title | excerpt | updated |
---|---|---|
How to mitigate the Downfall vulnerability | Learn about the CVE-2022-40982/Gather Data Sampling (GDS)/Downfall vulnerability and its impacts on OVHcloud products | 2024-05-02 |
Edit 2024-05-01 15:00 CEST: Update on patching ESXi to versions 7.0u3o and 7.0u3p (in progress)
Edit 2023-08-22 14:00 CEST: Update iPXE section to mention limitations (UEFI boot is required)
Edit 2023-08-21 10:30 CEST: Add new impacted bare metal ranges
Edit 2023-08-16 12:00 CEST: Nutanix fully mitigated
Edit 2023-08-11 17:00 CEST: Performance impact + SAP assessment update
Edit 2023-08-11 11:30 CEST: Add new impacted bare metal ranges + Public Cloud fully mitigated + Cloud Web fully mitigated
Edit 2023-08-10 20:00 CEST: Add impacted bare metal ranges
On August 8th 2023, Intel issued a security bulletin disclosing a vulnerability in its recent processor microarchitectures. Named "Gather Data Sampling (GDS)" by Intel, the vulnerability is also known as "Downfall".
Tracked as CVE-2022-40982 and rated Medium by Intel, the issue allows an attacker to potentially access sensitive information processed by the CPU in specific circumstances.
The issue affects all software running on the affected processors, including virtual machines, sandboxes, containers, and processes. The researchers have released exploitation code that shows how this vulnerability could be leveraged in a multi-user context.
At least the following microarchitectures are vulnerable:
- Amber Lake
- Cascade Lake
- Coffee Lake
- Cooper Lake
- Ice Lake
- Rocket Lake
- Skylake
- Tiger Lake
- Tiger Lake Refresh
- Whiskey Lake
In response, we immediately reviewed the security bulletin and technical information and determined the following potential impact on our products:
Range of products | Products | Impact |
---|---|---|
Public Cloud | All products | Mitigated by OVHcloud |
Hosted Private Cloud | VMware on OVHcloud | Update in progress by OVHcloud |
Hosted Private Cloud | SDDC / Essentials | Not impacted |
Hosted Private Cloud | Nutanix on OVHcloud | Mitigated by OVHcloud |
Hosted Private Cloud | SAP on OVHcloud | Potentially impacted. See below for how to mitigate the vulnerability |
Web Hosting & Domains | Cloud Web | Mitigated by OVHcloud |
Web Hosting & Domains | All other products | Not impacted |
Bare Metal Cloud | ADVANCE-1, ADVANCE-1 Gen 2, ADVANCE-2, ADVANCE-2 Gen 2, ADVANCE-3, ADVANCE-5, ADVANCE-6 Gen2, ADVANCE-APAC, ADVANCE-APAC-LE, ADVANCE-LE, BF-GAME-1, BF-GAME-2, BFSTOR21-3, EG-32, GAME-1, GAME-2, GAME-32, GAME-64, GAME-64-OC, GAME-LE-1, HGR-AI-1, HGR-HCI-1, HGR-HCI-2, HGR-HCI-3, HGR-SAP-1, HGR-SAP-2, HGR-SAP-3, HGR-SDS-1, HGR-STOR-1, INFRA-1, INFRA-2, INFRA-4, KS, RISE-1, RISE-2, RISE-3, RISE-5, RISE-APAC, RISE-APAC-0, RISE-APAC-1, RISE-APAC-2, RISE-BF-3, RISE-LE-1, RISE-LE-2, RISE-LE-5, RISE-STOR-LE-1, SCALE-4, SCALE-5, SCALE-6, SP-32-S, STOR-2, SYS-2, SYS-3, SYS-4, SYS-4-SAT-32, SYS-4-SSD-16, SYS-4-SSD-32, SYS-5, SYS-5-SAT-32, SYS-5-SAT-64, SYS-5-SSD-32, SYS-5-SSD-64, SYS-GAME-1, SYS-GAME-2, SYS-GAME-APAC-1, SYS-LE-1, SYS-LE-2, SYS-LE-3, SYS-LE-4 | Potentially impacted. See below for how to mitigate the vulnerability |
Bare Metal Cloud | Other commercial ranges of dedicated servers | Not impacted |
Updating the operating system (the linux-firmware package, for instance) triggers the update of the processor microcode. You can apply it as soon as your OS vendor or community distributes the updated package. This method depends on your distribution or operating system vendor and will only work once the appropriate microcode has been provided by Intel.
When an updated microcode is not available through a firmware package, you may instead update the kernel to a version that implements the Downfall mitigation and is able to disable the AVX instruction set.
This is achieved by adding the following kernel command line parameter:
```
gather_data_sampling=force
```
We recommend using this mitigation carefully, since it may have a significant impact on the overall performance of the system.
OVHcloud teams are working on transparent solutions that ensure the patched microcode is loaded without any action from our customers. Those solutions will be deployed progressively on our servers as detailed below.
The microcode update can be loaded by the bootloader when the standard OVHcloud netboot is used (the most common configuration). This feature is available: rebooting the server through the OVHcloud Control Panel will load the updated microcode before booting to disk, which mitigates the vulnerability. However, if you boot from disk without using the OVHcloud netboot system, the mitigation is not applied and you should rely on the operating-system-level mitigation instead.
[!primary] Reminder: This solution requires a public interface with a public IP and UEFI boot to work. It is not compatible with legacy boot servers.
The UEFI firmware update may update the CPU microcode at boot. UEFI firmware updates including the patched microcode will likely be made available by motherboard manufacturers within the next months.
Once available, OVHcloud will include this patched microcode in the UEFI firmware of any newly delivered server. Customers will then be able to request a UEFI firmware update by contacting support.
The first step is to check whether your server is impacted by the vulnerability. You can use the following tool (Linux only), developed by our team and updated to take CVE-2022-40982 into account:
```sh
wget https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh
# run as root so the script can read the CPU MSRs
sh spectre-meltdown-checker.sh --variant downfall --explain
```
- If the tool says `NOT VULNERABLE`, you are already safe and no further action is needed.
- If the tool says `VULNERABLE`, you should then evaluate your exposure to the threat.
You need to determine whether the server context allows code from an untrusted origin to run.
If the server provides services to untrusted end users who can execute code (VPS, containers, shared hosting, etc.), or is used as a desktop in the cloud for browsing the Web (hence possibly running third-party JavaScript payloads), then your server might be at risk.
If the server is used only by trusted users and/or does not run untrusted code, the risk of exploitation is probably quite low.
Please note, however, that this vulnerability might allow an attacker to gain extra privileges in a chained attack; it could be used for persistence or lateral movement in a complex kill chain.
Based on this evaluation, you should determine how urgently a mitigation is needed and choose the most appropriate one.
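To turn the decision steps above into a repeatable check on a Linux host, here is an added example (not OVHcloud's tool and not the checker script): it reads the mitigation status that a kernel carrying the GDS patches exposes in sysfs, maps it to the matching action (microcode update, the `gather_data_sampling=force` fallback described earlier, or nothing), and reports whether that fallback is active on the kernel command line. It assumes a patched kernel; the status strings matched are the ones the kernel documents for this sysfs entry.

```sh
#!/bin/sh
# Added example, not OVHcloud's code: triage the Downfall status of a Linux host.
# Kernels carrying the GDS patches report the state in this sysfs file; the
# status strings matched below are the ones documented by the kernel.
GDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling

# classify_gds STATUS: map the kernel's status text to a short class.
classify_gds() {
    case "$1" in
        "Not affected")              echo safe ;;
        "Mitigation: Microcode"*)    echo mitigated ;;     # includes "(locked)"
        "Mitigation: AVX disabled"*) echo avx_disabled ;;  # gather_data_sampling=force path
        "Vulnerable: No microcode")  echo no_microcode ;;
        "Vulnerable"*)               echo vulnerable ;;    # mitigation explicitly turned off
        *)                           echo unknown ;;       # old kernel, or VM guest
    esac
}

# advise CLASS: the next step, following the decision steps described above.
advise() {
    case "$1" in
        safe|mitigated) echo "no action needed" ;;
        avx_disabled)   echo "fallback active; load updated microcode to restore AVX" ;;
        no_microcode)   echo "install updated microcode, or boot with gather_data_sampling=force" ;;
        vulnerable)     echo "mitigation disabled on the kernel command line; re-enable it" ;;
        *)              echo "status unknown: run spectre-meltdown-checker.sh --variant downfall" ;;
    esac
}

# cmdline_forces_gds [FILE]: true if the AVX-disable fallback was requested at boot.
cmdline_forces_gds() {
    grep -qE '(^|[[:space:]])gather_data_sampling=force([[:space:]]|$)' "${1:-/proc/cmdline}" 2>/dev/null
}

main() {
    if [ -r "$GDS_SYSFS" ]; then
        status=$(cat "$GDS_SYSFS")
    else
        status="unavailable (no sysfs entry: kernel predates the GDS patches)"
    fi
    class=$(classify_gds "$status")
    echo "gather_data_sampling: $status"
    echo "class: $class -> $(advise "$class")"
    cmdline_forces_gds && echo "note: gather_data_sampling=force is set on the kernel command line"
    return 0
}

main
```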
The new microcode has been deployed on our internal servers. Since performance is a concern in such a situation, our teams closely monitored the impact of the upgrades. The conclusions are reassuring so far: we did not notice a significant impact on overall performance.
Our technical and support teams are working to ensure the risk is lowered for each of our customers impacted by the vulnerability. We mostly focus on:
- Informing impacted customers so that they take the risk into account in their operations and implement the appropriate mitigation.
- Developing and integrating updates into our automation to cover the risk transparently for our customers.
- Monitoring exploitation of the vulnerability in the wild to define the extra mitigations we can implement to protect our customers' infrastructures.
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html
- https://github.com/speed47/spectre-meltdown-checker/
- https://github.com/flowyroll/downfall/tree/main/POC
- https://github.com/torvalds/linux/commit/64094e7e3118aff4b0be8ff713c242303e139834
- https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982