Hertzbleed (CVE-2022-23823 and CVE-2022-24436)

Hello World!

On June 14th 2022, a new family of side-channel attacks, frequency based, were disclosed to the public. The method is quite technical and above my level of understanding in places, additionally there isn’t anything the majority of people need to do. BUT! There is a way this has potential to affect many people due to mitigation techniques.

As some of you may notice, the name is rather similar to another vulnerability… Heartbleed. This other vulnerability came about just as I was getting into IT and security as a child and caused a headache for the professionals in my life at the time. From what I can tell other than both being cryptographic in nature… the similarities stop there.

So without being technical, what does this mean for us? Well, this vulnerability affects all Intel x86 CPUs and many AMD x86 CPUs. However, the attack would only serve a purpose on a server that handles cryptographic keys.

But hold on… you said it could affect many of us! How is that so if it’s carried out on cryptographic servers?

Well, these CPUs use something called Dynamic Voltage and Frequency Scaling. This is something that can greatly boost efficiency of a computers CPU and help control excess temperatures. This is the primary technology that is taken advantage of in these frequency side-channel attacks, a potential mitigation would be turning off the frequency scaling however… this would have a grave impact on performance.

Whilst it is ultimately up to organizations and individuals how they mitigate, in some areas there may be a drop in performance whilst software mitigations are hurried into production code, this has a chance of affecting some hosting providers. As it stands there will be no patches from Intel and AMD, but their guidance can be found via the hyperlinks.

I would encourage anyone who is interested in the topic, or works in cryptography to review the full paper found here, additionally I will be listing sources I read through to understand (what I am able to) about this vulnerability at the bottom of this page.

Lastly, a reminder about a rule of encryption. If an attacker can read the private key or the plaintext then the encryption technique, its technology and processing power are completely useless.

List of websites to look at regarding this topic (As well as the full paper linked above):