A new vulnerability has been identified affecting a wide number of CPUs, but users have been told not to be overly concerned, given the sheer complexity of carrying out an attack.
That’s according to chipmaker AMD, who “believes that it is difficult to execute the attack/exploit of this vulnerability in the real world or outside of a controlled/lab-type environment.”
The warning came from a group of researchers from the Graz University of Technology and CISPA Helmholtz Center for Information Security.
Software-based Power Side Channel widely affecting CPUs
The issue, known as ‘Collide+Power,’ presents a potential power side-channel vulnerability affecting processors that could allow authenticated attacks to monitor CPU power consumption, which in turn may lead to the leak of sensitive information.
The vulnerability has been tracked as CVE-2023-20583 and was awarded a severity level of ‘low’.
Ahead of a full investigation, AMD has confirmed that “EPYC server processors contain a performance determinism mode which can be used to reduce this type of leakage” and that “Ryzen client processors support a core boost disable bit that can help reduce the changes in frequency.”
ARM also shared some information about the issue at hand, but Intel has not yet provided guidelines specific to Collide+Power. Even so, the chipmakers appear to have been cooperative in reaching an agreement to rectify the vulnerability. The team behind the discovery said: “We thank the vendors AMD, ARM, and Intel for professionally handling the responsible disclosure.”
In its own statement, Amazon said that AWS customers’ data and instances are not impacted by Collide+Power.
A full breakdown of how an attacker may be able to get access to sensitive information via a machine’s CPU can be found on the Collide+Power website. Moving forward, the Graz and CISPA researchers see a solution in preventing attackers from observing power-related signals rather than redesigning general-purpose CPUs which is a sizeable task by any measure.
