PLATYPUS ATTACK - Newly Discovered Power Consumption Related Software Side Channel Attacks

Description

Researchers at the University of Graz published a white paper on a new software-based side-channel attack, dubbed PLATYPUS, which has been assigned CVE-2020-8694 and CVE-2020-8695. The attack affects Intel server, desktop, and laptop CPUs. The vulnerability lies in the Intel RAPL interface: an unprivileged attacker (on Linux) can use it to leak cryptographic keys from protected areas of the chip, namely Intel SGX enclaves. The attack is novel because, until now, power-based attacks of this kind were hardware attacks that required physical access to the machine. The work also highlights a further attack vector, via the powercap framework on Linux: because that framework is not restricted to privileged users, exploitation is possible as an unprivileged user. On Windows and macOS, an attacker would need to be a privileged user to exploit this vulnerability.


What are the Technical Details of the Exploit?

According to the paper, an unprivileged attacker can:

  • Leak AES-NI keys from Intel SGX enclaves and the Linux kernel space;
  • Break kernel address-space layout randomization (KASLR);
  • Infer secret instruction streams; and
  • Establish a timing-independent covert channel.

The paper also describes a privileged attack on mbed TLS that uses precise execution control to recover RSA keys from an SGX enclave. The unprivileged angle exists only on Linux operating systems.


What does RAPL stand for?

The Running Average Power Limit (RAPL) interface lets users manage CPU and DRAM power consumption on Intel devices.


What Products Are Affected?

According to the advisory, Intel has confirmed a list of CPUs affected by this vulnerability. This list can be found in the APPENDIX under "2020.2 IPU - Intel® RAPL Interface Advisory." The authors have also disclosed their findings to AMD and ARM, but have not been provided with an official statement.


What Operating Systems Are Affected?

Linux, MacOS, and Windows operating systems running Intel chipsets are affected.


By default, on Linux, unprivileged users have access to Intel RAPL via the powercap framework. On Windows and macOS, the Intel Power Gadget must be installed before the interface is reachable, which makes exploitation more difficult because the installation must be performed by a privileged user.
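The Linux exposure described above comes down to file permissions on the powercap sysfs tree. The following audit script is an added example, not code from the paper or the advisory; it assumes the real sysfs layout under /sys/class/powercap, where each intel-rapl zone exposes an energy_uj counter, and flags every counter that a non-root user could read (the condition a patched kernel removes).

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

# Real location of the Linux powercap sysfs tree. Every intel-rapl zone
# listed there carries an energy_uj counter (microjoules consumed so far).
POWERCAP_ROOT = "/sys/class/powercap"


def exposed_energy_counters(root: str = POWERCAP_ROOT) -> List[Tuple[str, str]]:
    """Return (path, octal mode) for each energy_uj counter under `root`
    that a non-root user can read (group or other read bit set).

    Zones appear as symlinks directly below the class directory, so one
    level of iteration suffices; Path.glob('**') would not follow them.
    """
    exposed: List[Tuple[str, str]] = []
    root_path = Path(root)
    if not root_path.is_dir():
        return exposed  # no powercap support, or not Linux
    for zone in sorted(root_path.iterdir()):
        counter = zone / "energy_uj"
        if not counter.is_file():
            continue
        mode = counter.stat().st_mode
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            exposed.append((str(counter), oct(stat.S_IMODE(mode))))
    return exposed


def demo_on_constructed_tree() -> List[Tuple[str, str]]:
    """Build a constructed sysfs-like tree (not a real system) with one
    world-readable and one root-only counter; return the flagged
    (zone name, mode) pairs."""
    base = tempfile.mkdtemp()
    try:
        for zone, mode in (("intel-rapl:0", 0o444), ("intel-rapl:0:0", 0o400)):
            os.makedirs(os.path.join(base, zone))
            counter = os.path.join(base, zone, "energy_uj")
            with open(counter, "w") as f:
                f.write("123456789\n")  # constructed sample reading
            os.chmod(counter, mode)
        return [(Path(p).parent.name, m) for p, m in exposed_energy_counters(base)]
    finally:
        shutil.rmtree(base)
```

On a live host, call exposed_energy_counters() with no arguments; an empty list means the counters are root-only, a non-empty one means unprivileged processes can still sample RAPL.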


Is Remote Exploitation Possible?

Yes. Unlike previous side-channel attacks, this attack is remotely exploitable when chained with another vulnerability or with malware.


What is the Status of AV and IPS coverage?

AV and IPS coverage is not feasible for this event. Remediation relies on microcode updates at the chipset level and on updates at the operating system level. For a list of mitigation recommendations, along with links to the respective vendor pages, please see the "What Mitigation is Available?" section below and the APPENDIX section.


How Serious of a Vulnerability is this?

MEDIUM. Because exploitation requires some sophistication, it is not considered easily exploitable. Intel has stated publicly that it has not seen any evidence of in-the-wild (ITW) attacks related to PLATYPUS.


Is this from the Same Authors of Meltdown and Spectre?

Yes. This is from the same institution and researchers behind the Meltdown and Spectre papers of 2018.


What are the CVSS Scores for each CVE Assignment?

CVE-2020-8694: CVSS Base Score 5.6 (Medium)

CVE-2020-8695: CVSS Base Score 5.3 (Medium)


What Mitigation is Available?

Microsoft, in cooperation with Intel, has released a comprehensive microcode update addressing CVE-2020-8695 (Intel Running Average Power Limit (RAPL) Interface) for affected machines running Windows 10, version 2004 and 20H2, and Windows Server, version 2004 and 20H2.


For Linux, it is recommended that users visit their respective vendor pages to update and install available patches or follow suggested mitigation whenever possible.


For macOS and Windows users, it is suggested that they uninstall the Intel Power Gadget, if feasible, as this removes another potential attack vector. It is also suggested that users regularly check their BIOS and hardware manufacturers' security update pages for further guidance, as each vendor will have its own approach and guidance for this latest disclosure.