In Q3 2021, a team of researchers reported a new vulnerability with PoC code to Intel, Cloudflare, and Microsoft. In Q1 2022, the vulnerability was reported to AMD. On June 14, 2022, the information embargo was lifted, and the world came to know this vulnerability as Hertzbleed.
It’s only been a few days since Hertzbleed was revealed, and it has garnered some attention. This is unsurprising, considering its massive attack surface and the information that attackers can gain from exploitation. But how effective is the vulnerability? Can we use it as is, and who does it affect? The new website for Hertzbleed contains the paper (which is yet to be published) and some Q&A, but we’re still left with questions.
What is Hertzbleed?
Power-based side-channel attacks are those that exploit changes in a device’s current draw to derive information from them. Historically, this has involved physically connecting to systems and translating the variations in current, voltage, and frequency into data. However, physical attacks like this are limited by how the device can be accessed and by how the raw measurements can be parsed into information.
Hertzbleed avoids these issues by using dynamic voltage and frequency scaling (DVFS): the voltage and frequency changes DVFS makes show up as millisecond-scale timing differences, which are then translated into data. The researchers state the vulnerability can detect “differences as seemingly minute as a set bit’s position in a word”. This is technically similar to the physical attacks we mentioned before. Yet these power-based attacks can be performed remotely, using part of the operating system itself to interact with the processor rather than attaching to the device.
Who does it affect, and should I be worried?
Theoretically, this vulnerability applies to all Intel and AMD x86 CPUs. Intel has specified that all its processors are affected by CVE-2022-24436, and AMD has drawn up a list of affected CPUs.
Testing on Ubuntu 20.04 has so far confirmed that the following CPUs can be exploited:
- i7-9700 (the current PoC is for this CPU)
However, this is currently limited to bare-metal servers. Other limitations exist as well: a significant amount of time and effort is required to go through the data the attack generates, and more time is often needed to then translate that data into something that can be analyzed.
Currently, the best way to completely mitigate this vulnerability is to disable Precision Boost on AMD CPUs and Turbo Boost on Intel CPUs, but this can significantly impact performance, depending on your environment.
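The mitigation above leaves an obvious follow-up question: how do you confirm that boost is actually off on a given Linux host? The following script is an added example, not code from the original post or from the Hertzbleed researchers. It reads the two sysfs knobs Linux exposes for this (`intel_pstate/no_turbo` for the intel_pstate driver, `cpufreq/boost` for acpi-cpufreq, the driver typically used with AMD), reports which driver answered, and treats “neither file exists” as “cannot tell” rather than “safe”. The `demo()` helper builds a throwaway fake sysfs tree so the logic can be exercised without touching the real `/sys`; the sysfs root parameter and the fake tree are constructed for this example.

```python
import os
import tempfile

# sysfs paths, relative to the sysfs root (normally /sys):
#   intel_pstate driver: no_turbo == "1"  -> Turbo Boost disabled
#   acpi-cpufreq driver: boost == "0"     -> Precision Boost / turbo disabled
INTEL_NO_TURBO = "devices/system/cpu/intel_pstate/no_turbo"
CPUFREQ_BOOST = "devices/system/cpu/cpufreq/boost"


def _read(path):
    """Return the stripped file contents, or None if the file is absent/unreadable."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None


def boost_status(sysfs_root="/sys"):
    """Report whether frequency boost is enabled, and which driver interface answered.

    `boost_enabled` is None when neither interface exists: that is an unknown
    state, not a confirmation that the mitigation is in place.
    """
    no_turbo = _read(os.path.join(sysfs_root, INTEL_NO_TURBO))
    if no_turbo is not None:
        return {"driver": "intel_pstate", "boost_enabled": no_turbo != "1"}
    boost = _read(os.path.join(sysfs_root, CPUFREQ_BOOST))
    if boost is not None:
        return {"driver": "acpi-cpufreq", "boost_enabled": boost != "0"}
    return {"driver": None, "boost_enabled": None}


def mitigated(status):
    """True only when boost is positively known to be disabled."""
    return status["boost_enabled"] is False


def _write(root, rel, value):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(value + "\n")


def demo():
    """Exercise boost_status() against constructed fake sysfs trees (not a real /sys)."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        _write(root, INTEL_NO_TURBO, "1")          # Intel host with Turbo Boost off
        results["intel_off"] = boost_status(root)
    with tempfile.TemporaryDirectory() as root:
        _write(root, CPUFREQ_BOOST, "1")           # AMD host with boost still on
        results["amd_on"] = boost_status(root)
    with tempfile.TemporaryDirectory() as root:
        results["unknown"] = boost_status(root)    # no cpufreq interface at all
    return results


if __name__ == "__main__":
    live = boost_status()
    print("this host:", live, "-> mitigated" if mitigated(live) else "-> NOT confirmed mitigated")
    for name, status in demo().items():
        print(name, status, "-> mitigated" if mitigated(status) else "-> NOT confirmed mitigated")
```

Run it as root or as any user (the files are world-readable); the “unknown” branch is the one to watch for on virtual machines, where the hypervisor owns the frequency policy and the guest may expose neither interface.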
Discovering power-based side-channel attacks can be difficult, especially when they’re physical. Based on the current PoC, these can be detected when an unexpected source loads the MSR module. In the PoC script, this appears as sudo modprobe msr or modprobe msr.
Module loading and unloading is recorded by the Linux audit daemon. As such, looking for msr within these logs can help discover attempts to exploit this vulnerability. Take care to analyze any alerts or information derived from this, however. The MSR module is not auto-loaded, so many OS programs or features load it themselves as part of their normal function.
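To make the audit-log idea concrete, here is an added example (not code from the original post or from the PoC) that scans auditd records for the msr module being loaded. It keys on two record types: `KERN_MODULE`, which the kernel emits on a successful module load and names the module, and `EXECVE`, which captures the `sudo modprobe msr` command line when process execution is audited. Records sharing an audit serial number are grouped into one event so the `SYSCALL` record’s `auid`, `comm` and `exe` can be attached to each hit. Because the module is also loaded legitimately, the script does not alert blindly: a load with no login session behind it (`auid` unset, 4294967295) is tagged `low` as a likely system service, while one tied to a logged-in user is tagged `review`. The audit lines below are constructed for this example, not a real capture; the two-level priority scheme is this example’s own design choice.

```python
import re
from collections import defaultdict

# Constructed sample of auditd records, not a real capture. The serial number
# after the colon in msg=audit(...) ties the records of one event together.
# 4101/4102: interactive "sudo modprobe msr" by a logged-in user (auid=1000).
# 4250: msr loaded with no login session behind it (auid unset).
# 4300: an unrelated module, which must not be reported.
SAMPLE_AUDIT_LOG = """\
type=EXECVE msg=audit(1655200000.101:4101): argc=3 a0="sudo" a1="modprobe" a2="msr"
type=SYSCALL msg=audit(1655200000.101:4101): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2230 auid=1000 uid=1000 comm="sudo" exe="/usr/bin/sudo" key="proc_exec"
type=KERN_MODULE msg=audit(1655200000.102:4102): name="msr"
type=SYSCALL msg=audit(1655200000.102:4102): arch=c000003e syscall=313 success=yes exit=0 ppid=2230 pid=2231 auid=1000 uid=0 comm="modprobe" exe="/usr/bin/kmod" key="modules"
type=KERN_MODULE msg=audit(1655200300.500:4250): name="msr"
type=SYSCALL msg=audit(1655200300.500:4250): arch=c000003e syscall=313 success=yes exit=0 ppid=1 pid=980 auid=4294967295 uid=0 comm="modprobe" exe="/usr/bin/kmod" key="modules"
type=KERN_MODULE msg=audit(1655200400.000:4300): name="nvme"
type=SYSCALL msg=audit(1655200400.000:4300): arch=c000003e syscall=313 success=yes exit=0 ppid=1 pid=990 auid=4294967295 uid=0 comm="modprobe" exe="/usr/bin/kmod" key="modules"
"""

HEADER_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUID_UNSET = 4294967295  # audit loginuid "unset": process did not come from a login session


def parse_audit(text):
    """Group raw auditd lines into events keyed by their serial number."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # not an audit record
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
        events[m.group("serial")].append((m.group("type"), float(m.group("ts")), fields))
    return events


def find_module_loads(text, module="msr"):
    """Return one finding per event that loads `module` or runs modprobe for it."""
    findings = []
    for serial, records in sorted(parse_audit(text).items(), key=lambda kv: int(kv[0])):
        kinds, ctx, ts = set(), {}, None
        for rtype, rts, f in records:
            ts = rts
            if rtype == "KERN_MODULE" and f.get("name") == module:
                kinds.add("module_load")        # kernel confirmed the module was loaded
            elif rtype == "EXECVE":
                argkeys = sorted((k for k in f if re.fullmatch(r"a\d+", k)), key=lambda k: int(k[1:]))
                args = [f[k] for k in argkeys]
                if "modprobe" in args and module in args:
                    kinds.add("modprobe_exec")  # the PoC's "sudo modprobe msr" pattern
            elif rtype == "SYSCALL":
                ctx = {k: f.get(k) for k in ("pid", "uid", "comm", "exe")}
                ctx["auid"] = int(f.get("auid", AUID_UNSET))
        if not kinds:
            continue
        auid = ctx.get("auid", AUID_UNSET)
        findings.append({
            "serial": serial, "time": ts, "kind": "+".join(sorted(kinds)),
            "pid": ctx.get("pid"), "auid": auid, "comm": ctx.get("comm"), "exe": ctx.get("exe"),
            # msr is not auto-loaded, but monitoring tools and services do load it. A load
            # with no login session behind it is most likely such a service; a load tied to
            # a logged-in user deserves a look at what that user was doing.
            "priority": "low" if auid == AUID_UNSET else "review",
        })
    return findings


if __name__ == "__main__":
    for hit in find_module_loads(SAMPLE_AUDIT_LOG):
        print(hit)
```

On a real host, feed it the output of `ausearch -m KERN_MODULE,EXECVE,SYSCALL --raw`; `EXECVE` records only appear if an `-a always,exit -F arch=b64 -S execve` rule is in place, whereas `KERN_MODULE` records are emitted without a rule, so the `module_load` hits are the more reliable signal.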
So far, no attacks have been seen using this kind of analysis technique to extract data from DVFS. This may be because of the low practicality of the exploitation and because it’s new to the public. But, as with all cybersecurity research, there are still some steps to take beyond the initial report:
- Replication needs to be confirmed, especially over a broader set of CPUs.
- External reviews need to be conducted by other research institutions and cybersecurity experts to assess the vulnerability’s longer-term impact.
- Data recording and sharing will continue as more people try the PoC, allowing us to learn more about its features.
- Instrumentation of the vulnerability beyond this initial PoC will need to occur. Testing and releasing more tooling with a broader capture net over many CPUs, or even the entire architecture, would make it viable for penetration testing.
Can I try it out?
Due to the nature of the vulnerability, you can’t try it out on the Immersive Labs platform yet. However, PoC code for i7-9700 CPUs released by the researchers is available to the public. Always double-check any code you’re executing on your systems and review the entire repository before executing anything within it.
As more information about this attack appears in the wild, we can learn more about its potential and how attackers are using it.
Watch out for Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86 at the 31st USENIX Security Symposium (Boston, 10–12 August 2022), where more information should be officially released from the researchers that disclosed this vulnerability.