
Mitigate PLATYPUS Attack Without A Reboot

Published: Nov 12, 2020 2:18:19 PM / Last update: Nov 18, 2020 / by KernelCare Team

On November 10, 2020, a team of academic researchers found a bug in Intel CPU architecture that allowed them to extract sensitive information, such as encryption keys, from the processor. The researchers named the vulnerability Power Leakage Attacks: Targeting Your Protected User Secrets (PLATYPUS), after the platypus’s ability to detect electrical current with its bill. By monitoring power consumption through the Running Average Power Limit (RAPL) interface, they were able to determine the data being processed. No instances of an exploit in the wild have been reported, but Intel released a microcode update that should be applied to any servers and devices using the processor. No patches are needed, as they were with Zombieload or Spectre & Meltdown.

Intel recommends installing updates provided by the system manufacturer, but installing firmware updates requires a reboot. We have instructions (below) that help you update the microcode without a reboot, thus protecting your Intel chips. This rebootless mitigation is only applicable to Intel chipsets.

AMD is also potentially vulnerable and has released a microcode update as well. In line with industry partners, AMD has updated the RAPL interface to require privileged access. The change is in the process of being integrated into Linux distributions.

Mitigating PLATYPUS

According to the researchers, PLATYPUS works more effectively on Linux systems, which means any server running a Linux distribution on Intel may be vulnerable, and microcode should be updated as soon as possible. Because PLATYPUS can be executed remotely, it’s critical to mitigate this vulnerability quickly, but downtime is also an issue for production servers handling services.

You can mitigate PLATYPUS on Intel without a reboot with these two steps:

  1. Update microcode without a reboot. CPU microcode is the interface between software and machine-level electronics. It’s the code that runs within the CPU itself. Microcode changes are usually applied on reboot of the Linux operating system, but KernelCare’s instructions will show you how to update microcode with no reboot.
  2. Run the following command:

    sudo chmod 400 /sys/class/powercap/intel_rapl/*/energy_uj
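The check behind step 2, as an added example that is not KernelCare's code: it lists every `energy_uj` counter that unprivileged users can read, including nested sub-zones, and applies the same `chmod 400` to each. The default root `/sys/devices/virtual/powercap`, the function names and the `audit`/`restrict` actions are assumptions of this example; pass another directory to run it against a test tree.

```shell
#!/bin/sh
# Added example (not KernelCare's code): audit and restrict RAPL energy counters.
# Assumption: /sys/class/powercap entries are symlinks into this directory,
# so scanning it reaches every zone and nested sub-zone without following links.
POWERCAP_ROOT="${POWERCAP_ROOT:-/sys/devices/virtual/powercap}"

# Print every energy_uj file under the root that group or other may read.
exposed_counters() {
    find "${1:-$POWERCAP_ROOT}" -type f -name energy_uj \
        \( -perm -040 -o -perm -004 \) 2>/dev/null | sort
}

# Apply the page's "chmod 400" to each exposed counter, then re-audit.
# Returns 0 only when no counter is left readable by unprivileged users.
restrict_counters() {
    root="${1:-$POWERCAP_ROOT}"
    exposed_counters "$root" | while IFS= read -r counter; do
        chmod 400 "$counter" || echo "cannot restrict $counter" >&2
    done
    [ -z "$(exposed_counters "$root")" ]
}

# Usage: script audit|restrict [root]; with no action it only defines functions.
case "${1:-}" in
    audit)
        found=$(exposed_counters "${2:-$POWERCAP_ROOT}")
        if [ -n "$found" ]; then
            echo "Group/world-readable RAPL counters:"; echo "$found"; exit 1
        fi
        echo "No RAPL counters readable by unprivileged users." ;;
    restrict)
        restrict_counters "${2:-$POWERCAP_ROOT}" || exit 1
        echo "RAPL counters restricted to owner read-only." ;;
esac
```

Permissions set on sysfs files live only in memory, so they return to the kernel's defaults at the next boot; re-run the audit after a reboot.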



A Brief Overview of Platypus

Linux and other operating systems monitor power consumption using Intel’s RAPL interface. The RAPL interface is included in both Intel and AMD processors and monitors CPU energy consumption to ensure that the processor does not use too much energy or overheat. The values reported by RAPL can be read without administrative permissions, which gives an attacker the ability to monitor power consumption and infer values based on fluctuations. Intel remediates the issue in its patch by only allowing administrator access.

Researchers combined RAPL power output with abuse of Intel’s Software Guard Extensions (SGX), which is a security feature that moves critical programs such as the operating system to an isolated memory environment called the enclave. SGX can be abused by an already compromised operating system and performs its security functions even with malware running on the system.

Using a compromised operating system, researchers were able to force the processor to execute certain instructions thousands of times within the SGX enclave and monitor power consumption using the RAPL interface. Oscillations in power usage were used to infer data including private encryption keys.

Until today, power side-channel attacks were very inaccurate unless the attacker had physical access to the device and was equipped with an oscilloscope. This new research demonstrates that power side-channel attacks can be carried out remotely and accurately. Tracking and reporting for PLATYPUS can be found in CVE-2020-8694 (Linux+Intel), CVE-2020-8695 (Intel), and CVE-2020-12912 (Linux+AMD).

For older machines, the good news is that the vulnerability only affects newer generations of the Intel processor. 

Read more on how KernelCare addresses other critical vulnerabilities:

  1. Zombieload - Critical Linux CVE Affects almost All Intel CPUs
  2. Rebootless Patches for 'Bleeding Tooth' are on the Way
  3. SWAPGS: KernelCare patches on the way
  4. SACK Panic & Slowness: KernelCare Live Patches Are Here
  5. RIDL – Another MDS Attack that Live Patching Would Have Saved You From

Topics: CVE, Zombieload
