Leveraging Observability Data for Downfall and Inception Vulnerability Analysis

Oliver Oehlenberg

In early August 2023, both Intel and AMD confirmed vulnerabilities in their CPUs. Daniel Moghimi, a security researcher at Google, discovered a vulnerability in Intel’s chipset dubbed “Downfall” (CVE-2022-40982). An attacker who exploits it can potentially read data belonging to other applications or memory areas. Similarly, researchers Daniel Trujillo, Johannes Wikner, and Kaveh Razavi from ETH Zurich discovered a comparable vulnerability in AMD’s chipset, which they named “INCEPTION” (CVE-2023-20569).

Fortunately, both vulnerabilities have been classified with a severity rating of “Medium” by Intel and AMD. The risk only becomes significant if an attacker manages to execute code on the vulnerable computer, for example through malware. Once running, that code can read sensitive information, such as passwords, from the compromised device.

The situation becomes more dangerous when the vulnerable computer is shared by multiple individuals, as in a cloud-based environment. In such cases, a legitimate user can, intentionally or unintentionally, execute the code and thereby gain access to other users’ data.

How many computers are affected in my organization?

The challenge for corporate administrators and security officers is to figure out exactly what this means and how many computers in the organization are affected. This is especially crucial because both Intel and AMD are already rolling out firmware updates to close the security gap, and prompt installation of these updates is paramount.

Organizations using observability solutions like Riverbed now have a powerful tool to gain insight into the vulnerability landscape. In the example shown below, I used data from desktops and laptops to automatically create a list of affected devices. To achieve this, I configured Riverbed Aternity to retrieve and evaluate additional information from the CPUs, such as the CPUID and the microcode update (MCU) revision for Intel. In practical terms, you only need to import a Custom Device Attribute Monitor into the Aternity configuration and open the corresponding dashboard. The advantage is that the CPU data can be seamlessly analyzed alongside the existing observability data.

[Dashboard screenshot: Observability Data for Downfall and Inception Vulnerability Analysis]

At a glance, it is evident that 60% of the devices are undeniably affected by the security vulnerability, while another 17% require manual inspection because their firmware version could not be determined, even though their CPUs are classified as “affected.”

Plan and monitor your next steps

Some hardware vendors, like Lenovo, have already released BIOS or firmware updates to mitigate this risk. For instance, Lenovo provided an update (version 1.54) for the ThinkPad T14s Gen 2i. This is where the challenge arises: IT organizations must plan, execute, and validate the successful deployment of these updates. Many companies rely on automatic updates delivered by the hardware manufacturers’ tools, but visibility into whether those updates actually took effect, or whether users had the permissions to install them, is not always clear. This is where observability data becomes invaluable.

[Dashboard screenshot: Observability Data for Downfall and Inception Vulnerability Analysis, BIOS versions by device model]

In our example above, we have 16 Lenovo T14s Gen 2i devices, only one of which has the BIOS version that addresses the vulnerability; the others run various other versions. With this information, the IT department knows that 15 devices require prompt updates. To facilitate this, the Riverbed Aternity Remediation Action can be employed.
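The two evaluations described above (classifying each device from its CPUID and microcode revision, then checking BIOS versions per hardware model) can be expressed as a small amount of analysis logic. The following Python is an added example, not Riverbed or Aternity code, and it does not know the real dashboard's queries. The affected-CPU table, the minimum microcode revisions, the CPUID signature strings and the inventory records are all constructed placeholders; the only value taken from the post is the Lenovo ThinkPad T14s Gen 2i BIOS requirement of 1.54. Real signatures and fixed microcode revisions come from the Intel and AMD advisories linked at the end of the post.

```python
"""Classify endpoint inventory records for CPU-vulnerability exposure.

Added example, not Riverbed/Aternity code. Assumes each inventory record
carries the fields the post says the custom attribute monitor collects
(CPU vendor, CPUID signature, microcode revision) plus the device model
and BIOS version that observability data already holds.
"""
import re
from collections import Counter

# PLACEHOLDER table: (vendor, CPUID signature) -> minimum fixed microcode
# revision. The signatures and revisions here are constructed for the
# example; the real values come from the vendor advisories.
AFFECTED_CPUS = {
    ("GenuineIntel", "PLACEHOLDER_SIG_INTEL_A"): 0x20,
    ("AuthenticAMD", "PLACEHOLDER_SIG_AMD_A"): 0x08,
}

# Minimum BIOS version per hardware model that mitigates the issue.
# The T14s Gen 2i entry (1.54) is from the post; add further models as
# vendors publish updates.
REQUIRED_BIOS = {
    "ThinkPad T14s Gen 2i": "1.54",
}

# Constructed sample inventory (hostnames, models and versions are made up).
SAMPLE_INVENTORY = [
    {"hostname": "lt-001", "cpu_vendor": "GenuineIntel", "cpuid": "PLACEHOLDER_SIG_INTEL_A",
     "microcode": 0x10, "model": "ThinkPad T14s Gen 2i", "bios_version": "1.49"},
    {"hostname": "lt-002", "cpu_vendor": "GenuineIntel", "cpuid": "PLACEHOLDER_SIG_INTEL_A",
     "microcode": 0x12, "model": "ThinkPad T14s Gen 2i", "bios_version": "1.52"},
    # microcode could not be read: affected CPU, firmware state undetermined
    {"hostname": "lt-003", "cpu_vendor": "GenuineIntel", "cpuid": "PLACEHOLDER_SIG_INTEL_A",
     "microcode": None, "model": "ThinkPad T14s Gen 2i", "bios_version": "1.53"},
    {"hostname": "lt-004", "cpu_vendor": "GenuineIntel", "cpuid": "PLACEHOLDER_SIG_INTEL_A",
     "microcode": 0x20, "model": "ThinkPad T14s Gen 2i", "bios_version": "1.54"},
    {"hostname": "lt-005", "cpu_vendor": "AuthenticAMD", "cpuid": "PLACEHOLDER_SIG_AMD_A",
     "microcode": 0x05, "model": "OtherVendor Model X", "bios_version": "2.10"},
    {"hostname": "dt-006", "cpu_vendor": "GenuineIntel", "cpuid": "PLACEHOLDER_SIG_UNLISTED",
     "microcode": 0x01, "model": "OtherVendor Model Y", "bios_version": "1.00"},
]


def classify(record):
    """Return one of: 'not affected', 'manual inspection', 'patched', 'affected'."""
    required_mcu = AFFECTED_CPUS.get((record["cpu_vendor"], record["cpuid"]))
    if required_mcu is None:
        return "not affected"            # CPU model not in the affected list
    mcu = record.get("microcode")
    if mcu is None:
        return "manual inspection"       # affected CPU, microcode revision unknown
    if mcu >= required_mcu:
        return "patched"                 # fixed microcode already loaded
    return "affected"


def summarize(records):
    """Percentage of the fleet in each classification, rounded to 0.1%."""
    counts = Counter(classify(r) for r in records)
    total = len(records)
    return {state: round(100 * n / total, 1) for state, n in counts.items()}


def parse_version(version):
    """Split a version string into integers so that '1.9' < '1.54'.

    Plain string comparison would rank '1.9' above '1.54'; comparing
    numeric components avoids that mistake.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def bios_outdated(record):
    """True if the model has a known required BIOS and the device is below it.

    Returns None when no requirement is known for the model, so callers can
    distinguish 'up to date' from 'no data to judge by'.
    """
    required = REQUIRED_BIOS.get(record["model"])
    if required is None:
        return None
    return parse_version(record["bios_version"]) < parse_version(required)


def devices_needing_bios_update(records, model):
    """Sorted hostnames of the given model still below the required BIOS version."""
    return sorted(r["hostname"] for r in records
                  if r["model"] == model and bios_outdated(r))


if __name__ == "__main__":
    print("fleet summary (%):", summarize(SAMPLE_INVENTORY))
    print("T14s Gen 2i needing BIOS update:",
          devices_needing_bios_update(SAMPLE_INVENTORY, "ThinkPad T14s Gen 2i"))
```

The "manual inspection" bucket is kept separate from "affected" on purpose: a device whose microcode revision could not be read may already be patched, so it needs a human check rather than a remediation action, which mirrors the 17% shown in the first dashboard.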

Observability data can switch on the lights

If you already use Riverbed Aternity, look for the CPU Vulnerability Analysis Dashboard in the Aternity SE Dashboard Library or reach out to your Riverbed technical contact. Installing the Custom Attribute Monitor is essential, and you will need a free Custom Attribute in your environment. Further details can be found on the Description page of the dashboard. The examples above use data from desktops and laptops, but observability data can also be sourced from servers in your data center, enabling the same analysis for your server landscape.

If you would like to learn more about Riverbed, visit our site; existing users can log in to access the Riverbed Knowledge Base. For further reading, see the Intel Advisory, INTEL-SA-00828, and the AMD Advisory, Return Address Security Bulletin.
