• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

 | 

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

 | 

Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

 | 

Koske, a new AI-Generated Linux malware appears in the threat landscape

 | 

Mitel patches critical MiVoice MX-ONE Auth bypass flaw

 | 

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 

U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • PlunderVolt attack hijacks Intel SGX Enclaves by tweaking CPU Voltage

PlunderVolt attack hijacks Intel SGX Enclaves by tweaking CPU Voltage

Pierluigi Paganini December 11, 2019

A team of researchers devised a new attack technique, dubbed PlunderVolt, to hijack Intel SGX enclave by tweaking CPU voltage.

A group of security researchers (Kit Murdock, David Oswald, Flavio D Garcia (The University of Birmingham), Jo Van Bulck, Frank Piessens (imec-DistriNet, KU Leuven), Daniel Gruss (Graz University of Technology)) demonstrated a new attack technique, dubbed PlunderVolt, to hijack the Intel SGX enclave by tweaking .

Intel Software Guard eXtensions (SGX) is a technology for application developers that allows protecting select code and data from disclosure or modification. The Intel SGX allows application code executing within an Intel SGX enclave, which are protected areas of execution in memory.

Enclaves are designed to be protected from processes running at higher privilege levels, including the operating system, kernel, BIOS, SMM, hypervisor.

The Plundervolt issue, tracked as CVE-2019-11157, is related to the fact that modern processors allow frequency and voltage to be adjusted when needed. An attacker could modify the voltage in a controlled way to induce errors in the memory by flipping bits and trigger the condition for the Rowhammer attack.

PlunderVolt

Rowhammer is classified as a problem affecting some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows, this means that theoretically, an attacker can change any value of the bit in the memory.

The Plundervolt attack leverages bit flipping by injecting faults in the CPU before they are written to the memory.

Plundervolt leverages a technique called CLKSCREW that exploits energy management of CPU to breach hardware security and take control over a targeted system.

“We present the Plundervolt attack, in which a privileged software adversary abuses an undocumented Intel Core voltage scaling interface to corrupt the integrity of Intel SGX enclave computations. Plundervolt carefully controls the processor’s supply voltage during an enclave computation, inducing predictable faults within the processor package. Consequently, even Intel SGX’s memory encryption/authentication technology cannot protect against Plundervolt.” reads the paper published the experts.

“We show that a privileged adversary is able to inject faults into protected enclave computations. Crucially, since the faults happen within the processor package, i.e., before the results are committed to memory, Intel SGX’s memory integrity protection fails to defend against our attacks,”

The experts published PoC videos that show how to carry out the attack by increasing or decreasing the voltage delivered to a targeted CPU. This technique allows an attacker to trigger computational faults in the encryption algorithms used by SGX enclaves, making it possible to decrypt SGX data.

The experts also released a proof-of-concept (PoC) on GitHub.

“For the first time, we bypass Intel SGX’s integrity guarantees by directly injecting faults within the processor package.” continues the paper. “We demonstrate the effectiveness of our attacks by injecting faults into Intel’s RSA-CRT and AES-NI implementations running in an SGX enclave, and we reconstruct full cryptographic keys with negligible computational efforts,” the researchers said.

“Given a pair of correct and faulty ciphertext on the same plaintext, this attack is able to recover the full 128-bit AES key with a computational complexity of only 232+256 encryptions on average. We have run this attack in practice, and it only took a couple of minutes to extract the full AES key from the enclave, including both fault injection and key computation phases.”

The Plundervolt attack works against all SGX-enabled Intel Core processors starting with the Skylake generation. Intel acknowledged the issue and released microcode and BIOS updates to address the Plundervolt flaw and tens of other high and medium severity vulnerabilities. The mitigation consists of locking voltage to the default settings.

“Intel has worked with system vendors to develop a microcode update that mitigates the issue by locking voltage to the default settings,” Intel’s blog post published today reads. “We are not aware of any of these issues being used in the wild, but as always, we recommend installing security updates as soon as possible.” reads the post published by Intel.

“We are not aware of any of these issues being used in the wild, but as always, we recommend installing security updates as soon as possible.”

Below the list of CPU models affected by the Plundervolt issue:

  • Intel 6th, 7th, 8th, 9th & 10th Generation Core Processors
  • Intel Xeon Processor E3 v5 & v6
  • Intel Xeon Processor E-2100 & E-2200 Families
  • For the full list of affected products, you can head on to Intel’s security advisory INTEL-SA-00289.
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Plundervolt, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

hacking news information security news Pierluigi Paganini PlunderVolt Security Affairs Security News SGX enclaves

you might also like

Pierluigi Paganini July 26, 2025
Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme
Read more
Pierluigi Paganini July 25, 2025
Operation CargoTalon targets Russia’s aerospace with EAGLET malware,
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

    Intelligence / July 26, 2025

    Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

    Intelligence / July 25, 2025

    Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

    Security / July 25, 2025

    Koske, a new AI-Generated Linux malware appears in the threat landscape

    Malware / July 25, 2025

    Mitel patches critical MiVoice MX-ONE Auth bypass flaw

    Security / July 25, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT