Security Experts:

Connect with us

Hi, what are you looking for?



New Side-Channel Vulnerability Leaks Sensitive Data From Intel Chips

A newly revealed side-channel attack can leak encrypted data from Intel microprocessors that use a Simultaneous Multithreading (SMT) architecture.

A newly revealed side-channel attack can leak encrypted data from Intel microprocessors that use a Simultaneous Multithreading (SMT) architecture.

Dubbed PortSmash and tracked as CVE-2018-5407, the vulnerability affects all CPUs that rely on SMT, including Intel’s Hyper-Threading architectures. By exploiting the vulnerability, an attacker could extract sensitive data such as encryption keys from a computer’s memory or processor.

The issue was discovered by researchers at Tampere University of Technology in Finland, and Universidad Tecnológica de la Habana (CUJAE) in Cuba. By exploiting the vulnerability, they were able to steal an OpenSSL P-384 private key from a TLS server.

As Billy Brumley from the Tampere University of Technology explains, the bug can be categorized as information disclosure through timing discrepancy and exists due to execution engine sharing on SMT.

The SMT technology makes it possible for multiple threads to be executed simultaneously on a CPU core. Because of this, however, malicious code could snoop into the code running on the other thread on the same core, even if it belongs to a cryptographic application, which would normally include protections against side-channel assaults.

“We detect port contention to construct a timing side channel to exfiltrate information from processes running in parallel on the same physical core,” he says.

For the attack to be successful, the malicious process needs to run on the same physical core as the victim process.

The vulnerability has been verified on Intel’s Skylake and Kaby Lake processors, and experts believe that chips from other manufacturures such as AMD could also be vulnerable. Proof-of-concept (PoC) code for Intel chips has already been published. The code was designed to measure timing discrepancies and discover and exfiltrate protected data from the victim process.

“This exploit code should work out of the box on Skylake and Kaby Lake. For other SMT architectures, customizing the strat
egies and/or waiting times in spy is likely needed,” the researcher notes.

Brumley underlines the fact that this is a hardware issue that has nothing to do with the memory subsystem or caching. He also points out that any “software that has secret dependent control flow at any granularity” is impacted.

By abusing the new type of attack, an actor could steal “generated keys and decrypt any conversation that would otherwise have been protected by the key,” Justin Jett, Director of Audit and Compliance for Plixer, told SecurityWeek in an email.

“Additionally, because the malware writer is already on the machine, they have a better understanding of where these keys may be used (for example, were the keys then moved to a specific folder that is being used by an application installed on the machine),” Jett continued.

To mitigate impact, one would need to disable SMT/Hyper-Threading in the BIOS setup. However, the option might not be available in many systems, as OpenBSD’s Mark Kettenis points out.

The vulnerability was reportedly submiited to Intel in early October. PortSmash, however, does not appear related to recently discovered attacks that rely on speculative execution, such as Spectre and Meltdown. It has nothing in common with Foreshadow/L1 Terminal Fault (L1TF) either.

“PortSmash, and all the other processor vulnerabilities like Meltdown and Spectre, is a reminder that we have to rotate the keys and certificates that serve as machine identities, much more frequently than we do,” Kevin Bocek, chief cybersecurity officer at Venafi, told SecurityWeek. “Our machine identities are kept around for years, and it’s crazy to think machine that they won’t be attacked. This is especially true a cloud and microservices environments, where these kinds of vulnerabilities are most dangerous.”

“The reality is that most keys and certificates aren’t changed often, and a surprising number are never changed,” Bocek added. “These are the machine identities that are most at risk from PortSmash.”

In February 2018, Intel announced that it would offer up to $250,000 for valid side-channel exploits reported through its bug bounty program.

UPDATE. An Intel spokesperson provided SecurityWeek the following statement:

Intel received notice of the research. This issue is not reliant on speculative execution, and is therefore unrelated to Spectre, Meltdown or L1 Terminal Fault. We expect that it is not unique to Intel platforms. Research on side-channel analysis methods often focuses on manipulating and measuring the characteristics, such as timing, of shared hardware resources. Software or software libraries can be protected against such issues by employing side channel safe development practices. Protecting our customers’ data and ensuring the security of our products is a top priority for Intel and we will continue to work with customers, partners and researchers to understand and mitigate any vulnerabilities that are identified.

Related: ICS Devices Vulnerable to Side-Channel Attacks: Researcher

Related: Intel CPUs Vulnerable to New ‘BranchScope’ Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet