
Intel Processor Vulnerability - Downfall

August 2023

Advisory ID: nutanix-sa-028
CVE(s): CVE-2022-40982
Last Updated: 09 Feb 2024
Published: 16 August 2023
CVSS: 6.5 (Medium)
Version: 1.12

Summary
A newly announced Intel processor vulnerability, also known as "Downfall," leverages a
flaw in the memory optimization features in some Intel processors that can, under the
proper circumstances, disclose hardware registers to software.

Impact
If exploited, and under specific circumstances, certain Intel processors can leak hardware
register data during the Speculative Execution of software. If collected, this could allow
an attacker to obtain sensitive information when in a multi-tenant scenario.

Affected Products
This document will be updated with information as it is obtained, and should be
considered the single source of content. Please check the Nutanix Support Portal for the
latest update.

Nutanix Products
Product                       Fix Release
AHV                           Tentatively targeted for 6.8 release. ETA pending

Note: AHV software mitigation is only required if BIOS mitigation has not yet been
applied.
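
One way to check from a Linux host whether the microcode (BIOS) mitigation is active, and so whether a software mitigation still matters. This is an added example, not Nutanix tooling; it assumes the host kernel exposes the upstream Linux `gather_data_sampling` status file, which this advisory does not state for AHV, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: classify the Linux status line for GDS (Downfall, CVE-2022-40982).
# Assumption: the host kernel provides this upstream sysfs file.
GDS_FILE="${GDS_FILE:-/sys/devices/system/cpu/vulnerabilities/gather_data_sampling}"

# classify_gds STATUS: map the kernel's status string to a short state name.
classify_gds() {
    case "$1" in
        "Not affected")               echo "not-affected" ;;
        "Mitigation: Microcode"*)     echo "microcode" ;;      # BIOS/microcode fix active
        "Mitigation: AVX disabled"*)  echo "software-only" ;;  # kernel fallback, no microcode
        "Vulnerable: No microcode")   echo "no-microcode" ;;
        "Vulnerable")                 echo "disabled" ;;       # mitigation switched off
        *)                            echo "unknown" ;;        # e.g. guest, or older kernel
    esac
}

# bios_fix_pending STATUS: succeeds when the CPU is affected and the microcode
# mitigation is absent, i.e. the case where a software mitigation still matters.
bios_fix_pending() {
    case "$(classify_gds "$1")" in
        software-only|no-microcode) return 0 ;;
        *)                          return 1 ;;
    esac
}

# read_gds_status: print the status line, or a marker if the file is absent.
read_gds_status() {
    if [ -r "$GDS_FILE" ]; then
        cat "$GDS_FILE"
    else
        echo "Unknown: status file not present"
    fi
}

# report: one-line summary for this host.
report() {
    status=$(read_gds_status)
    if bios_fix_pending "$status"; then pending=yes; else pending=no; fi
    printf '%s [%s] bios_fix_pending=%s\n' "$status" "$(classify_gds "$status")" "$pending"
}

report
```

A result of `disabled` or `unknown` needs manual review: the first means the mitigation was turned off on the kernel command line, the second that the kernel cannot determine the state.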

Nutanix, Inc.
Tel +1-855-688-2549 • Fax +1-408-916-4039 • Email info@nutanix.com
© 2023 Nutanix, Inc. All Rights Reserved
Hardware
For hardware platforms other than the Nutanix NX series we recommend you consult
with the hardware manufacturer for up to date information. Links, when available, will be
referenced below.

Platform                      Fix Release or Delivery
NX (G6/G7/G8)                 G6/G7 BIOS version 80.001 ; NX-LCM-3.0 Released 29 Nov 2023.
                              (The only exception is ‘NX-1120S-G7’ ; tentative release date
                              end of Jan 2024.)
                              G8 BIOS version 51.000 ; NX-LCM-3.1 Released 12 Dec 2023
Dell XC 14G Series            BIOS 2.19.1 | Released DELL-LCM-2.6 Released 26 Sept 2023
Dell XC 15G Series            BIOS 1.11.1 | Released DELL-LCM-2.6 Released 26 Sept 2023
Lenovo HX Series (Whitley)    UEFI 2.10, XCC 3.80 | Lenovo-LCM-2.14 Released 11 Dec 2023
Lenovo HX Series (Purley)     UEFI 4.11, XCC 9.80 | Lenovo-LCM-2.14 Released 11 Dec 2023
Fujitsu XF Series             Link to vendor advisory can be found in the Sources section below.
HPE - Gen10                   BIOS 2.90 | HPE-LCM-1.8.3; Released 08 Feb 2024
HPE - Gen10 Plus              BIOS 1.80 | HPE-LCM-1.8.3; Released 08 Feb 2024
Intel DCS Series              Specific article(s) for Intel DCS Series platforms is not yet
                              available.
Cisco Series M6 (ICELAKE)     UCSm v.4.2(3h) ; Cisco-LCM-1.0 Released 16 Nov 2023

Third-Party Products
Third-Party Product           Fix Release
VMware ESXi                   Not releasing microcode as an interim fix. Recommend contacting
                              the respective hardware vendor.
Microsoft Hyper-V             Link to vendor advisory can be found in the Sources section below.

Sources
Intel 2023.3 IPU Advisory - https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html
National Vulnerability Database (NVD) - https://nvd.nist.gov/vuln/detail/CVE-2022-40982
MITRE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982
Red Hat - https://access.redhat.com/solutions/7027704
VMware - https://blogs.vmware.com/security/2023/08/cve-2022-40982.html

Dell XC - https://www.dell.com/support/kbdoc/en-us/000216580/dsa-2023-206-security-update-for-dell-poweredge-server-for-intel-august-2023-security-advisories-2023-3-ipu
Lenovo HX - https://support.lenovo.com/us/en/product_security/LEN-134879#ThinkAgile
Fujitsu XF - https://security.ts.fujitsu.com/ProductSecurity/content/Fujitsu-PSIRT-ISS-IS-2023-031500-Security-Advisory.asp?lng=com
HPE DX - https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf04518en_us
HPE DL - https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf04507en_us
Intel DCS - Not yet available
Cisco Series M6 - https://bst.cisco.com/bugsearch/bug/CSCwf30460
Microsoft Platform(s) - https://support.microsoft.com/en-us/topic/kb5029778-how-to-manage-the-vulnerability-associated-with-cve-2022-40982-d461157c-0411-4a91-9fc5-9b29e0fe2782

Support
If you have questions, please open a case with Nutanix Support at
http://portal.nutanix.com or by calling Support at the phone number on the website
http://www.nutanix.com/support.

Thank you for being a Nutanix customer.

Revision History
Version  Section                                           Date
1.0      -                                                 16 August 2023
1.1      Formatting update                                 17 August 2023
1.2      Updated Third-Party and Hardware sections         17 August 2023
1.3      Updated various Third-Party timelines             22 August 2023
1.4      Updated various Third-Party timelines             26 Sept 2023
1.5      Update to NX G6/G7/G8 ‘Fix Release or Delivery’   06 Oct 2023
         and Cisco Series update
1.6      Updated tentative release date for NX-RIM-2.27    06 Nov 2023
1.7      G5/G6 Fix Released, Updated G8 release date,      20 Nov 2023
         updated Cisco information and released date
1.8      Updated HPE BIOS release information              23 Nov 2023
1.9      Updated NX-RIM version for G8 platform            01 Dec 2023
1.10     Updated AHV fix release, clarification of BIOS    12 Dec 2023
         vs software mitigation options. Updated Lenovo
         and Dell fix release date
1.11     Updated G8 release date                           19 Dec 2023
1.12     Updated HPE release date                          09 Feb 2024
