Another security attack has been discovered that can steal data from highly secure areas of Intel CPUs. Researchers from three universities in Europe have reported that this attack takes advantage of the CPU’s ability to control the voltage usage inside Intel’s SGX, which can create data leaks of sensitive information such as encryption data.
 
The new attack was given the name “Plundervolt”, and it targets Intel’s security feature called Software Guard eXtensions (SGX).  SGX is a dedicated region of cache in the CPU that allows applications and programs to run data in secure locations called “enclaves.” This keeps sensitive data from being exposed while other applications are simultaneously running on the CPU.
 
The researchers have discovered that SGX can be compromised by combining several aspects from the “Rowhammer attack” and the “CLKSCREW”, two previously discovered attacks. Rowhammer is able to change the electric charges in memory cells in DRAM (dynamic random-access memory) which will then cause contents in nearby memory rows to flip bit value such as 0 to 1. CLKSCREW took advantage of a CPU’s or SoC chipset’s DVFS (Dynamic Voltage and Frequency Scaling) energy management system to break a system’s security.
 
Similarly, Plundervolt uses the CPU’s energy management system to manipulate the voltage and frequency being used in the memory cells inside the SGX enclaves. This voltage change will alter bits in the data inside SGX, which is enough to cause errors in the SGX operations.
 
Operations such as encryption algorithms are performed inside SGX, and SGX is designed to encrypt when data is read from or written to memory, which do not protect it from these errors. This results in the encryption being compromised and easy to crack when the data leaves the SGX.
 
The attacker can then retrieve the encryption key from this data or even worse, they can introduce bugs into secure applications.
 
Plundervolt is only possible locally, meaning remote attacks must require administrative privileges. The researchers report that this would be difficult to do remotely but not necessarily impossible. But Plundervolt is considered dangerous because this method is much faster at exposing data than previous Intel CPU attacks such as Meltdown and Spectre; for example retrieving an AES key will only take a few minutes.
 
Intel has been notified of this and has issued a update to the BIOS to disable voltage and frequency control on the CPU. Intel’s advisory is detailed here: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00289.html
As well as a CVE to be released as CVE-2019-11157.
 
Intel also advises that the following CPUs would be affected by this and should update their BIOS:
 

• Intel 6th, 7th, 8th, 9th and 10th Generation Core
• Xeon E3 V5 and E3 V6
• Xeon E-2100 and E-2200

 
The research has been made available to download with the following link: https://plundervolt.com/doc/plundervolt.pdf

Original Article: https://www.zdnet.com/article/new-plundervolt-attack-impacts-intel-cpus/