Intel CPUs Rocked By Plundervolt Voltage Manipulating Security Exploit
Intel has posted a security advisory saying that several of its desktop and mobile processors are susceptible to a vulnerability that could allow an attacker to alter a CPU's voltage and frequency. The goal for an attacker would be to use the exploit to swipe data from within a secured area of the CPU known as Intel Software Guard eXtensions (SGX).
"Description: Improper conditions check in voltage settings for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege and/or information disclosure via local access," Intel says.
The exploit has a CVSS (Common Vulnerability Scoring System) base score of 7.9, which is labeled as High (you can read more about what this means here). Intel also notes that this vulnerability exists in its 10th, 9th, 8th, 7th, and 6th generation Core processors, as well as its Xeon E6, E3, E-2200, E-2100, V6, and V5 series CPUs.
Researchers at three universities in Europe discovered the vulnerability and named it Plundervolt. It works by leveraging the same kind of controls that someone might use to overclock a processor, except an attacker would be trying to cause errors by altering bits inside SGX, which would then corrupt the data and allow it to be plundered once it exits SGX. Rather than pushing the clock up, the attacker would be under-volting the CPU to achieve their nefarious goals.
The researchers say this could be used to steal encryption keys or to compromise software that would otherwise be secure.
"The under-volting induces bit flips in CPU instructions itself, such as multiplications or AES rounds (AES-NI)," David Oswald, an academic at the University of Birmingham, told ZDNet. "Because SGX only encrypts the data when read from/written to memory (but not inside the CPU), SGX's memory protection does not prevent these errors (since the faulty values themselves are written to memory)."
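The fault model Oswald describes (a glitched multiplication whose wrong result SGX faithfully encrypts and writes to memory) is what software fault countermeasures try to catch inside the enclave. As an added example, not code from the article or from the researchers, the C snippet below checks a product with a redundant second computation plus a mod-255 residue; because 2^k mod 255 is never 0, the residue alone detects any single bit flip, and the duplicate comparison catches multi-bit corruption that hits only one copy. The fault is simulated with an XOR mask rather than by undervolting.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a faultable imul: a 32x32->64 product with an
 * optional bit-flip mask XORed into the result (0 = no fault). */
static uint64_t faultable_mul(uint32_t a, uint32_t b, uint64_t fault_mask)
{
    return ((uint64_t)a * b) ^ fault_mask;
}

/* Residue check: for an exact (non-overflowing) product,
 * (a*b) mod 255 must equal ((a mod 255)*(b mod 255)) mod 255.
 * Since 2^8 == 1 (mod 255), flipping any single bit changes the
 * residue, so every one-bit fault in the result is detected. */
static bool residue_ok(uint32_t a, uint32_t b, uint64_t product)
{
    uint64_t expect = ((uint64_t)(a % 255) * (b % 255)) % 255;
    return (product % 255) == expect;
}

/* Stores the product in *out and returns true only when the redundant
 * copy and the residue check both agree; returns false on a detected
 * fault. mask1/mask2 model a glitch hitting the first/second copy. */
bool checked_mul(uint32_t a, uint32_t b, uint64_t mask1, uint64_t mask2,
                 uint64_t *out)
{
    uint64_t r1 = faultable_mul(a, b, mask1);
    uint64_t r2 = faultable_mul(b, a, mask2);   /* operands swapped */
    if (r1 != r2 || !residue_ok(a, b, r1))
        return false;
    *out = r1;
    return true;
}

int main(void)
{
    uint64_t p = 0;
    const uint64_t flip = 1ull << 17;           /* simulated glitch */
    printf("clean:        %s\n", checked_mul(0xdeadbeef, 0x1337, 0, 0, &p) ? "ok" : "FAULT");
    printf("one copy hit: %s\n", checked_mul(0xdeadbeef, 0x1337, flip, 0, &p) ? "ok" : "FAULT");
    printf("both hit:     %s\n", checked_mul(0xdeadbeef, 0x1337, flip, flip, &p) ? "ok" : "FAULT");
    return 0;
}
```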
According to Oswald, Plundervolt is fairly safe, in that it does not over-volt the CPU and cause stability issues for the user—it's unlikely a system would crash if someone leveraged this vulnerability. That's also what makes it potentially dangerous (in theory, anyway), along with the fact that everything happens so fast, at least compared to attacks like Spectre and Meltdown.
Fortunately, this can't be leveraged remotely, meaning an attacker couldn't lure a user to a compromised website and then carry out the attack. Plundervolt runs from an app on an infected PC with root or admin privileges, and does not even work in virtualized environments. So even though it is a High level security flaw, the chances of this impacting a user are pretty small.
Nevertheless, Intel has issued microcode and BIOS updates to system manufacturers, which will then get doled out to the public.