CPU Downfall and Zenbleed class attacks

Summary

Two side-channel hardware vulnerabilities, named Downfall (CVE-2022-40982) and Zenbleed (CVE-2023-20593), impact Intel and AMD processors respectively.
"Downfall attacks target a critical weakness found in billions of modern processors used in personal and cloud computers. This vulnerability, identified as CVE-2022-40982, enables a user to access and steal data from other users who share the same computer. For instance, a malicious app obtained from an app store could use the Downfall attack to steal sensitive information like passwords, encryption keys, and private data such as banking details, personal emails, and messages." [1]
"The vulnerability is caused by memory optimization features in Intel processors that unintentionally reveal internal hardware registers to software." [1]
"Zenbleed, affecting AMD CPUs, shows that incorrectly implemented speculative execution of the SIMD Zeroupper instruction leaks stale data from physical hardware registers to software registers. Zeroupper instructions should clear the data in the upper-half of SIMD registers (e.g., 256-bit register YMM) which on Zen2 processors is done by just setting a flag that marks the upper half of the register as zero. However, if on the same cycle as a register to register move the Zeroupper instruction is mis-speculated, the zero flag doesn't get rolled back properly, leading to the upper-half of the YMM register to hold stale data rather than the value of zero. Similar to Downfall, leaking stale data from physical hardware registers expose the data from other users who share the same CPU core and its internal physical registers." [2]
These vulnerabilities may allow a local attacker to access sensitive information: the contents of entire XMM/YMM/ZMM registers (Downfall) and the upper half of 256-bit YMM registers (Zenbleed).
Zenbleed impacts all Zen 2 class processors:
- AMD Ryzen 3000 Series Processors
- AMD Ryzen PRO 3000 Series Processors
- AMD Ryzen Threadripper 3000 Series Processors
- AMD Ryzen 4000 Series Processors with Radeon Graphics
- AMD Ryzen PRO 4000 Series Processors
- AMD Ryzen 5000 Series Processors with Radeon Graphics
- AMD Ryzen 7020 Series Processors with Radeon Graphics
- AMD EPYC “Rome” Processors
Downfall impacts Intel processors from the 6th generation (Skylake) up to and including the 11th generation (Tiger Lake).
[1] https://downfall.page/
[2] https://security.googleblog.com/2023/08/downfall-and-zenbleed-googlers-helping.html
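
A host-side triage check for the processor lists above, as an added example that is not part of the original advisory and is not Fortinet code. It assumes a Linux host: Downfall status is read from the kernel's gather_data_sampling sysfs report (GDS is the kernel's name for Downfall), and the Zen 2 model ranges are an assumption taken from how the Linux kernel classifies AMD family 0x17 parts. The sample /proc/cpuinfo text is constructed.

```python
from pathlib import Path

# Kernel report for Downfall (Gather Data Sampling); absent on older kernels.
GDS_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/gather_data_sampling")
# Assumption: AMD family 0x17 model ranges the Linux kernel treats as Zen 2.
ZEN2_MODELS = [(0x30, 0x4F), (0x60, 0x7F), (0x90, 0x91), (0xA0, 0xAF)]
ZENBLEED_AFFECTED = "affected CPU: confirm microcode or kernel mitigation"
GDS_UNKNOWN = "unknown: kernel does not report GDS status"
NOT_AFFECTED = "not affected"

# Constructed sample of /proc/cpuinfo for an EPYC "Rome" part.
SAMPLE_ROME = (
    "processor\t: 0\nvendor_id\t: AuthenticAMD\ncpu family\t: 23\n"
    "model\t\t: 49\nmodel name\t: AMD EPYC 7302 16-Core Processor\n"
)

def parse_cpuinfo(text):
    """Return (vendor, family, model) of the first processor entry."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() not in fields:
            fields[key.strip()] = value.strip()
    return (fields.get("vendor_id", ""),
            int(fields.get("cpu family", -1)),
            int(fields.get("model", -1)))

def triage(cpuinfo_text, gds_status=None):
    """Classify a host for Downfall and Zenbleed from cpuinfo and sysfs text."""
    vendor, family, model = parse_cpuinfo(cpuinfo_text)
    findings = {"downfall": NOT_AFFECTED, "zenbleed": NOT_AFFECTED}
    if vendor == "GenuineIntel":
        # Trust the kernel's verdict instead of keeping an Intel model table.
        findings["downfall"] = gds_status.strip() if gds_status else GDS_UNKNOWN
    elif vendor == "AuthenticAMD" and family == 0x17:
        if any(lo <= model <= hi for lo, hi in ZEN2_MODELS):
            findings["zenbleed"] = ZENBLEED_AFFECTED
    return findings

if __name__ == "__main__":
    gds = GDS_SYSFS.read_text() if GDS_SYSFS.exists() else None
    print(triage(Path("/proc/cpuinfo").read_text(), gds))
```

A "Vulnerable" or "Vulnerable: No microcode" value in the Downfall field means the host still needs the Intel microcode update.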

Affected Products

Fortinet products are designed to not permit arbitrary code execution in the user space under regular conditions. Thus, even if the ongoing investigation reveals that certain products are affected, Downfall and Zenbleed exploitation would only be possible if the attack is combined with an additional local or remote code execution vulnerability.
At this stage of the investigation, the following products have been confirmed to not embed the affected processors, and are therefore NOT affected:
- FortiSIEM
- FortiOS
- FortiWeb
- FortiMail
- FortiSwitch
- FortiManager
- FortiAnalyzer
- FortiADC
- FortiAuthenticator

Timeline

2023-09-20: Initial publication