16 December 2019

Last Tuesday, Intel (1) published a patch for a new hardware vulnerability dubbed Plundervolt (CVE-2019-11157). As always with hardware vulnerabilities, Plundervolt got a lot of attention in the media.(2)(3)(4) A Google search for “plundervolt intel” shows about 167.000 hits as of today. The vulnerability was detected by a research team lead by Kit Murdock (5) some month ago.

In parallel, Microsoft published a patch for the privilege escalation vulnerability CVE-2019-1458.(6) CVE-2019-1458 is actively used in attacks (7), so it also got some media attention (Google search “CVE-2019-1458”: 88.000 hits as of today).

From my point of view, hardware vulnerabilities are always somewhat overvalued, especially in terms of their benefit in cyber operations. The vulnerabilities named RyzenFall, FallOut, Chimera and MasterKey in AMD processors, which were discovered last year, are maybe the best examples.(8) So, lets take a closer look on PlunderVolt and CVE-2019-1458.

The table below shows the CVSS V3.1 Severity for the vulnerabilities.

The main difference is in the Privileges Required (PR) to exploit the vulnerability. For Plundervolt, Murdock et al. “assume the standard Intel SGX adversary model where the attacker has full control over all software running outside the enclave (including privileged system software such as operating system and BIOS).”(5) That means that the system must already be fully compromised before Plundervolt can be exploited.

In contrast, CVE-2019-1458 allows the attacker to acquire high privileges on a system once he hijacked a standard user account. So, by exploiting CVE-2019-1458 the attacker sets up the environment to exploit Plundervolt.

From an attacker’s point of view, CVE-2019-1458 is more valuable than Plundervolt. Once one system is compromised, the attacker can use it as base of operations for the exploration of the victim’s network. In the worst case, the Active Directory is compromised within some minutes, so the attacker has access to all secrets, or he can push ransomware to all computers.

For organized crime and APTs, CVE-2019-1458 is a universally exploitable tool to achieve goals.

Plundervolt gets interesting if the attacker is interested in encryption key details which are used internally only, for example in Transparent Database Encryption (TDE) or in trusted execution environments. Murdock et al. “demonstrate the effectiveness of our attacks by injecting faults into Intel’s RSA-CRT and AES-NI implementations running in an SGX enclave, and we reconstruct full cryptographic keys with negligible computational efforts.”(5) In the worst case, this results in the loss of all data in a TDE secured database, since vendors use Intel’s AES-NI on-chip implementation to speed up cryptographic computations.

So, Plundervolt is interesting for organized crime and APTs when it comes to industrial espionage or in attacks against targets which are relevant for national security.

Fortunately, the time frame for exploitation is short. The patch for CVE-2019-1458 will be automatically rolled out through the WSUS infrastructure within the next weeks. Plundervolt should be patched, with high priority on critical systems, if a company is target of espionage or operates critical infrastructures.

Do you know your threat profile and critical systems? Without this knowledge efficient vulnerability management is not possible. Not sure? So, take it as a New Year’s resolution…

---

References

1. Intel Security Center. INTEL-SA-00289 [Internet]. Intel Security Center. 2019 [cited 2019 Dec 13]. Available from: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00289.html
2. Gatlan S. Intel Patches Plundervolt, High Severity Issues in Platform Update [Internet]. BleepingComputer. 2019 [cited 2019 Dec 13]. Available from: https://www.bleepingcomputer.com/news/security/intel-patches-plundervolt-high-severity-issues-in-platform-update/
3. O’Donnell L. Modern Intel CPUs Plagued By Plundervolt Attack | Threatpost [Internet]. threatpost. 2019 [cited 2019 Dec 13]. Available from: https://threatpost.com/intel-cpus-plundervolt-attack/151006/
4. Khandelwal S. New PlunderVolt Attack Targets Intel SGX Enclaves by Tweaking CPU Voltage [Internet]. The Hacker News. 2019 [cited 2019 Dec 13]. Available from: https://thehackernews.com/2019/12/intel-sgx-voltage-attack.html
5. Murdock K, Oswald D, Garcia FD, Van Bulck J, Gruss D, Piessens F. Plundervolt: Software-based Fault Injection Attacks against Intel SGX}. In: Proceedings of the 41st IEEE Symposium on Security and Privacy (S&P’20) [Internet]. San Francisco, CA; 2019 [cited 2019 Dec 13]. Available from: https://plundervolt.com/
6. MSRC. CVE-2019-1458 | Win32k Elevation of Privilege Vulnerability [Internet]. Microsoft Security. 2019 [cited 2019 Dec 16]. Available from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458
7. Kaspersky Global Research and Analysis Team. Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium | Securelist [Internet]. SECURELIST. 2019 [cited 2019 Dec 16]. Available from: https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/
8. Cimpanu C. AMD Confirms RyzenFall, MasterKey, Fallout, and Chimera Vulnerabilities [Internet]. BleepingComputer. 2018 [cited 2019 Dec 16]. Available from: https://www.bleepingcomputer.com/news/hardware/amd-confirms-ryzenfall-masterkey-fallout-and-chimera-vulnerabilities/