Plundervolt Attack (CVE-2019-11157)

Overview – Plundervolt Attack

Plundervolt Attack (CVE-2019-11157): “Improper conditions check in voltage settings for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege and/or information disclosure via local access.”

Description

A recent paper by the researchers listed below reveals a critical vulnerability in Intel processors: fault injection through CPU voltage scaling, which undermines the protections of Intel Software Guard Extensions (SGX).

  • Kit Murdock, David Oswald, Flavio D Garcia (The University of Birmingham)
  • Jo Van Bulck, Frank Piessens (imec-DistriNet, KU Leuven)
  • Daniel Gruss (Graz University of Technology)

For background, Intel Software Guard Extensions (SGX) is a set of security instructions built into modern Intel CPUs to shield sensitive computations inside so-called “enclaves”. Enclave memory is not only kept separate from other memory in the system, it is also protected by encryption, so that sensitive data such as AES encryption keys stays secure.

The contents of these enclaves are protected against access or modification by any user, including users with root privileges. However, Intel also provides a software interface that lets root users control and adjust the CPU’s voltage and frequency when needed, for example to prevent overheating and reduce power consumption. According to the researchers, this feature is what enables an attacker to leak protected information being processed inside the enclave.

As the researchers explain, an attacker with root privileges in the OS can manipulate the CPU voltage through this software interface to reveal sensitive data, including cryptographic keys, from the processor’s enclave computations. Put differently, the memory encryption and authentication of Intel SGX cannot protect against Plundervolt, because Plundervolt is a fault injection attack on the computation itself rather than on memory.

The attack works by lowering the chip’s voltage (and adjusting its frequency) so that bits in computations running inside SGX enclaves flip, producing errors in the enclave’s results. These erroneous results can then be analysed by the attacker, using sophisticated fault-analysis and side-channel observation techniques, to reconstruct the protected data.

Fault injection attacks are not new. Like other side-channel attacks, they manipulate the normal operating conditions of a system in order to provoke and exploit unexpected errors. Fault injection usually manipulates the CPU’s supply voltage, its internal clock, or other environmental conditions. In the Plundervolt attack, this manipulation is carried out through a software interface rather than through the traditional physical manipulation of the hardware.
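The error described above, a voltage-induced bit flip in an enclave computation, is the kind of fault that software inside an enclave can at least detect. The following is an added example, not code from the paper or this page: it models the fault as a single flipped bit in a multiplication result (a constructed fault model with a caller-chosen bit position) and checks the result with two independent methods, a residue check modulo a small prime and a recomputation by shift-and-add. The prime 65521 and the helper names are the example’s own choices.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed fault model: flip one bit of the product to stand in for a
 * voltage-induced computation error. -1 means "no fault injected". */
static int g_fault_bit = -1;
void set_fault_bit(int bit) { g_fault_bit = bit; }

/* The hardware multiply whose result we do not trust. 32-bit operands keep
 * the true product inside 64 bits, so the residue check below is exact. */
static uint64_t untrusted_mul(uint32_t a, uint32_t b) {
    uint64_t r = (uint64_t)a * b;
    if (g_fault_bit >= 0 && g_fault_bit < 64)
        r ^= (uint64_t)1 << g_fault_bit;
    return r;
}

/* Check 1: residue check. A single flipped bit changes r by +/- 2^k, which is
 * never a multiple of an odd prime, so every single-bit fault is caught here. */
static bool residue_ok(uint32_t a, uint32_t b, uint64_t r) {
    const uint64_t p = 65521;  /* largest prime below 2^16 */
    return (r % p) == (((a % p) * (b % p)) % p);
}

/* Check 2: recompute the product by a different method (shift-and-add) so a
 * fault that happens to pass the residue check is still detected. */
static uint64_t shift_add_mul(uint32_t a, uint32_t b) {
    uint64_t acc = 0, x = a;
    for (uint32_t y = b; y != 0; y >>= 1, x <<= 1)
        if (y & 1) acc += x;
    return acc;
}

/* Returns true and stores the product in *out only if both checks pass; on a
 * detected fault it returns false and leaves *out untouched, so a corrupted
 * value never reaches the caller (or an attacker observing the output). */
bool checked_mul(uint32_t a, uint32_t b, uint64_t *out) {
    uint64_t r = untrusted_mul(a, b);
    if (!residue_ok(a, b, r)) return false;
    if (r != shift_add_mul(a, b)) return false;
    *out = r;
    return true;
}

int main(void) {
    uint64_t v = 0;
    printf("no fault: ok=%d v=%llu\n", checked_mul(123456789u, 987654321u, &v), (unsigned long long)v);
    set_fault_bit(17);
    printf("bit 17 flipped: ok=%d\n", checked_mul(123456789u, 987654321u, &v));
    return 0;
}
```

In a real enclave the recomputation runs on the same undervolted core, so the diversity of the second method (and of any residue check) matters more than repeating the same instruction.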

The Plundervolt attack (CVE-2019-11157) is similar to the CLKScrew and VoltJockey attacks; all three are classified as “undervolting attacks”. All of them abuse privileged power and clock management to inject faults into a trusted execution environment. However, CLKScrew and VoltJockey target only ARM processors and ARM TrustZone.

The Plundervolt attack (CVE-2019-11157) also resembles Spectre and Foreshadow in that all of them aim to leak information from the protected zones of the CPU, that is, from enclaves. However, Spectre and Foreshadow are attacks against confidentiality only, whereas Plundervolt can also change the values held in protected memory, making it an attack against integrity as well.

Impact

An authenticated local attacker can potentially conduct privilege escalation and/or information disclosure attacks.

Impact Summary

Category: Elevation of Privilege / Information Disclosure
CVSS 3.1 Base Score: 6.7 Medium
CVSS 3.1 Vector: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Solution (Update)

To defend against possible attacks due to this vulnerability, the microcode update provided by Intel needs to be installed.

Quote by M. Uğur Aksu

Software vulnerabilities, though very common, are not the biggest threat to security. Rather, the real threats are your users and your hardware. The bad news is, we don’t have a reasonable level of understanding of them. Even worse, we wouldn’t have even if we wanted to.

M. Uğur Aksu

