Security
Headlines
HeadlinesLatestCVEs

Headline

New Hertzbleed Side-Channel Attack Affects All Modern AMD and Intel CPUs

A newly discovered security vulnerability in modern Intel and AMD processors could let remote attackers steal encryption keys via a power side channel attack. Dubbed Hertzbleed by a group of researchers from the University of Texas, University of Illinois Urbana-Champaign, and the University of Washington, the issue is rooted in dynamic voltage and frequency scaling (DVFS), power and thermal

The Hacker News
#vulnerability#intel#amd#auth#The Hacker News

A newly discovered security vulnerability in modern Intel and AMD processors could let remote attackers steal encryption keys via a power side channel attack.

Dubbed Hertzbleed by a group of researchers from the University of Texas, University of Illinois Urbana-Champaign, and the University of Washington, the issue is rooted in dynamic voltage and frequency scaling (DVFS), power and thermal management feature employed to conserve power and reduce the amount of heat generated by a chip.

“The cause is that, under certain circumstances, periodic CPU frequency adjustments depend on the current CPU power consumption, and these adjustments directly translate to execution time differences (as 1 hertz = 1 cycle per second),” the researchers said.

This can have significant security implications on cryptographic libraries even when implemented correctly as constant-time code to prevent timing-based side channels, effectively enabling an attacker to leverage the execution time variations to extract sensitive information such as cryptographic keys.

Both AMD (CVE-2022-23823) and Intel (CVE-2022-24436) have issued independent advisories in response to the findings, with the latter noting that all Intel processors are affected by Hertzbleed. No patches have been made available.

“As the vulnerability impacts a cryptographic algorithm having power analysis-based side channel leakages, developers can apply countermeasures on the software code of the algorithm. Either masking, hiding, or key-rotation may be used to mitigate the attack,” AMD stated.

While no patches have been made available to address the weakness, Intel has recommended cryptographic developers follow its guidance to harden their libraries and applications against frequency throttling information disclosure.

This is not the first time novel methods have been uncovered to siphon data from Intel processors. In March 2021, two co-authors of Hertzbleed demonstrated an “on-chip, cross-core” side-channel attack targeting the ring interconnect used in Intel Coffee Lake and Skylake processors.

“The takeaway is that current cryptographic engineering practices for how to write constant-time code are no longer sufficient to guarantee constant time execution of software on modern, variable-frequency processors,” the researchers concluded.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Related news

Hertzbleed exposes computers’ secret whispers

Hertzbleed is a new side-channel attack that can recover sensitive information from a targeted system by applying CPU timing. The post Hertzbleed exposes computers’ secret whispers appeared first on Malwarebytes Labs.

CVE-2022-24436: INTEL-SA-00698

Observable behavioral in power management throttling for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via network access.

'Hertzbleed' Side-Channel Attack Threatens Cryptographic Keys for Servers

A novel timing attack allows remote attackers with low privileges to infer sensitive information by observing power-throttling changes in the CPU.