University researchers have discovered a vulnerability in Intel Core CPUs that can be exploited by undervolting the processors. This allows memory of the protected SGX enclaves to be modified.
The researchers call the vulnerability Plundervolt and have set up a website with information. They also published a paper explaining their discoveries and put a proof-of-concept on GitHub.
The researchers managed to manipulate the memory by adjusting the CPU voltage while calculations were being performed in the SGX enclave. The vulnerability is in Intel Core processors from the sixth generation, or the Skylake models and newer. Xeon processors from the E3 v5 and v6 series are also affected, as are the Xeon E-2100 and E-2200 series.
The vulnerability does not appear to have a major impact on consumers because it is not practical to exploit it on a large scale with, for example, malware. However, it could be used for targeted attacks. Intel has released a microcode update that should provide protection.
No physical access to systems is required to exploit the vulnerability. A possible attacker must have root access to be able to adjust the voltage of the processor. An attack with Plundervolt can be completely ruled out by turning off the option to adjust the CPU voltage in the BIOS.
This is not the first time that researchers have found a vulnerability related to Intel’s Software Guard eXtensions. Plundervolt builds on previous finds such as Spectre, Rowhammer and Clkscrew. This made it possible to read SGX enclaves, but with Plundervolt this protected memory can also be adjusted.
The Plundervolt vulnerability was discovered by researchers from the University of Birmingham, the Austrian University of Graz and KU Leuven. Researchers from those universities were previously involved in the discovery of several other vulnerabilities in Intel processors. The researchers reported to Intel as early as June. The release follows now that Intel has released a patch.