"New 'Hertzbleed' Remote Side-Channel Attack Affects Intel, AMD Processors"

A team of academic researchers from the University of Texas at Austin, the University of Illinois Urbana-Champaign, and the University of Washington have identified a new side-channel method that can allow hackers to remotely extract sensitive information from a targeted system through a CPU timing attack.  The researchers named the attack Hertzbleed.  According to the researchers, Hertzbleed shows that power side-channel attacks can be turned into remote timing attacks, allowing attackers to obtain cryptographic keys from devices powered by Intel, AMD, and possibly other processors.  Hertzbleed does not require any direct power measurement and instead relies on a feature called dynamic frequency scaling, which modern processors use to reduce power consumption.  The researchers noted that under certain circumstances, periodic CPU frequency adjustments depend on the current CPU power consumption, and these adjustments directly translate to execution time differences (as 1 hertz = 1 cycle per second).  The researchers stated that an analysis of these time differences can allow an attacker or sometimes a remote attacker to target cryptographic software and obtain valuable cryptographic keys.  The attack was demonstrated against SIKE, or Supersingular Isogeny Key Encapsulation, a post-quantum key encapsulation mechanism that is used by companies such as Microsoft and Cloudflare.  The researchers noted that while Hertzbleed is not an actual vulnerability, two CVE identifiers were assigned to it: CVE-2022-23823 and CVE-2022-24436.  Intel has published two advisories to inform customers about Hertzbleed attacks.  The chipmaker has confirmed that all of its processors are impacted.  AMD has also published an advisory for Hertzbleed.  The company has listed several desktop, mobile, Chromebook, and server processors that are impacted.  The researchers have notified ARM, whose products also implement frequency scaling, but the company has not provided any feedback on whether its products are affected.  The researchers noted that workarounds are also available, but they can significantly impact performance.

SecurityWeek reports: "New 'Hertzbleed' Remote Side-Channel Attack Affects Intel, AMD Processors"