EGI SVG Advisories

Advisory-SVG-CVE-2022-40982

Title:   EGI SVG 'ADVISORY' [TLP:CLEAR]  HIGH risk Intel Downfall Vulnerability
[EGI-SVG-CVE-2022-40982]

Date:    2023-08-16
Updated: 2023-10-19, 2024-02-19

Affected software and risk
==========================

HIGH risk vulnerability concerning some Intel processors 

Package    : Intel processor firmware
CVE ID     : CVE-2022-40982
CVSS Score : 6.5 [R 1]

A potential security vulnerability in some Intel® Processors may allow
information disclosure.  Intel is releasing firmware updates and an optional
software sequence to mitigate this potential vulnerability. [R 2] [R 3]
    
**UPDATE 2024-02-19**

Red Hat has released updates for several Linux versions since this advisory
was last updated, up to and including 7 February 2024, but not yet for
RHEL 7.

Actions required/recommended
============================

Sites are recommended to check whether their processors are affected and, if
they are, to update when updates are available.

Intel recommends that users of affected Intel® Processors update to the
latest version firmware provided by the system manufacturer that addresses
these issues.

Various Linux distributions have provided, or plan to provide, this Intel
microcode fix as part of their distributions, and sites may find it more
convenient to update by that route.

However, as there are reports of potentially significant, workflow-dependent
performance degradations that a site may deem unacceptable at this time, the
updated microcode provides a control to turn off the mitigation (on Linux this
is exposed as the `gather_data_sampling=off` kernel command-line parameter),
as detailed e.g. in [R 4]. A site that disables it accepts the
cross-user data leakage described under "More information" below.


Component installation information
==================================

Sites that wish to update soon should see the Intel advisory [R 2]

Sites running RHEL should see [R 4], [R 5]

Note that Red Hat states that "this microcode update will be made available
by Red Hat in a further release of the `microcode_ctl` package." [R 4]

**UPDATE 2023-10-19**
On 6 October 2023 Red Hat marked [R 4] as 'Solution Verified', the solution
being to update the microcode firmware to version 20230808 or later.

**UPDATE 2024-02-19**
More updates are available for RHEL.

Sites running CentOS should also see [R 4], [R 5], [R 6]

Sites running Debian should see [R 7]

Sites running Ubuntu should see [R 8]

Sites running RockyLinux should see [R 9] 

Sites running Almalinux should see [R 10]


Mitigation
==========

The vulnerability can be mitigated by installing updated CPU microcode,
Version 20230808 or later. [R 4]
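The two checks the advisory asks sites to make (under "Actions
required/recommended": is the processor affected, and has the mitigation been
turned off for performance reasons; and under "Mitigation": is microcode
20230808 or later installed) can be scripted. The script below is an added
example and is not part of the EGI SVG advisory nor of any vendor's tooling.
It relies on the sysfs entry and status strings the Linux kernel uses for
Gather Data Sampling (kernel 6.5 and distribution backports), on the package
names `microcode_ctl` (RHEL family) and `intel-microcode` (Debian/Ubuntu), and
on the 20230808 release date taken from [R 4]; the sample version strings in
the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the EGI SVG advisory: classify a Linux host's
# Downfall / Gather Data Sampling (GDS, CVE-2022-40982) status from the
# kernel's sysfs report and from the installed microcode package version.
# Sample version strings in the comments are constructed; the sysfs path and
# status strings are those used by the Linux kernel.

# Where the kernel publishes its GDS assessment (kernel 6.5+ and distribution
# backports that carry the GDS patches).
GDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling

# gds_classify STATUS_LINE -> prints ok | vulnerable | disabled | unknown
# STATUS_LINE is the one-line content of $GDS_SYSFS.
gds_classify() {
    case "$1" in
        "Not affected"*)             echo ok ;;          # CPU not in the affected list
        "Mitigation: Microcode"*)    echo ok ;;          # also covers "... (locked)"
        "Vulnerable: No microcode")  echo vulnerable ;;  # fixed microcode not loaded
        "Vulnerable")                echo disabled ;;    # fixed microcode present, mitigation turned off
        *)                           echo unknown ;;     # e.g. "Unknown: Dependent on hypervisor status" (guest VM)
    esac
}

# microcode_release_date VERSION -> prints the YYYYMMDD release date embedded in
# a microcode package version, or nothing when the version carries no date.
# Handles e.g. "20230808-2.el8" (RHEL 8/9, Rocky, Alma microcode_ctl) and
# "3.20230808.1" (Debian/Ubuntu intel-microcode). RHEL 7's microcode_ctl
# ("2.1-73.x.el7") carries no date, so for RHEL 7 the answer must come from [R 4].
microcode_release_date() {
    printf '%s\n' "$1" | sed -n 's/.*\(20[0-9][0-9][01][0-9][0-3][0-9]\).*/\1/p' | head -n 1
}

# microcode_release_ok VERSION -> succeeds when the embedded release date is
# 20230808 or later, the first Intel microcode release carrying the GDS fix.
microcode_release_ok() {
    d=$(microcode_release_date "$1")
    if [ -n "$d" ] && [ "$d" -ge 20230808 ]; then
        return 0
    fi
    return 1
}

# check_host: report what this machine says about itself. Every probe is
# optional, so the function is safe to run on any system.
check_host() {
    if [ -r "$GDS_SYSFS" ]; then
        status=$(cat "$GDS_SYSFS")
        printf 'kernel: %s -> %s\n' "$status" "$(gds_classify "$status")"
    else
        echo 'kernel: no gather_data_sampling entry (kernel predates GDS reporting, or not Linux)'
    fi
    if grep -qw 'gather_data_sampling=off' /proc/cmdline 2>/dev/null; then
        echo 'note: mitigation explicitly disabled on the kernel command line'
    fi
    # Running microcode revision as the CPU reports it (a hex revision, to be
    # compared against Intel's per-model table rather than against a date).
    grep -m 1 '^microcode' /proc/cpuinfo 2>/dev/null || true
    pkg=
    if command -v rpm >/dev/null 2>&1 && rpm -q microcode_ctl >/dev/null 2>&1; then
        pkg=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' microcode_ctl 2>/dev/null | head -n 1)
    elif command -v dpkg-query >/dev/null 2>&1; then
        pkg=$(dpkg-query -W -f '${Version}\n' intel-microcode 2>/dev/null | head -n 1)
    fi
    if [ -n "$pkg" ]; then
        if microcode_release_ok "$pkg"; then
            printf 'package: %s -> release date >= 20230808, fix included\n' "$pkg"
        else
            printf 'package: %s -> no fixed release date found, check [R 4] for your distribution\n' "$pkg"
        fi
    else
        echo 'package: no microcode_ctl / intel-microcode package found'
    fi
}

check_host
```

Two points a site should keep in mind when reading the output: inside a
virtual machine the kernel reports "Unknown: Dependent on hypervisor status",
because the guest cannot see whether the host's microcode is fixed, so the
check has to be run on the hypervisor itself (the cloud scenario in "More
information"); and a package whose version date is 20230808 or later only
helps once the new microcode has actually been loaded, which on most
distributions means a reboot after the update.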


More information
================

Although Red Hat and others consider this to be 'Medium' risk, with a
CVSS score of 6.5, we the EGI SVG consider it to be 'High' risk because in
Grid and Cloud computing the processors are shared by many users.
[R 3], for example, states that in cloud computing environments a malicious
customer could exploit the Downfall vulnerability to steal data and
credentials from other customers who share the same cloud computer.
    
Some performance degradation has been reported resulting from these updates.
At present, we do not know to what extent grid and cloud workflows at EGI
sites may be affected.
    
TLP and URL
===========

** CLEAR information - Unlimited distribution
- see https://confluence.egi.eu/display/EGIG/Traffic+Light+Protocol
for distribution restrictions **

URL:   https://advisories.egi.eu/Advisory-SVG-CVE-2022-40982 

Minor updates may be made without re-distribution to the sites.

Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of another vulnerability which is relevant
to EGI you may report it by e-mail to

report-vulnerability at egi.eu

the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 99].


References
==========
    
[R 1] https://nvd.nist.gov/vuln/detail/CVE-2022-40982

[R 2] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html
    
[R 3] https://downfall.page/ 

[R 4] https://access.redhat.com/solutions/7027704
  
[R 5] https://access.redhat.com/security/cve/CVE-2022-40982 

[R 6] https://lists.centos.org/pipermail/centos-announce/

[R 7] https://security-tracker.debian.org/tracker/CVE-2022-40982 

[R 8] https://ubuntu.com/security/CVE-2022-40982

[R 9] https://errata.build.resf.org/

[R 10] https://errata.almalinux.org/


[R 99] https://documents.egi.eu/public/ShowDocument?docid=3867

Credit
======

SVG was alerted to this vulnerability by the UK security team and again by
Maarten Litmaath.

Timeline  
========
Yyyy-mm-dd  [EGI-SVG-CVE-2022-40982] 

2023-08-09 SVG alerted to this issue by the UK security team
2023-08--- Investigation of vulnerability and relevance to EGI carried out
2023-08-15 EGI SVG Risk Assessment completed 
2023-08-16 Advisory/Alert sent to sites
2023-10-19 Updated and placed on advisories.egi.eu
2024-02-19 Updated as more updates available for RHEL

Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities".
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 99] in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group, we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.

-----------------------------
This advisory is subject to the Creative commons licence 
https://creativecommons.org/licenses/by/4.0/ 
and the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. 
-----------------------------


On behalf of the EGI SVG,