 50% when performing some common computing tasks, such as encryption, gaming, and photo and video editing.

The plaintiffs are purchasers of Intel Central Processing Units (or “CPUs”). As a result, they are left with defective CPUs that are either extremely exposed to attacks or require drastic slowdowns.

Reports say they are not the CPUs that the class members and plaintiffs bought. They are significantly less valuable and perform very differently.

Five representative plaintiffs have filed a 112-page complaint in the San Jose Division of the Northern District of California United States District Court, claiming that Intel was aware of faulty instructions that allowed for the “Downfall” bug half a decade before any sort of fix was made available.

Plaintiffs seek compensation for Intel’s willful choice to sell processors with an obviously flawed design without disclosing the fact, as well as for a purported “fix” that destroys their CPU’s performance.

Downfall Attacks Found in Billions of Modern Processors

The vulnerability was identified as CVE-2022-40982, a 6.5 medium CVSS-rated information disclosure vulnerability in Intel’s sixth to eleventh-generation CPUs.

“Attackers can exploit the vulnerability and read data from other programs and memory areas,” the report said.

Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

Downfall attacks target a critical flaw identified in billions of modern CPUs used in personal and cloud systems. This vulnerability allows a user to get access to and steal data from other users who share the same machine.

Daniel Moghimi, a security expert at Google, reported the vulnerability to Intel on August 24, 2022, but only made the vulnerability public on August 9, 2023.

High-end CPUs started to use branch prediction in the 1990s. This speculative process was meant to keep the CPU from stalling while it waited for data from relatively slow system memory. 

This technique made significant gains in computing power and efficiency possible, which also paved the way for the development of additional “speculative execution” strategies, such as subsystems that let CPUs carry instructions out of order and even anticipate how they will be executed in the future.

All modern CPUs have had these execution features in place for over ten years. These days, they are an essential component of every CPU produced by Intel and its rivals, and without them, the CPU performance cannot be anticipated to be high enough.

Modern CPUs also require “segmentation,” which means that privileged computer programs and the resources they consume (such as system memory and hardware) must be kept separate from user-run programs. This is also a fundamental feature of all modern CPUs.

However, Intel defectively designed these critical systems in billions of their CPUs. Intel CPUs are designed to discard the results of an execution if the CPU makes an incorrect assumption when speculatively executing instructions.

Rather, Intel’s CPUs leave behind “side effects”—data that persists in the CPU’s cache memory or temporary buffers even after the outcomes of the speculative execution are discarded.

“For years, Intel knowingly sold billions of CPUs with this massive vulnerability, which imperiled the foundation of secure networking, secure communications, and secure data storage for Intel CPUs used in PCs, in cloud servers, and in embedded computers used across the country in functional MRIs, power grids, and industrial control systems,” the report said.

After disclosing the Downfall vulnerability, Intel released a microcode upgrade that purportedly addressed the vulnerability. 

The truth is that Intel’s “mitigation” severely restricted the same systems—speculative execution and branch prediction—that are essential to the operation of any modern CPU, causing impacted CPUs to perform as much as 50% worse.

To “mitigate” their vulnerability to Downfall, plaintiffs are left with defective CPUs that must have significant performance and functionality impairments. These are not the CPUs they purchased.

Hence, the prosecution is seeking “monetary relief against Intel measured as the greater of (a) actual damages in an amount to be determined at trial or (b) statutory damages in the amount of $10,000 for each plaintiff.”

Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications: Try Free Trial.


Latest articles

Chrome Zero-Day Vulnerability That Exploited In The Wild

Google has fixed the sixth Chrome zero-day bug that was exploited in the wild this...

Iranian Mobile Banking Malware Steal Login Credentials & Steal OTP Codes

An Android malware campaign was previously discovered that distributed banking trojans targeting four major...

BLUFFS: Six New Attacks that Break Secrecy of Bluetooth Sessions

Six novel Bluetooth attack methods have been discovered, which were named BLUFFS (Bluetooth Forward...

Google Workspace’s Design Flaw Allows Attacker Unauthorized Access

Recent years saw a surge in cloud tech adoption, highlighting the efficiency through tools...

Serial ‘SIM Swapper’ Sentenced to Eight Years in Prison

In a digital age marred by deceit, 25-year-old Amir Hossein Golshan stands as a...

Design Flaw in Domain-Wide Delegation Could Leave Google Workspace Vulnerable to Takeover – Hunters

BOSTON, MASS. and TEL AVIV, ISRAEL, November 28, 2023 - A severe design flaw...

Hackers Behind High-Profile Ransomware Attacks on 71 Countries Arrested

Hackers launched ransomware attacks to extort money from the following two entities by encrypting...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles