Hertzbleed disclosure raises questions for Intel

A new family of side-channel attacks dubbed "Hertzbleed" has raised questions about Intel's coordinated disclosure process.

The two vulnerabilities at the center of Hertzbleed were disclosed Tuesday by a group of researchers from the University of Texas at Austin, University of Illinois Urbana-Champaign and University of Washington. Tracked as CVE-2022-24436 and CVE-2022-23823, the flaws stem from dynamic frequency scaling features in modern processors and can enable threat actors to conduct side-channel attacks.

According a website dedicated to Hertzbleed, the weakness in dynamic frequency scaling can allow remote threat actors to steal encryption keys and other sensitive data from vulnerable systems. Although CVE-2022-24436 and CVE-2022-23823 affect Intel and AMD microprocessors, the researchers said the flaws may impact other vendors such as Cloudflare and Microsoft.

Intel's security advisory, which tracks the Hertzbleed vulnerabilities as "medium" severity, said all its processors are affected. The chip giant has not released any updates for the flaws, though it has released a detailed guidance page for developers to mitigate the flaw. AMD similarly released a security advisory that features a list of affected processors as well as mitigations.

One of the notable aspects of Hertzbleed involves the coordinated disclosure process, particularly with Intel. According to the Hertzbleed website's Q&A section, researchers submitted findings to Intel in Q3 2021. Contrary to the standard 90-day coordinated disclosure process, Intel requested an embargo many months after the initial submission.

"We disclosed our findings, together with proof-of-concept code, to Intel, Cloudflare and Microsoft in Q3 2021 and to AMD in Q1 2022," the site read. "Intel originally requested our findings be held under embargo until May 10, 2022. Later, Intel requested a significant extension of that embargo, and we coordinated with them on publicly disclosing our findings on June 14, 2022."

In a follow-up question on the site, labeled "Why did Intel ask for a long embargo, considering they are not deploying patches?" the answer given was "Ask Intel."

SearchSecurity contacted Intel for comment. In response, a spokesperson told SearchSecurity that "the issue was first found internally by Intel" and provided links to both an Intel research paper (not to be confused with a separate research paper by Hertzbleed researchers) and a podcast interview featuring two of the university researchers.

The latter link includes a blog post by Intel senior director of communications and incident response Jerry Bryant and provides additional context for Intel's response.

"While this issue is interesting from a research perspective, we do not believe this attack to be practical outside of a lab environment," Bryant wrote. "Also note that cryptographic implementations that are hardened against power side-channel attacks are not vulnerable to this issue. Also, CVE-2022-24436 is not architecture specific and any modern CPU that has dynamic power and thermal management is potentially affected Intel shared its findings with other silicon vendors so they could assess their potential impact."

The Hertzbleed research team, however, appeared to disagree with Intel's assessment and said in the research paper that the side-channel attacks have "significant" security implications.

SearchSecurity contacted multiple researchers from the Hertzbleed team to learn more about the disclosure process. One, University of Texas at Austin professor Hovav Shacham, responded.

"Thanks for your interest," he wrote in an email. "We'd rather the focus be on our technical findings than on the coordinated vulnerability disclosure process."

Hertzbleed is the latest discovery of side-channel attacks stemming from modern chip features such as speculative execution. The infamous Meltdown and Spectre flaws of 2018, as well as subsequent Spectre variants, forced Intel, AMD and ARM to make fundamental changes to their respective chip designs. In 2019, researchers discovered four new classes of side-channel attacks on Intel chips, including ZombieLoad. Another side-channel exploit involving both Intel and AMD was found in late 2020 involving power consumption fluctuations.

Alexander Culafi is a writer, journalist and podcaster based in Boston.