CVE-2023-20583 – A new vulnerability impacting CPUs

CVE-2023-20583

Austrian and German scientists have devised a power monitoring side-channel attack targeting computer CPUs, capable of leaking sensitive data from fluctuating power levels.

This attack strategy, named Collide+Power, relies on analyzing processor power usage to discern the content of the CPU cache memory. Should an attacker gain persistent access to a victim’s hardware or a cloud computing environment sharing hardware, it could expose encryption keys and other relatively short identifiers.

Collide+Power depends on measuring changes in the electrical energy use of known data from the attacker and unknown data from the victim, and then inferring the unknown data based on these measurement differences. This method involves populating the CPU cache set with data controlled by the attacker, then overwriting it with victim data. As power consumption changes with the number of bits needed to be altered, the attacker can repeat this process by changing the known control values, and repeatedly re-measuring the power consumption to determine data in the victim’s system.

Unlike side-channel attacks similar to PLATYPUS and Hertzbleed, Collide+Power asserts to be a universal attack, applicable on any CPU that permits both attacker and victim data to reside in the same memory cache space. In comparison to attacks like Spectre, which depend on specific microarchitecture structures, researchers claim that Collide+Power is more akin to Rowhammer, originating from basic physical properties of the CPU and therefore difficult to mitigate.

This research is recognized as the first side-channel attack using power measurements to directly acquire data from processors, filling the gap in power side-channel attack detection. However, this attack strategy has a clear flaw: its incredibly slow attack rate.

Collide+Power has two types: Slow and Glacial. The first variant, called MDS-Power, can only steal data from another secure domain on the same hardware thread at a rate of 4.82 bits per hour. If an attacker intends to steal a private key from a cloud provider, it would take over a month to obtain a 4096-bit RSA key.

The other variant, called Meltdown-Power, is related to the notorious Meltdown vulnerability and can only obtain data at a rate of 0.136 bits per hour. In real conditions, the way memory prefetching works implies an even slower attack speed. Researchers estimate that if this method were adopted, it would take 2.86 years to acquire 1 bit of data from the kernel.

Researchers have disclosed their findings to AMD, ARM, and Intel. The vulnerability is tracked as CVE-2023-20583, currently without a specific score.

“A potential power side-channel vulnerability in AMD processors may allow an authenticated attacker to monitor the CPU power consumption as the data in a cache line changes over time potentially resulting in a leak of sensitive information,” AMD wrote on the advisory of CVE-2023-20583 flaw.

However, AMD has rated the severity as low, and Intel does not intend to release a notice, stating that they have evaluated this research and determined that no new mitigation measures are required. A spokesperson stated that existing features in Intel products and guidelines to alleviate power side-channel attacks are effective in this situation and other known cases.

Via: theregister