Hardware-based vulnerabilities are often impossible to fix, and mitigating them with software patches generally costs performance. Intel users have already had problems with Spectre and Meltdown, and with the mitigations for them. Now there seems to be a new security flaw affecting both Intel and AMD CPUs in all categories.
Voltage + frequency = bingo?
Security researchers have been investigating the possibility of extracting cryptographic data from a target CPU just by measuring its power consumption while it’s processing data. While those attempts have not led anywhere yet, the researchers have discovered another way to abuse the CPU’s power consumption data. According to the researchers, it is possible to track the time that a server spends responding to specific queries by monitoring dynamic voltage and frequency scaling data. This flaw, named Hertzbleed, is tracked as CVE-2022-24436 for Intel CPUs and CVE-2022-23823 for AMD ones. It affects the 8th – 11th generations of Intel Core, Xeon, and AMD Ryzen CPUs.
While Hertzbleed has two CVEs for two CPU brands, it is not a real threat in almost any case. Data processing on a CPU can take many, many different paths, and processes run so fast that it is practically impossible to extract anything other than the CPU’s performance by abusing voltage and frequency scaling data. Intel states that while this issue is interesting from a research perspective, they don’t believe that it will work outside a lab environment. Neither of the CPU companies will update their chips against this technique.